Hello all,

We get a lot of emails with attached zip files with JavaScript viruses getting through recently. What should I be checking for? Sample headers of an email....

Thanks...

Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1]) by mail2.dido.ca (Postfix) with ESMTP id C7DC1B000C6 for <[email protected]>; Thu, 6 Oct 2016 23:39:18 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at mail2.dido.ca
X-Spam-Flag: YES
X-Spam-Score: 7.214
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.214 tagged_above=-999 required=4.5 tests=[BAYES_00=0.1, RCVD_IN_PBL=3.335, RDNS_NONE=3, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail2.dido.ca ([127.0.0.1]) by localhost (mail2.dido.ca [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fnefG50-__LR for <[email protected]>; Thu, 6 Oct 2016 23:39:18 -0400 (EDT)
Received: from [106.207.142.106] (unknown [106.207.142.106]) by mail2.dido.ca (Postfix) with ESMTP id EF85FB000C5 for <[email protected]>; Thu, 6 Oct 2016 23:39:16 -0400 (EDT)
Received: (from hq@localhost) by nikanmedicalgroup.com (8.14.5/8.13.8/Submit) id E50D74FE9075; Fri, 07 Oct 2016 09:09:07 +0530 (envelope-from hq)
Date: Fri, 07 Oct 2016 09:09:07 +0530
Message-Id: <20161007090907.adad87959d58b1c093fb437c699a825e@nikanmedicalgroup.com>
To: [email protected]
Subject: ***SPAM***wrong paychecks
X-PHP-Script: hq.nikanmedicalgroup.com/mail/message.php for 69.131.189.127, 69.131.189.127
MIME-Version: 1.0;
Content-Type: multipart/mixed; boundary="--adad87959d58b1c093fb437c699a825e"
From: "Veronica Livingston" <[email protected]>
X-SA-Exim-Connect-IP: 10.64.13.172
X-SA-Exim-Mail-From: [email protected]
X-SA-Exim-Scanned: No (on hq.nikanmedicalgroup.com); SAEximRunCond expanded to false

----adad87959d58b1c093fb437c699a825e
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

DQpIZXkgVGFuaWEuIFRoZXkgc2VuZCB1cyB0aGUgd3JvbmcgcGF5Y2hlY2tzLiBBdHRhY2hlZCBp
cyB5b3VyIHBheWNoZWNrIGFycml2ZWQgdG8gbXkgZW1haWwgYnkgbWlzdGFrZS4NCg0KUGxlYXNl
IHNlbmQgbWluZSBiYWNrIHRvby4NCg0KDQoNCkJlc3QgcmVnYXJkcywNClZlcm9uaWNhIExpdmlu
Z3N0b24=

----adad87959d58b1c093fb437c699a825e
Content-Type: application/x-zip-compressed; name="paychecks_d8dfe081b.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="paychecks_d8dfe081b.zip"
Antivirus checks are done by clamav. Check that the clamav daemon is running and that it has up to date signatures. Then you should check if the zip and unzip programs are installed so that clamav can unpack the attachments for scanning.
ClamAV is installed and running, signatures are up to date, and zip and unzip are installed and working.... What should I check next?
I do see that amavis did catch some stuff, as in the log below...

Oct 5 01:48:47 mail2 postfix/smtp[2882]: 3DD12B000BC: to=<[email protected]>, relay=mx.videotron.ca[24.201.245.37]:25, delay=3.9, delays=0.01/0.02/3.6/0.25, dsn=5.2.0, status=bounced (host mx.videotron.ca[24.201.245.37] said: 552 5.2.0 rf4Nb8fb93wDarf4Qb1YFN message contained a virus. (in reply to end of DATA command))
I also saw this in the log too....

Oct 6 11:46:48 mail2 amavis[30244]: (30244-04) Blocked BANNED (ringcentral_fax_6oct.pif,UNDECIPHERABLE) {NoBounceOpenRelay}, [111.82.186.176]:56483 [111.82.186.176] <[email protected]> -> <[email protected]>, Queue-ID: 5A122B000B9, Message-ID: <[email protected]>, mail_id: cMO3o-ytgu23, Hits: -, size: 39514, 116 ms
I noticed that js was not in the config set up in /etc/amavis/conf.d/20-debian_defaults:

qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic

So I added it and restarted amavis, so now it's like this....

qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl|js|jse)$'i, # banned extension - basic
OK, so now I tested by sending myself an email with a js in a zip, and I get this in mail.log. So it looks good now! Hope this thread helps someone else! Thanks..

Oct 11 11:11:47 mail2 amavis[28298]: (28298-10) Blocked BANNED (.asc,paychecks exported EB3C961.js) {NoBounceInbound}, [69.196.20.228]:34521 [69.196.20.228] <[email protected]> -> <[email protected]>, Queue-ID: 242C1B000B3, Message-ID: <[email protected]>, mail_id: sm6yIjaxcJuG, Hits: -, size: 16585, 108 ms
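As an added example (not from this thread or from amavis itself), the script below applies the "banned extension - basic" pattern from the config change above, before and after js|jse were added, to a constructed message whose zip attachment contains a .js file, looking inside the archive the way amavis does when it unpacks attachments. The addresses, file contents and the UNDECIPHERABLE label for an unreadable zip are assumptions made for the example.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# The two amavis patterns quoted in the thread, before and after the change.
# amavis applies them to decoded attachment names and to archive member names.
BANNED_BEFORE = re.compile(r'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$', re.IGNORECASE)
BANNED_AFTER = re.compile(r'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl|js|jse)$', re.IGNORECASE)

ZIP_TYPES = ('application/zip', 'application/x-zip-compressed')


def banned_names(raw: bytes, pattern: re.Pattern = BANNED_AFTER) -> list[str]:
    """Return attachment names (and 'zip:member' names) that match pattern."""
    hits = []
    for part in email.message_from_bytes(raw, policy=default).walk():
        name = part.get_filename()
        if not name:
            continue
        if pattern.search(name):
            hits.append(name)
        if part.get_content_type() in ZIP_TYPES:
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits.extend(f'{name}:{m}' for m in zf.namelist() if pattern.search(m))
            except zipfile.BadZipFile:
                # An archive that cannot be opened is reported the way amavis
                # labels such attachments in its log (assumed label, see the .pif entry).
                hits.append(f'{name}:UNDECIPHERABLE')
    return hits


def build_sample() -> bytes:
    """Constructed test message: a zip attachment whose only member is a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('paychecks exported EB3C961.js', '// constructed placeholder\n')
    msg = EmailMessage()
    msg['From'] = 'sender@example.invalid'  # constructed addresses
    msg['To'] = 'user@example.invalid'
    msg['Subject'] = 'wrong paychecks'
    msg.set_content('Attached is your paycheck.')
    msg.add_attachment(buf.getvalue(), maintype='application',
                       subtype='x-zip-compressed', filename='paychecks_d8dfe081b.zip')
    return msg.as_bytes()


if __name__ == '__main__':
    sample = build_sample()
    print('before:', banned_names(sample, BANNED_BEFORE))  # before: []
    print('after: ', banned_names(sample))  # after: ['paychecks_d8dfe081b.zip:paychecks exported EB3C961.js']
```

Feed it a saved .eml instead of build_sample() to check whether a real message would have been caught by the old pattern, the new one, or neither.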