----- Original Message ----
> From: "MacShane, Tracy" <[EMAIL PROTECTED]>
> To: Postfix users <postfix-users@postfix.org>
> Sent: Sunday, November 16, 2008 11:00:29 PM
> Subject: RE: Body checks and warning log
>
> > ----- Original Message ----
> > > From: mouss
> > > To: Postfix users
> > > Sent: Friday, November 14, 2008 7:58:45 AM
> > > Subject: Re: Body checks and warning log
> > >
> > > MacShane, Tracy wrote:
> > > > I'm trying to create a very simple body check for a limited time to
> > > > get an indicative idea of how many users may be sending credit card
> > > > numbers via email. ...
> > > > Our security people are having wibbles about this logging regime, so
> > > > I was wondering if there was some way to ensure the WARN action
> > > > doesn't log the matched line (I can obviously append a truncated
> > > > version of the apparent number with the optional text), or if there
> > > > might be a better way to do this auditing task.
> > > >
> > >
> > > you can use HOLD, then have a cron job to check the message and release it.
> > >
> > > Alternatively, you can use FILTER to pass the message to another smtpd. example:
> > >
> > > == body_checks:
> > > /..../ FILTER filter:[127.0.0.1]:25666
> > >
> > > == master.cf
> > > 127.0.0.1:25666 ..... smtpd
> > >   -o syslog_name=postwatch
> > >   -o receive_override_options=no_address_mappings
> > >   -o mynetworks=127.0.0.1
> > >   -o smtpd_recipient_restrictions=${smtpd666_recipient_restrictions}
> > >   ...
> > >
> > > == main.cf
> > > smtpd666_recipient_restrictions=
> > >   check_client_access pcre:/etc/postfix/logcard
> > >   permit_mynetworks
> > >   reject
> > >
> > > == logcard
> > > /./ WARN credit card blah blah
> > >
> > > note that this will override your content filter setting. if you had
> > > one, then make sure it is used in the :25666 smtpd (either explicit
> > > -o content_filter=... in master.cf, or a content_filter=... in main.cf will do).
> > >
> > > PS. if you use clamav, check its Data Loss Protection feature.
> >
> > Do you have American Express cards covered and other store
> > based credit cards? Also do you account for the expiration
> > date and 3 digit security code?
>
> Thanks for the great suggestions, mouss. We use Trend Micro IMSS, which
> is very similar to amavisd. I'm sure we can work around it.
>
> Daniel, I'm not too concerned about absolute accuracy at this stage,
> since I just want to assess whether we need to take firmer measures. The
> regexp I have should trap Amex numbers, although there may be a number
> of false positives. I'll be reviewing them manually in any case. I'm not
> worried about the expiration date or security code (with the latter, I
> know of at least one example of a "pay-by-email" form that didn't
> require that number at all) - I'm not planning to *use* the cards, heh.
> Also, I believe crooks can use a credit card number to generate both an
> expiry date and security code using some algorithm.

Well, some people usually give more information than needed, and a security code will provide a criminal with more access to commit fraud. Just trying to make sure all your bases are covered.

Daniel Reinhardt
Website: www.cryptodan.com
Email: [EMAIL PROTECTED]
Junior Network Security Engineer
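Added example, not code from anyone in the thread: a Python sketch of the audit the thread is after, which flags card-like numbers in a message body but logs only a truncated form, so the full number never reaches syslog, and uses a Luhn check to thin out the false positives Tracy expects. The regex, the first-six/last-four mask, the log line format (borrowing mouss's "postwatch" syslog name) and the sample body are all my own assumptions.

```python
import re

# Constructed pattern: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer word or number. Tune before real use.
CARD_RE = re.compile(r'(?<![\w-])(?:\d[ -]?){12,18}\d(?![\w-])')

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum (all card brands)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep the first six and last four digits only; never the full PAN."""
    return digits[:6] + '*' * (len(digits) - 10) + digits[-4:]

def find_cards(body: str) -> list:
    """Masked forms of every Luhn-valid card-like number in the body."""
    hits = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r'[ -]', '', m.group(0))
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits

def audit_line(queue_id: str, body: str) -> str:
    """Syslog-style line in the spirit of the 'postwatch' smtpd: masked numbers only.
    Returns '' when nothing card-like was found."""
    hits = find_cards(body)
    if not hits:
        return ''
    return f"postwatch/smtpd: {queue_id}: warning: possible card number(s): {', '.join(hits)}"

# Constructed sample body: one Luhn-valid test number and one 13-digit
# order reference that fails Luhn and should be ignored.
SAMPLE = ("Hi, please charge 4111 1111 1111 1111 for the order.\n"
          "Ref 1234567890123 is just an order number.\n")

if __name__ == '__main__':
    print(audit_line('QUEUEID', SAMPLE) or 'no card-like numbers found')
```

The Luhn check answers Daniel's Amex question for free: 15-digit Amex numbers are caught by the same test, since every major brand uses the same checksum.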