> Hi,
> In the last few weeks I've seen an increase in the number of e-mails with
> nasty .doc or .xls files, generally with some sort of invoice supposedly
> in them. Can postfix be reliably configured to block them at source.

There are a number of techniques that could be deployed against it.
None of them are, "Easy".
And nothing concerning viruses could ever be classified as, "Safe".
Incoming attachments from people you don't know ... Considered Harmful.
Especially if those attachment filetypes support, "Macro"s. :(

> Below is a message header, the relevant bit of the maillog and my
> configuration:
>
> Return-Path: <maiertim9...@safewaydriving.com>
> Received: from localhost (localhost [127.0.0.1])
>   by server.mydomain.co.uk (Cyrus v2.3.16-Fedora-RPM-2.3.16-13.v6)
>   with LMTPA;
>   Wed, 10 Feb 2016 17:41:36 +0000
> X-Sieve: CMU Sieve 2.3
> X-Virus-Scanned: amavisd-new at mydomain.co.uk
> X-Amavis-Alert: BAD HEADER SECTION, Improper folded header field made
>   up entirely of whitespace (char 09 hex): Content-Type:
>   ...80A65A5A6F0709FA513B7426538A615A81AC6E9920_"\n\t
> X-Spam-Flag: YES
> X-Spam-Score: 5.42
> X-Spam-Level: *****
> X-Spam-Status: Yes, score=5.42 tagged_above=-99 required=5
>   tests=[HTML_MESSAGE=0.001, RCVD_IN_BRBL=2.5,
>   RCVD_IN_BRBL_LASTEXT=1.644, RDNS_NONE=1.274, URIBL_BLOCKED=0.001]
>   autolearn=no
> Received: from [51.179.106.180] (unknown [51.179.106.180])
>   by mailserver.mydomain.co.uk (Postfix) with ESMTP id 9BB74E427F
>   for <ourfam...@mydomain.co.uk>; Wed, 10 Feb 2016 17:41:30 +0000 (GMT)
> From: Tim Maier <maiertim9...@safewaydriving.com>
> To: <ourfam...@mydomain.co.uk>
> Subject: [virus VBA/TrojanDownloader.Agent.ASA trojan] [SPAM]
>   =?UTF-8?B?UmVtaXR0YW5jZSBhZHZpY2UgZnJvbSBTa3kgR3JvdXA6IEFjY291bnQgTm8uIDgwNTczOQ==?=
> Thread-Topic: Remittance advice from Sky Group: Account No. 805739
> Thread-Index: 9E9A0863698CAF3C254C6A950+B141==
> Date: Wed, 10 Feb 2016 18:41:27 +0200
> Message-ID:
>   <97495148876b4c8ecebe19312419b8ec215b9...@567d24e77.safewaydriving.com>
> Accept-Language: en-US
> Content-Language: en-US
> X-MS-Has-Attach: yes
> X-MS-TNEF-Correlator:
> MIME-Version: 1.0
> X-MC-Unique: 223161351459233692
> Content-Type: multipart/mixed;
>
>   boundary="_929_604EEBAB9DEEDAD880A65A5A6F0709FA513B7426538A615A81AC6E9920_"
> X-EsetResult: clean (cleaned), contained
>   VBA/TrojanDownloader.Agent.ASA trojan
> X-EsetId: 26366E2C4DACF56B3C7E31301FB3F36B677D637342
>
>
> Feb 10 17:41:35 server postfix/qmgr[5845]: 9BB74E427F: from=<maiertim9...@safewaydriving.com>, size=70986, nrcpt=1 (queue active)
> Feb 10 17:41:35 server postfix/smtpd[15970]: connect from localhost[127.0.0.1]
> Feb 10 17:41:35 server postfix/smtpd[15962]: disconnect from unknown[51.179.106.180]
> Feb 10 17:41:35 server postfix/smtpd[15970]: 300FBE5AD9: client=localhost[127.0.0.1]
> Feb 10 17:41:35 server postfix/cleanup[15965]: 300FBE5AD9: message-id=<97495148876b4c8ecebe19312419b8ec215b9...@567d24e77.safewaydriving.com>
> Feb 10 17:41:35 server postfix/qmgr[5845]: 300FBE5AD9: from=<maiertim9...@safewaydriving.com>, size=70986, nrcpt=1 (queue active)
> Feb 10 17:41:35 server postfix/smtpd[15970]: disconnect from localhost[127.0.0.1]
> Feb 10 17:41:35 server postfix/pipe[15968]: 9BB74E427F: to=<ourfam...@mydomain.co.uk>, relay=mailprefilter, delay=5, delays=4.8/0.01/0/0.22, dsn=2.0.0, status=sent (delivered via mailprefilter service)
> Feb 10 17:41:35 server postfix/qmgr[5845]: 9BB74E427F: removed
> Feb 10 17:41:36 server postfix/smtpd[15974]: connect from localhost[127.0.0.1]
> Feb 10 17:41:36 server postfix/smtpd[15974]: 5BAABE55C3: client=localhost[127.0.0.1]
> Feb 10 17:41:36 server amavis[7088]: (07088-14) INFO: unfolded 1 illegal all-whitespace continuation lines
> Feb 10 17:41:36 server postfix/cleanup[15965]: 5BAABE55C3: message-id=<97495148876b4c8ecebe19312419b8ec215b9...@567d24e77.safewaydriving.com>
> Feb 10 17:41:36 server postfix/smtpd[15974]: disconnect from localhost[127.0.0.1]
> Feb 10 17:41:36 server postfix/qmgr[5845]: 5BAABE55C3: from=<maiertim9...@safewaydriving.com>, size=71471, nrcpt=1 (queue active)
> Feb 10 17:41:36 server amavis[7088]: (07088-14) Passed SPAMMY, LOCAL [127.0.0.1] [51.179.106.180] <maiertim9...@safewaydriving.com> -> <ourfam...@mydomain.co.uk>, Message-ID: <97495148876b4c8ecebe19312419b8ec215b9...@567d24e77.safewaydriving.com>, mail_id: 6AdaL2ErBI7J, Hits: 5.42, size: 70986, queued_as: 5BAABE55C3, 1078 ms
> Feb 10 17:41:36 server postfix/smtp[15971]: 300FBE5AD9: to=<ourfam...@mydomain.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.3, delays=0.1/0.09/0/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 5BAABE55C3)
> Feb 10 17:41:36 server postfix/qmgr[5845]: 300FBE5AD9: removed
> Feb 10 17:41:36 server lmtp[15978]: Delivered: <97495148876b4c8ecebe19312419b8ec215b9...@567d24e77.safewaydriving.com> to mailbox: user.ourfamily.Junk
> Feb 10 17:41:36 server postfix/pipe[15976]: 5BAABE55C3: to=<ourfam...@mydomain.co.uk>, relay=mailpostfilter, delay=0.32, delays=0.08/0/0/0.24, dsn=2.0.0, status=sent (delivered via mailpostfilter service)
> Feb 10 17:41:36 server postfix/qmgr[5845]: 5BAABE55C3: removed
>
>
> postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> bounce_queue_lifetime = 6h
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = mailprefilter
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> disable_vrfy_command = yes
> header_checks = regexp:/etc/postfix/header_checks
> html_directory = no
> inet_interfaces = all
> inet_protocols = ipv4
> local_recipient_maps = $alias_maps $virtual_alias_maps
> luser_relay =
> mail_owner = postfix
> mailbox_size_limit = 102400000
> mailbox_transport = mailpostfilter
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 51200000
> message_strip_characters = \0
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> mydomain = mydomain.co.uk
> myhostname = mailserver.mydomain.co.uk
> mynetworks = 127.0.0.0/8, 192.168.10.0/24, 172.17.2.0/23
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
> recipient_delimiter = +
> relayhost = [smtp.ntlworld.com]:25
> sample_directory = /usr/share/doc/postfix-2.6.6/samples
> sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_sasl_auth_enable = no
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_sender_dependent_authentication = yes
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> smtp_use_tls = yes
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client 2.0.0.127.b.barracudacentral.org
> smtpd_sasl_auth_enable = no
> smtpd_sasl_local_domain = $mydomain
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_invalid_hostname
> smtpd_tls_CAfile = /etc/pki/CA/ca-cert.pem
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/pki/CA/mailserver.mydomain.co.uk.pem
> smtpd_tls_key_file = /etc/pki/CA/private/mailserver.mydomain.co.uk.key.pem
> smtpd_tls_loglevel = 1
> smtpd_use_tls = yes
> strict_rfc821_envelopes = yes
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> unverified_sender_reject_code = 550
> virtual_alias_maps = $alias_maps, $virtual_maps, ldap:/etc/postfix/imap-aliases.cf, ldap:/etc/postfix/imap-groups.cf
>
> Regards,
>
> Nick

Aloha mai Nai`a.
-- 
" So this is how Liberty dies ... http://kapu.net/~mjwise/ "
"            To Thunderous Applause.
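As an added illustration (not code from the post, from Postfix or from amavis) of the filename-based technique the reply alludes to, the Python below applies a mime_header_checks-style rule to unfolded MIME part headers, coping with the all-whitespace continuation line that amavis flagged in the sample; the part headers, the extension list and the REJECT text are this example's own assumptions. Its limits are the reply's point: a renamed or zipped attachment passes it, so it complements rather than replaces the amavis scanning already in the poster's chain.

```python
"""Added example, not from the list post: a filename check for macro-capable
Office attachments, as a pipe-based content filter like the poster's
'mailprefilter' could apply it or a mime_header_checks(5) row would express it.
Part headers are constructed; the extension list is this example's assumption."""
import re
# Legacy binary Office formats can always carry VBA; among OOXML formats only
# the macro-enabled '*m' variants can, so plain .docx/.xlsx are left alone.
MACRO_EXTS = r"doc|dot|xls|xlt|ppt|pot|docm|dotm|xlsm|xltm|pptm|potm"

# One (pattern, action) rule in the spirit of a mime_header_checks row. It is
# applied to the UNFOLDED header: a sender can fold 'name=' away from its value,
# and the poster's sample had a folded Content-Type with an all-whitespace line.
RULES = [
    (re.compile(r'^Content-(?:Disposition|Type):.*name\s*=\s*"?[^";]*'
                r'\.(?:' + MACRO_EXTS + r')"?\s*(?:;|$)', re.I),
     "REJECT Office attachments that may contain macros are not accepted"),
]

def unfold_headers(raw: str) -> list:
    """Join RFC 5322 continuation lines (leading SP/HTAB) onto their header;
    an all-whitespace continuation line is absorbed rather than kept."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line.rstrip())
    return headers

def check_part(raw_part_headers: str):
    """Return the action of the first rule that matches, or None to accept."""
    for header in unfold_headers(raw_part_headers):
        for pattern, action in RULES:
            if pattern.search(header):
                return action
    return None

# Constructed part headers. EVASIVE_DOC folds the name across an all-whitespace
# continuation line, so a line-at-a-time check would never see 'name=...doc'.
EVASIVE_DOC = ('Content-Type: application/msword;\n'
               '\t\n'
               '\tname="Remittance Advice.doc"\n'
               'Content-Transfer-Encoding: base64\n')
UPPERCASE_XLS = 'Content-Disposition: attachment; filename="INVOICE.XLS"\n'
PLAIN_DOCX = 'Content-Disposition: attachment; filename="report.docx"\n'
PDF = 'Content-Type: application/pdf; name="invoice.pdf"\n'

if __name__ == "__main__":
    for p in (EVASIVE_DOC, UPPERCASE_XLS, PLAIN_DOCX, PDF):
        print(check_part(p) or "accept")
```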