Posted to users@spamassassin.apache.org by Django [BOfH] <dj...@nausch.org> on 2015/10/26 13:09:40 UTC

Spamassassin and amavisd-new won't check (faked) bounce with zip-archive/exe (malware)

Hello list, dear Marc!

I have had a "little problem" with a mail system.

A few days ago a colleague received over 200 bounce messages within
10 minutes. O.K., that was all backscatter from a software company
in Redmond :( All those messages had an attachment (zip archive)
with malware.

For a few minutes I was shocked, because how could all AMaViS hosts at
the customer site transport malware in a zip archive?! So I tried to send
a new mail with this zip archive to all of our 5 MX, and nowhere was it
possible to get past our border filters. :)

So I tried to understand why our AMaViS instances allowed those faked
bounce messages with malware.

The only thing I found was these maillog entries:

Sep  8 13:17:10 amavis-cluster-by amavis[23088]: (23088-10) bounce
rescued by domain (DSN), <> -> <re...@example.com>, date: Tue, 8 Sep
2015 12:41:24 +0200, from: Rosenbaum Group <re...@example.com>,
message-id: <HD...@example.com>, return-path:
redacted@example.com

"bounce rescued by domain (DSN)"? What's that? So I tried to ask Google
whether or not anything about this is already known to others.

The only things I found were:
https://www.mail-archive.com/amavis-user@lists.sourceforge.net/msg11245.html
http://sourceforge.net/p/amavis/mailman/amavis-user/thread/201010051713.38050.stefan@localside.net/
and
http://www.ijs.si/software/amavisd/

" ... bounce killer feature (requires pen pals SQL logging) checks a
header section attached to received non-delivery status notifications,
and discards bounces to fake mail which do not refer to our genuine
outgoing mail;"

I'm not so familiar with this, as p@trick put it: "spam and malware
over backscatter as an esoteric problem ;)", and with your "bounce killer
feature". Could you tell me a few more points about what this feature can do
and whether it is the right place to block those attacks? Or is there a
feature I don't know of for banning attachments (i.e. zip archives with
malware)? Every hint is useful!

In AMaViS 2.10 you have marked "do_ascii":

@decoders = (
  ['mail', \&do_mime_decode],
# [[qw(asc uue hqx ync)], \&do_ascii],  # not safe

In RELEASE_NOTES you wrote:
- amavisd.conf: commented-out calls to do_ascii to match defaults in the
  amavisd program; the uulib code (as invoked by Convert::UUlib) has a
  history of stability problems, seems it is causing more grief compared
  to the benefits it brings;

Safe or stability? What happens if I activate this decoder to
recognize those faked bounces? Is the price high?

Thanx4help! Have a nice day!


Django

-- 
"Bonnie & Clyde der Postmaster-Szene!" approved by Postfix-God
http://wetterstation-pliening.info
http://dokuwiki.nausch.org
http://wiki.piratenpartei.de/Benutzer:Django
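The bounce-killer behaviour quoted above from the amavisd page, as an added Python example (not amavisd-new's own code and not from the poster): it parses a constructed DSN, pulls the original headers attached to it, and keeps the bounce only if that Message-ID was logged as one we actually sent. The set of sent IDs stands in for the pen-pals SQL log and is an assumption; the sample DSN is constructed.

```python
import email

# Assumption: message-ids our outbound MTA logged (the role of pen-pals SQL logging).
SENT_MESSAGE_IDS = {"<20151026120000.AB12@example.com>"}

# Constructed sample DSN from the null sender; the attached original headers
# name a message-id we never sent, i.e. backscatter from a forged sender.
FAKE_BOUNCE = b"""\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.bigco.example>
To: redacted@example.com
Subject: Undeliverable: Invoice
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The message could not be delivered.
--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.bigco.example

Final-Recipient: rfc822; nobody@bigco.example
Action: failed
Status: 5.1.1
--B1
Content-Type: message/rfc822-headers

From: Rosenbaum Group <redacted@example.com>
To: nobody@bigco.example
Message-ID: <HD-forged-0001@example.com>
Subject: Invoice
--B1--
"""
# Same DSN, but referring to a message we genuinely sent.
GENUINE_BOUNCE = FAKE_BOUNCE.replace(
    b"<HD-forged-0001@example.com>", b"<20151026120000.AB12@example.com>")

def original_headers(dsn):
    """Return the headers of the bounced message carried inside the DSN, or None."""
    for part in dsn.walk():
        if part.get_content_type() in ("message/rfc822-headers", "message/rfc822"):
            payload = part.get_payload()
            return payload[0] if isinstance(payload, list) else email.message_from_string(payload)
    return None

def classify_bounce(raw, sent_ids=SENT_MESSAGE_IDS):
    """'rescue' a DSN for our own mail, 'discard' one for mail we never sent."""
    msg = email.message_from_bytes(raw)
    if msg.get("Return-Path", "").strip() != "<>":   # only null-sender mail is a DSN
        return "not-a-bounce"
    hdrs = original_headers(msg)
    if hdrs is None:
        return "discard: no original headers attached"
    msgid = (hdrs.get("Message-ID") or "").strip()
    if msgid in sent_ids:
        return "rescue: refers to our genuine outgoing mail"
    return "discard: backscatter, unknown Message-ID " + msgid
```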

Re: Spamassassin and amavisd-new won't check (faked) bounce with zip-archive/exe (malware)

Posted by Martin Gregorie <ma...@gregorie.org>.
On Mon, 2015-10-26 at 13:09 +0100, Django[BOfH] wrote:
> Hello list, dear Marc!
> 
> I have had a "little problem" with a mail system.
> 
> A few days ago a colleague received over 200 bounce messages within
> 10 minutes. O.K., that was all backscatter from a software company
> in Redmond :( All those messages had an attachment (zip archive)
> with malware.
> 
Obvious first question:

Are you using SPF? 
- If so, what did SA have to say about these messages?
- If not, what are you using to detect messages with forged sender
  details and what did it say?

  IMO the prime purpose of SPF is to detect bounce spam with 
  forged sender details that correspond to your site.

Are you using DKIM?
- the same SPF follow-up questions also apply to DKIM.

It would be helpful if we could see the message headers plus the
plaintext and HTML MIME parts, but don't post them here because that may
cause your message to be taken as spam: post them on Dropbox or a similar
website and post the URL here.


Martin



Re: Spamassassin and amavisd-new won't check (faked) bounce with zip-archive/exe (malware)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 26.10.15 13:09, Django [BOfH] wrote:
>Hello list, dear Marc!

Correction: hello spamassassin-users list - it has nothing to do with
attachment or virus scanning.
You should have contacted the amavisd-new list:
http://lists.amavis.org/cgi-bin/mailman/listinfo/amavis-users

>So I tried to understand why our AMaViS instances allowed those faked
>bounce messages with malware.


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod

Re: Spamassassin and amavisd-new won't check (faked) bounce with zip-archive/exe (malware)

Posted by John Hardin <jh...@impsec.org>.
On Mon, 26 Oct 2015, Django [BOfH] wrote:

> A few days ago a colleague received over 200 bounce messages within
> 10 minutes. O.K., that was all backscatter from a software company
> in Redmond :( All those messages had an attachment (zip archive)
> with malware.

<plug type="shameless">http://impsec.org/email-tools/procmail-security.html</plug>

This does coexist with SA.

I've been gonna create an archive scanning plugin for a while now, no 
round tuits tho.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  5 days until Halloween