Inbound doesn't catch Heuristics.Phishing.Email.SSL-Spoof, Outbound does
francis picabia
fpicabia at gmail.com
Fri Aug 24 20:41:26 CEST 2012
I have a user who likes to report his phishing and spam to banks,
or spam/fraud reporting email addresses. It has revealed
amavis + clam are capable of stopping these. That is good.
However, I'd rather it had been blocked on the inbound, and this
is what I'm having trouble with. I don't understand how it is
getting in but being found only when outbound.
I know that clam + amavis is stopping some types of
malware and phishing on the inbound MX, as I can see these
in the logs (these are just sample matches, not a trace
for a particular email in and out):
/var/log/amavisd.9.gz:Aug 15 18:40:56 mailmx1 amavis[17355]: (17355-08) Blocked INFECTED (Email.FBI.Scam), [217.146.176.150] [76.97.214.250] <fbi.gov1 at aol.com> -> <user at myserver.example.com>, quarantine: virus-B6GPM2MSO72A, Message-ID: <53768.14962.bm at smtp129.mail.ukl.yahoo.com>, mail_id: B6GPM2MSO72A, Hits: -, size: 10114, 121 ms
On the outbound SMTP, it can block outbound which had passed via the
server above:
/var/log/amavisd.6.gz:Aug 18 09:51:45 smtp1 amavis[2808]: (02808-19) Blocked INFECTED (Heuristics.Phishing.Email.SSL-Spoof), ORIGINATING/MYNETS LOCAL [XXX.YYY.200.97] [XXX.YYY.200.97] <> -> <ibanking at ib.rbc.com>, quarantine: j/virus-jtffHFHT7zp1, Message-ID: <b54ad7a4-9a15-49c8-8d8b-a09ffeb84101 at example.com>, mail_id: jtffHFHT7zp1, Hits: -, size: 15455, 280 ms
My focus has been looking at the configuration which is specific to
ORIGINATING/MYNETS in amavis/conf.d/50-user (the SMTP server where
outbound catches it is Debian). Whatever it has going on is the winning
formula, I'd think.
$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 0,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  bypass_spam_checks_maps => ( [ "!.$mydomain", "." ] ),
  inet_acl => [ "127.0.0.0/8", "XXX.YYY.201.36", "XXX.YYY.201.37",
                "XXX.YYY.201.19", "XXX.YYY.200.21", "XXX.YYY.200.5", "XXX.YYY.201.5"
              ],
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};
I can't see anything special making it work there.
I do notice some tagging on the MX server's logs, but it doesn't block:
/var/log/amavisd.9.gz:Aug 15 06:39:30 mailmx1 amavis[7654]: (07654-08) run_av (ClamAV-clamd): /var/amavis/tmp/amavis-20120815T063030-07654/parts INFECTED: HTML.Phishing.Bank-1127
/var/log/amavisd.9.gz:Aug 15 06:39:30 mailmx1 amavis[7654]: (07654-08) Turning AV infection into a spam report: score=0.1, AV:HTML.Phishing.Bank-1127=0.1
/var/log/amavisd.9.gz:Aug 15 06:39:31 mailmx1 amavis[7654]: (07654-08) SPAM-TAG, <www-data at sycoweb.com> -> <sdogra at exchange.example.com>, No, score=5.694 tagged_above=0 required=6.2 tests=[AV:HTML.Phishing.Bank-1127=0.1, HTML_IMAGE_ONLY_16=1.048, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105, URIBL_PH_SURBL=3.44] autolearn=disabled
Maybe these are the successes to build on. What does it take to make
those into "Blocked INFECTED" cases?
I have a feeling there is a configuration problem I'm not seeing.
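The MX log in the post records exactly what happened to the phishing hit: amavis logged "Turning AV infection into a spam report: score=0.1", so the ClamAV name became a 0.1-point spam test instead of a blocking INFECTED verdict, and the resulting 5.694 sat below the 6.2 threshold, hence SPAM-TAG rather than Blocked. In amavisd-new that demotion is driven by the ordered regex list @virus_name_to_spam_score_maps (first match wins; a name that matches nothing stays INFECTED). The Python below is an added example, not code from the post or from amavisd-new: it re-derives that decision from a constructed copy of the SPAM-TAG line and shows what the same hits yield when the demotion map is empty. The two regexes are an assumption modelled on the shipped default for that setting (the poster's actual maps are not shown), and `threshold` stands in for the required= value; amavis logs the tag2 level there, and this example assumes kill_level is set to the same number.

```python
import re

# Ordered (pattern, score) pairs in the spirit of amavisd-new's
# @virus_name_to_spam_score_maps: first matching pattern wins, a numeric
# score demotes the AV hit to a spam test, and a detection that matches
# nothing stays a blocking "INFECTED" verdict.  These two patterns are an
# assumption modelled on the shipped default, not the poster's real config.
DEFAULT_MAP = [
    (re.compile(r'^(Heuristics\.)?Phishing\.'), 0.1),
    (re.compile(r'^(Email|HTML)\.Phishing\.'), 0.1),
]

# Constructed copy of the SPAM-TAG line from the post (addresses as posted).
SAMPLE_LINE = (
    "Aug 15 06:39:31 mailmx1 amavis[7654]: (07654-08) SPAM-TAG, "
    "<www-data at sycoweb.com> -> <sdogra at exchange.example.com>, No, "
    "score=5.694 tagged_above=0 required=6.2 "
    "tests=[AV:HTML.Phishing.Bank-1127=0.1, HTML_IMAGE_ONLY_16=1.048, "
    "HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105, URIBL_PH_SURBL=3.44] "
    "autolearn=disabled"
)

_SPAM_RE = re.compile(
    r'score=(?P<score>[-\d.]+) .*?required=(?P<required>[-\d.]+) '
    r'tests=\[(?P<tests>[^\]]*)\]'
)


def av_name_to_spam_score(av_name, maps=DEFAULT_MAP):
    """Return the spam score a detection name is demoted to, or None when no
    pattern matches and amavis would keep it as a blocking INFECTED result."""
    for pattern, score in maps:
        if pattern.search(av_name):
            return score
    return None


def parse_spam_tag(line):
    """Extract score, the required= threshold and the per-test scores from a
    SPAM-TAG / SPAM log line.  Returns None for any other record."""
    m = _SPAM_RE.search(line)
    if m is None:
        return None
    tests = {}
    for item in m.group("tests").split(", "):
        name, value = item.rsplit("=", 1)   # test names never contain '='
        tests[name] = float(value)
    return {"score": float(m.group("score")),
            "required": float(m.group("required")),
            "tests": tests}


def verdict(tests, threshold, maps=DEFAULT_MAP):
    """Re-derive the amavis outcome for a set of test hits.  Every AV:<name>
    entry is re-evaluated against `maps`; the first name that is not demoted
    short-circuits to ("Blocked INFECTED", name).  Otherwise the scores are
    summed and compared with the threshold (assumed to equal kill_level)."""
    total = 0.0
    for test, score in tests.items():
        if test.startswith("AV:"):
            name = test[len("AV:"):]
            score = av_name_to_spam_score(name, maps)
            if score is None:
                return "Blocked INFECTED", name
        total += score
    if total >= threshold:
        return "Blocked SPAM", round(total, 3)
    return "SPAM-TAG", round(total, 3)


if __name__ == "__main__":
    # The three detection names that appear in the post.
    for name in ("Email.FBI.Scam", "HTML.Phishing.Bank-1127",
                 "Heuristics.Phishing.Email.SSL-Spoof"):
        print(f"{name:40s} -> {av_name_to_spam_score(name)}")
    info = parse_spam_tag(SAMPLE_LINE)
    print("with demotion map :", verdict(info["tests"], info["required"]))
    print("with empty map    :", verdict(info["tests"], info["required"], maps=[]))
```

Running it shows Email.FBI.Scam matching nothing (so it stays INFECTED, as the MX log shows), while both phishing names are demoted to 0.1; with the map emptied the same SPAM-TAG input becomes "Blocked INFECTED". The outbound server's "Blocked INFECTED (Heuristics.Phishing.Email.SSL-Spoof)" line, with no "Turning AV infection into a spam report" line before it, is consistent with that map being absent or empty there, so the practitioner's check is to compare @virus_name_to_spam_score_maps on the two hosts before looking further at the policy banks.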