logging attachment hashes

Andreas Schulze via amavis-users amavis-users at amavis.org
Thu Dec 19 13:43:35 CET 2013


On 05.12.2013 09:18, Ralf Kirmis via amavis-users wrote:
> has anyone creative ideas on how to evaluate those hash values?

I could imagine an extension to amavis to look up the hash in external databases like a DNSBL.
Could be implemented as a virus scanner, for example.
The implementation should be able to include/exclude specific MIME types, extensions, sender, receiver, or whatever amavis already can do.

Unfortunately I can't implement this :-(

Andreas

> -----Original Message-----
> From: amavis-users [mailto:amavis-users-bounces+rk=wizard.de at amavis.org] On Behalf Of Andreas Schulze via amavis-users
> Sent: Tuesday, 5 November 2013 13:44
> To: amavis-users at amavis.org
> Subject: logging attachment hashes
> 
> I wrote a patch to enable amavisd logging a hash of each MIME part of a message.
> As a result we have nice logging about attachments with randomized names:
> Nov  5 13:24:34 amavis amavis[63605]: (63605) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_915348761926.zip
> Nov  5 13:24:47 amavis amavis[64401]: (64401) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_246684491810.zip
> Nov  5 13:24:49 amavis amavis[37512]: (37512) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_385492343722.zip
> Nov  5 13:25:11 amavis amavis[23929]: (23929) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_410730648345.zip
> Nov  5 13:25:28 amavis amavis[23927]: (23927) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_067966022207.zip
> Nov  5 13:25:35 amavis amavis[23931]: (23931) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_886327295193.zip
> Nov  5 13:25:49 amavis amavis[23923]: (23923) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_079214708084.zip
> Nov  5 13:25:58 amavis amavis[23936]: (23936) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_381806514856.zip
> 
> Looking at these logs it's very easy to identify malicious content still not detected by virus scanners.

-- 
Andreas Schulze
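
One way to evaluate the hash values locally, as an added example that is not part of the patch or of amavis: group the per-part log lines by md5 and report any hash that arrives under several distinct attachment names, which is the pattern visible in the quoted log. The function names, the `min_names` threshold and the last two sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Per-part log line format as shown in the quoted message. Assumption: every
# line of interest carries a "name:" field; lines without one are skipped.
PART_RE = re.compile(
    r"\((?P<am_id>[\w-]+)\) p\d+ \S+ Content-Type: (?P<ctype>[^,]+), "
    r"size: (?P<size>\d+) B, md5: (?P<md5>[0-9a-f]{32}), name: (?P<name>.+)$"
)

def parse_parts(lines):
    """Yield (md5, size, content_type, name) for each matching log line."""
    for line in lines:
        m = PART_RE.search(line)
        if m:
            yield m["md5"], int(m["size"]), m["ctype"].strip(), m["name"].strip()

def repeated_payloads(lines, min_names=3):
    """Return {md5: sorted names} for hashes seen under >= min_names distinct names."""
    names = defaultdict(set)
    for md5, _size, _ctype, name in parse_parts(lines):
        names[md5].add(name)
    return {h: sorted(n) for h, n in names.items() if len(n) >= min_names}

# The first three lines are copied from the message above; the last two are
# constructed for this example (one file sent twice under the same name).
SAMPLE_LOG = [
    "Nov  5 13:24:34 amavis amavis[63605]: (63605) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_915348761926.zip",
    "Nov  5 13:24:47 amavis amavis[64401]: (64401) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_246684491810.zip",
    "Nov  5 13:24:49 amavis amavis[37512]: (37512) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_385492343722.zip",
    "Nov  5 13:26:02 amavis amavis[23940]: (23940) p002 1/2 Content-Type: application/pdf, size: 48211 B, md5: 0123456789abcdef0123456789abcdef, name: newsletter.pdf",
    "Nov  5 13:26:09 amavis amavis[23941]: (23941) p002 1/2 Content-Type: application/pdf, size: 48211 B, md5: 0123456789abcdef0123456789abcdef, name: newsletter.pdf",
]

if __name__ == "__main__":
    for md5, names in repeated_payloads(SAMPLE_LOG).items():
        print(f"{md5}: {len(names)} distinct names, e.g. {names[0]}")
```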

