final_virus_destiny D_REJECT

Rob McKennon rmckennon at monetra.com
Wed Apr 27 21:34:36 CEST 2016



On 04/26/2016 02:25 PM, Mark Martinec wrote:
> Rob McKennon wrote:
>>>> Hello,
>>>>
>>>> We are setting up Amavis and Clamav to detect credit cards coming into
>>>> our email, and it's working.  However, it's returning the original
>>>> email to the sender, which also contains the credit card numbers.
>>>> Receiving the credit card numbers is bad enough, sending them back out
>>>> again violates PCI. Is there a way to reject the email without
>>>> returning the original email content?  Below is a returned email with
>>>> test numbers as an example.
>>>>
>>>> Thank you,
>>>> Rob McKennon
>>>>
>>>>                   The mail system
>>>>
>>>> <xxxxxxxxxx>: host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject,
>>>> id=06026-19 - INFECTED: Heuristics.Structured.CreditCardNumber (in
>>>> reply to end of DATA command)
>>>>
>>>> Final-Recipient: rfc822;xxxxxxxxxxxxx
>>>> Original-Recipient: xxxxxxxxxxxxxx
>>>> Action: failed
>>>> Status: 5.7.0
>>>> Remote-MTA: dns; 127.0.0.1
>>>> Diagnostic-Code: smtp; 554 5.7.0 Reject, id=06026-19 - INFECTED:
>>>> Heuristics.Structured.CreditCardNumber
>
>
> This looks like a bounce message from an MTA (not from amavisd).
>
> Preferably you should use a setup where amavisd is invoked
> before-queue, so that a D_REJECT will affect the original
> client session and no non-delivery notification will be sent.
>
> Alternatively, with postfix you can limit the amount of a message
> body that is included in a bounce generated by postfix:
>
>
>  bounce_size_limit (default: 50000)
>
>   The maximal amount of original message text that is sent in a
>   non-delivery notification. Specify a byte count. A message is
>   returned as either message/rfc822 (the complete original) or
>   as text/rfc822-headers (the headers only). With Postfix version
>   2.4 and earlier, a message is always returned as message/rfc822
>   and is truncated when it exceeds the size limit.
>
>
>
> A third option is to use D_BOUNCE as a destiny, so that
> the bounce will be generated by amavisd and not by an MTA.
> Such a bounce will only include the message header, no body of
> the bounced message.
>
> Of these three options, the only recommended one is to use
> amavisd in a before-queue setup and reject unwanted messages
> while they are being received.
>
>   Mark

Thanks Mark,

We decided to go with the bounce_size_limit = 1. This way a bounce is
sent back so the sender knows they messed up, but does not send the
credit-card numbers back out.

We also found that it has a lot of false positives, for which we have
sent in bug fixes.

Have a great day!

Rob.
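
One way to verify the outcome discussed in this thread, as an added example that is not from any of the posters or from the amavis or Postfix projects: the script parses a bounce, reports whether the original came back as message/rfc822 or text/rfc822-headers, and scans that part for Luhn-valid card numbers. The sample bounces, addresses and all function names are constructed for illustration.

```python
import email
import re
from email import policy

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut down false positives on digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    found = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [digits for digits in found if luhn_ok(digits)]

def audit_bounce(raw: str) -> dict:
    """Report how the original was returned and any card numbers in it."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("message/rfc822", "text/rfc822-headers"):
            return {"returned_as": ctype, "pans": find_pans(part.as_string())}
    return {"returned_as": None, "pans": []}

def make_dsn(returned_type: str, returned_text: str) -> str:
    """Constructed multipart/report bounce; not captured from a real server."""
    return (
        "From: MAILER-DAEMON@mx.example\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B"\n'
        "\n--B\nContent-Type: text/plain\n\nThe mail system\n"
        "\n--B\nContent-Type: message/delivery-status\n\nAction: failed\nStatus: 5.7.0\n"
        f"\n--B\nContent-Type: {returned_type}\n\n{returned_text}\n--B--\n"
    )

# Constructed original message carrying a well-known test card number.
ORIG_HEADERS = "From: customer@example.org\nTo: orders@example.com\nSubject: my order\n"
ORIG_BODY = "\nPlease charge card 4111 1111 1111 1111\n"
FULL = make_dsn("message/rfc822", ORIG_HEADERS + ORIG_BODY)
HEADERS_ONLY = make_dsn("text/rfc822-headers", ORIG_HEADERS)

if __name__ == "__main__":
    for name, dsn in (("full", FULL), ("headers-only", HEADERS_ONLY)):
        print(name, audit_bounce(dsn))
```

Run it against a test bounce captured after changing the setting: a result of text/rfc822-headers with an empty list means the body was not returned.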


