Emails with java script gettign through?

Discussion in 'ISPConfig 3 Priority Support' started by rob_morin, Oct 11, 2016.

  1. rob_morin

    rob_morin Member HowtoForge Supporter

    Hello all, We get alot of emails with attached zip files with javascript viruses getting through recently. What should i be checking for?
    Sample headers of an email....

    Thanks...

    Return-Path: <[email protected]>
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
    by mail2.dido.ca (Postfix) with ESMTP id C7DC1B000C6
    for <[email protected]>; Thu, 6 Oct 2016 23:39:18 -0400 (EDT)
    X-Virus-Scanned: Debian amavisd-new at mail2.dido.ca
    X-Spam-Flag: YES
    X-Spam-Score: 7.214
    X-Spam-Level: *******
    X-Spam-Status: Yes, score=7.214 tagged_above=-999 required=4.5
    tests=[BAYES_00=0.1, RCVD_IN_PBL=3.335, RDNS_NONE=3,
    SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
    Received: from mail2.dido.ca ([127.0.0.1])
    by localhost (mail2.dido.ca [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id fnefG50-__LR for <[email protected]>;
    Thu, 6 Oct 2016 23:39:18 -0400 (EDT)
    Received: from [106.207.142.106] (unknown [106.207.142.106])
    by mail2.dido.ca (Postfix) with ESMTP id EF85FB000C5
    for <[email protected]>; Thu, 6 Oct 2016 23:39:16 -0400 (EDT)
    Received: (from [email protected])
    by nikanmedicalgroup.com (8.14.5/8.13.8/Submit) id E50D74FE9075;
    Fri, 07 Oct 2016 09:09:07 +0530
    (envelope-from hq)
    Date: Fri, 07 Oct 2016 09:09:07 +0530
    Message-Id: <[email protected].com>
    To: [email protected]
    Subject: ***SPAM***wrong paychecks
    X-PHP-Script: hq.nikanmedicalgroup.com/mail/message.php for 69.131.189.127, 69.131.189.127
    MIME-Version: 1.0;
    Content-Type: multipart/mixed; boundary="--adad87959d58b1c093fb437c699a825e"
    From: "Veronica Livingston" <[email protected]>
    X-SA-Exim-Connect-IP: 10.64.13.172
    X-SA-Exim-Mail-From: [email protected]
    X-SA-Exim-Scanned: No (on hq.nikanmedicalgroup.com); SAEximRunCond expanded to false

    ----adad87959d58b1c093fb437c699a825e
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: base64

    DQpIZXkgVGFuaWEuIFRoZXkgc2VuZCB1cyB0aGUgd3JvbmcgcGF5Y2hlY2tzLiBBdHRhY2hlZCBp
    cyB5b3VyIHBheWNoZWNrIGFycml2ZWQgdG8gbXkgZW1haWwgYnkgbWlzdGFrZS4NCg0KUGxlYXNl
    IHNlbmQgbWluZSBiYWNrIHRvby4NCg0KDQoNCkJlc3QgcmVnYXJkcywNClZlcm9uaWNhIExpdmlu
    Z3N0b24=

    ----adad87959d58b1c093fb437c699a825e
    Content-Type: application/x-zip-compressed; name="paychecks_d8dfe081b.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="paychecks_d8dfe081b.zip"
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Antivirus checks are done by clamav. Check that the clamav daemon is running and that it has up to date signatures. Then you should check if the zip and unzip programs are installed so that clamav can unpack the attachments for scanning.
     
  3. rob_morin

    rob_morin Member HowtoForge Supporter

    Clamav is installed and running, signatures are up to date, and zip and unzip are installed and working.... What should i check next?
     
  4. rob_morin

    rob_morin Member HowtoForge Supporter

    I do see that amavis did catch some stuff as in the below logs...
    Oct 5 01:48:47 mail2 postfix/smtp[2882]: 3DD12B000BC: to=<[email protected]>, relay=mx.videotron.ca[24.201.245.37]:25, delay=3.9, delays=0.01/0.02/3.6/0.25, dsn=5.2.0, status=bounced (host mx.videotron.ca[24.201.245.37] said: 552 5.2.0 rf4Nb8fb93wDarf4Qb1YFN message contained a virus. (in reply to end of DATA command))
     
  5. rob_morin

    rob_morin Member HowtoForge Supporter

    I also saw this in teh log too....

    Oct 6 11:46:48 mail2 amavis[30244]: (30244-04) Blocked BANNED (ringcentral_fax_6oct.pif,UNDECIPHERABLE) {NoBounceOpenRelay}, [111.82.186.176]:56483 [111.82.186.176] <[email protected]> -> <[email protected]>, Queue-ID: 5A122B000B9, Message-ID: <[email protected]>, mail_id: cMO3o-ytgu23, Hits: -, size: 39514, 116 ms
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess that clamav has just no signatures for them then.
     
  7. rob_morin

    rob_morin Member HowtoForge Supporter

    I noticed that js was not in the config set up in /etc/amavis/conf.d/20-debian_defaults
    qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
    So i added it, and restart amavis , so now its like this....
    qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl|js|jse)$'i, # banned extension - basic
     
  8. rob_morin

    rob_morin Member HowtoForge Supporter

    Ok, so now i tested by sending myself an email with a js in a zip and i get this in mail.log
    So it looks good now!
    Hope this thread helps someone else!
    Thanks..
    Oct 11 11:11:47 mail2 amavis[28298]: (28298-10) Blocked BANNED (.asc,paychecks exported EB3C961.js) {NoBounceInbound}, [69.196.20.228]:34521 [69.196.20.228] <[email protected]> -> <[email protected]>, Queue-ID: 242C1B000B3, Message-ID: <[email protected]>, mail_id: sm6yIjaxcJuG, Hits: -, size: 16585, 108 ms
     
    till likes this.

Share This Page