Emails with JavaScript getting through?

Discussion in 'ISPConfig 3 Priority Support' started by rob_morin, Oct 11, 2016.

  1. rob_morin

    rob_morin Member

    Hello all, we get a lot of emails with attached zip files with JavaScript viruses getting through recently. What should I be checking for?
    Sample headers of an email....

    Thanks...

    Return-Path: <Livingston.254@nikanmedicalgroup.com>
    X-Original-To: rob@24365.ca
    Delivered-To: rob@24365.ca
    Received: from localhost (localhost [127.0.0.1])
    by mail2.dido.ca (Postfix) with ESMTP id C7DC1B000C6
    for <rob@24365.ca>; Thu, 6 Oct 2016 23:39:18 -0400 (EDT)
    X-Virus-Scanned: Debian amavisd-new at mail2.dido.ca
    X-Spam-Flag: YES
    X-Spam-Score: 7.214
    X-Spam-Level: *******
    X-Spam-Status: Yes, score=7.214 tagged_above=-999 required=4.5
    tests=[BAYES_00=0.1, RCVD_IN_PBL=3.335, RDNS_NONE=3,
    SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
    Received: from mail2.dido.ca ([127.0.0.1])
    by localhost (mail2.dido.ca [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id fnefG50-__LR for <rob@24365.ca>;
    Thu, 6 Oct 2016 23:39:18 -0400 (EDT)
    Received: from [106.207.142.106] (unknown [106.207.142.106])
    by mail2.dido.ca (Postfix) with ESMTP id EF85FB000C5
    for <rob@24365.ca>; Thu, 6 Oct 2016 23:39:16 -0400 (EDT)
    Received: (from hq@localhost)
    by nikanmedicalgroup.com (8.14.5/8.13.8/Submit) id E50D74FE9075;
    Fri, 07 Oct 2016 09:09:07 +0530
    (envelope-from hq)
    Date: Fri, 07 Oct 2016 09:09:07 +0530
    Message-Id: <20161007090907.adad87959d58b1c093fb437c699a825e@nikanmedicalgroup.com>
    To: rob@24365.ca
    Subject: ***SPAM***wrong paychecks
    X-PHP-Script: hq.nikanmedicalgroup.com/mail/message.php for 69.131.189.127, 69.131.189.127
    MIME-Version: 1.0;
    Content-Type: multipart/mixed; boundary="--adad87959d58b1c093fb437c699a825e"
    From: "Veronica Livingston" <Livingston.254@nikanmedicalgroup.com>
    X-SA-Exim-Connect-IP: 10.64.13.172
    X-SA-Exim-Mail-From: Livingston.254@nikanmedicalgroup.com
    X-SA-Exim-Scanned: No (on hq.nikanmedicalgroup.com); SAEximRunCond expanded to false

    ----adad87959d58b1c093fb437c699a825e
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: base64

    DQpIZXkgVGFuaWEuIFRoZXkgc2VuZCB1cyB0aGUgd3JvbmcgcGF5Y2hlY2tzLiBBdHRhY2hlZCBp
    cyB5b3VyIHBheWNoZWNrIGFycml2ZWQgdG8gbXkgZW1haWwgYnkgbWlzdGFrZS4NCg0KUGxlYXNl
    IHNlbmQgbWluZSBiYWNrIHRvby4NCg0KDQoNCkJlc3QgcmVnYXJkcywNClZlcm9uaWNhIExpdmlu
    Z3N0b24=

    ----adad87959d58b1c093fb437c699a825e
    Content-Type: application/x-zip-compressed; name="paychecks_d8dfe081b.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="paychecks_d8dfe081b.zip"
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Antivirus checks are done by clamav. Check that the clamav daemon is running and that it has up to date signatures. Then you should check if the zip and unzip programs are installed so that clamav can unpack the attachments for scanning.
     
  3. rob_morin

    rob_morin Member

    Clamav is installed and running, signatures are up to date, and zip and unzip are installed and working.... What should I check next?
     
  4. rob_morin

    rob_morin Member

    I do see that amavis did catch some stuff as in the below logs...
    Oct 5 01:48:47 mail2 postfix/smtp[2882]: 3DD12B000BC: to=<lemoyne@videotron.ca>, relay=mx.videotron.ca[24.201.245.37]:25, delay=3.9, delays=0.01/0.02/3.6/0.25, dsn=5.2.0, status=bounced (host mx.videotron.ca[24.201.245.37] said: 552 5.2.0 rf4Nb8fb93wDarf4Qb1YFN message contained a virus. (in reply to end of DATA command))
     
  5. rob_morin

    rob_morin Member

    I also saw this in the log too....

    Oct 6 11:46:48 mail2 amavis[30244]: (30244-04) Blocked BANNED (ringcentral_fax_6oct.pif,UNDECIPHERABLE) {NoBounceOpenRelay}, [111.82.186.176]:56483 [111.82.186.176] <cleftinggwia5@regenesis.com> -> <gabe@streetforce.ca>, Queue-ID: 5A122B000B9, Message-ID: <4BZEPI7385F0@regenesis.com>, mail_id: cMO3o-ytgu23, Hits: -, size: 39514, 116 ms
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess that clamav has just no signatures for them then.
     
  7. rob_morin

    rob_morin Member

    I noticed that js was not in the config set up in /etc/amavis/conf.d/20-debian_defaults
    qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
    So I added it and restarted amavis, so now it's like this....
    qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl|js|jse)$'i, # banned extension - basic
     
  8. rob_morin

    rob_morin Member

    Ok, so now I tested by sending myself an email with a .js in a zip and I get this in mail.log
    So it looks good now!
    Hope this thread helps someone else!
    Thanks..
    Oct 11 11:11:47 mail2 amavis[28298]: (28298-10) Blocked BANNED (.asc,paychecks exported EB3C961.js) {NoBounceInbound}, [69.196.20.228]:34521 [69.196.20.228] <rob@24365.ca> -> <rob@2box.ca>, Queue-ID: 242C1B000B3, Message-ID: <c8d8ae9006f4b409ac3ed5f6cd0a9a45@24365.ca>, mail_id: sm6yIjaxcJuG, Hits: -, size: 16585, 108 ms
     
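The check that posts 7 and 8 describe, as an added example (not code from the thread or from amavis itself): a message shaped like the one in post 1 is constructed, with a zip attachment carrying a single .js file, and both versions of the banned-extension rule are applied to the attachment name and to the names of the members inside the zip. The basic rule never matches, because neither ".zip" nor the inner ".js" is on its list; the rule with js|jse added matches the inner file, which is what the "Blocked BANNED" line in post 8 shows. Sender, recipient and file contents are made up for the example; only the file names follow the thread.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# The two rules quoted in post 7, in amavis qr'...'i form, as Python regexes.
# re.I reproduces the trailing 'i' flag (case-insensitive), so "PAYCHECK.JS" also matches.
BANNED_BASIC = re.compile(r".\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$", re.I)
BANNED_WITH_JS = re.compile(r".\.(exe|vbs|pif|scr|bat|cmd|com|cpl|js|jse)$", re.I)


def build_sample_message():
    """Construct (not captured) a message like the one in post 1: a text part plus a
    zip attachment that contains one .js file. Addresses and body are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Stand-in for the JScript dropper; a harmless one-liner, only the name matters here.
        zf.writestr("paychecks exported EB3C961.js", "WScript.Echo('sample');\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "wrong paychecks"
    msg.set_content("Attached is your paycheck.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="x-zip-compressed", filename="paychecks_d8dfe081b.zip")
    return bytes(msg)


def attachment_names(raw):
    """Return every name a banned-name rule gets applied to: each attachment's own
    file name plus the member names of any zip it carries. amavis does the same
    unpacking through its decoders, which is why post 2 asks for zip/unzip.
    Nested archives are not descended here; amavis does so up to its own limits."""
    names = []
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        names.append(fname)
        payload = part.get_payload(decode=True)  # undo base64 transfer encoding
        if payload and zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                names.extend(zf.namelist())
    return names


def banned(names, rule):
    """Names that the given rule would block. amavis applies its patterns with =~,
    i.e. an unanchored search, so re.search is the matching operation."""
    return [n for n in names if rule.search(n)]


if __name__ == "__main__":
    names = attachment_names(build_sample_message())
    print("names seen by the rule:", names)
    print("blocked by basic rule:  ", banned(names, BANNED_BASIC))
    print("blocked with js|jse:    ", banned(names, BANNED_WITH_JS))
```

Two things the example does not reproduce: amavis also records the content type it detects with file(1) for each part (the ".asc" in the post 8 log line comes from that, not from the file name), and a banned-name rule only fires when the archive can be opened, so an encrypted or corrupt zip falls under the separate UNDECIPHERABLE handling seen in post 5.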