Malware - Delete mail or attachment

Use this forum if you want to suggest a new feature to hMailServer. Before posting, please search the forum to confirm that it has not already been suggested.
agatha
Normal user
Posts: 46
Joined: 2015-10-30 11:13

Malware - Delete mail or attachment

Post by agatha » 2015-12-10 17:09

When a virus is found, HMS either deletes the e-mail or only the attachment.

But it would be helpful - especially in case of a false positive - when the e-mail or the attachment is not deleted but moved to a special folder.

QuentinLeMee
New user
Posts: 5
Joined: 2015-12-10 21:53

Re: Malware - Delete mail or attachment

Post by QuentinLeMee » 2015-12-10 21:56

Hello,

I'm using hMailServer as an Exchange server backend with spamassassin and ClamAV.
I'm trying to do exactly the same thing: move virus mail in the spam directory.

For SpamAssassin, there is a header that allows me to make a custom rule, and I think that it would be great to have the same thing for Virus mail !

(And maybe the option to keep the file in case of false-positive !)

Thanks a lot !

mattg
Moderator
Posts: 20289
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Malware - Delete mail or attachment

Post by mattg » 2015-12-11 00:28

I'm sorry

You have a KNOWN virus as an attachment (NOT a potential SPAM message) and you want to keep the attachment?? That could be very dangerous...

I am unsure how a message with a known virus as an attachment could possibly be a false positive.
Anti-VIRUS detection looks for known viruses. Anti-SPAM looks at SPAM potential, and I can certainly see false positives for SPAM, but definitely not for Viruses

What am I missing??
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

QuentinLeMee
New user
Posts: 5
Joined: 2015-12-10 21:53

Re: Malware - Delete mail or attachment

Post by QuentinLeMee » 2015-12-11 00:36

Yes, I totally understand you.

I'm using ClamAV with (maybe) some unverified databases.
This causes ClamAV to detect some mails as "Virus" whereas it's more a spam.

This is the case that I want to be able to manage. I think that hMailServer should only delete attachments and add a header to the mail, but for the moment it adds "Virus Found" on the subject and the mail content.
(I'm not totally sure that this is related, but in these cases some mail display as Base64 encoded because of this text...)

Thanks !

mattg
Moderator
Posts: 20289
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Malware - Delete mail or attachment

Post by mattg » 2015-12-11 05:43

QuentinLeMee wrote:Y but for the moment it adds "Virus Found" on the subject and the mail content...
That is set in Server messages

Make virus found empty and see if that does what you want

agatha
Normal user
Posts: 46
Joined: 2015-10-30 11:13

Re: Malware - Delete mail or attachment

Post by agatha » 2015-12-11 10:18

I am unsure how a message with a known virus as an attachment could possibly be a false positive.
That depends on the signatures. Especially when heuristic is used.
In my case, I use ClamAV with signatures from sanesecurity and from securite.

QuentinLeMee
New user
Posts: 5
Joined: 2015-12-10 21:53

Re: Malware - Delete mail or attachment

Post by QuentinLeMee » 2015-12-12 15:20

mattg wrote:
QuentinLeMee wrote:Y but for the moment it adds "Virus Found" on the subject and the mail content...
That is set in Server messages

Make virus found empty and see if that does what you want
I've tried this, but I still have base64 encoded virus messages...
I also get some encoded messages like this: "Cette ann=C3=A9e, votre No=C3=ABl sera connect=C3=A9 =21 Mesurez, am=C3= =A9liorez, capturez et partagez vos exploits sportifs en toute simplicit=C3=A9 avec notre s=C3=A9lection de produits techno =21 =23GOSPORT"

It looks like my client can't detect the text encoding used when the message is modified (I'm using Outlook, but it is the same with Thunderbird and my mobile client).

Thanks !
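The "=C3=A9" sequences in the post above are quoted-printable encoded UTF-8, which a client only decodes when the message's Content-Transfer-Encoding header says so. The following is an added example, not code from the thread or from hMailServer, showing the same body rendered with and without that header; that a rewrite of the body can leave the header and body out of step is an assumption offered as one plausible cause, not something the thread confirms. The sample text and the addresses are constructed.

```python
import quopri
from email import message_from_string

# Constructed sample body, modelled on the quoted-printable fragment quoted in the post above
# ("=C3=A9" is UTF-8 "é", "=21" is "!", and "=" at the end of a line is a soft line break).
QP_BODY = (
    "Cette ann=C3=A9e, votre No=C3=ABl sera connect=C3=A9 =21 Mesurez, am=C3=\n"
    "=A9liorez, capturez et partagez vos exploits sportifs.\n"
)


def build_message(keep_cte: bool) -> str:
    """Build a text/plain message whose body is quoted-printable encoded.

    keep_cte=False simulates a rewrite that kept the encoded body but lost the
    Content-Transfer-Encoding header (assumed cause, not confirmed by the thread).
    """
    headers = [
        "From: sender@example.invalid",  # placeholder addresses
        "To: user@example.invalid",
        "Subject: test",
        "MIME-Version: 1.0",
        'Content-Type: text/plain; charset="utf-8"',
    ]
    if keep_cte:
        headers.append("Content-Transfer-Encoding: quoted-printable")
    return "\n".join(headers) + "\n\n" + QP_BODY


def render_as_client(raw: str) -> str:
    """Decode the body the way a mail client does: only the declared transfer encoding is undone."""
    msg = message_from_string(raw)
    charset = msg.get_content_charset() or "ascii"
    return msg.get_payload(decode=True).decode(charset, errors="replace")


def decode_fragment(fragment: str) -> str:
    """Decode a quoted-printable fragment by hand, e.g. one copied out of a raw message."""
    return quopri.decodestring(fragment.encode("ascii")).decode("utf-8", errors="replace")


if __name__ == "__main__":
    print("with CTE header:   ", render_as_client(build_message(True)).strip())
    print("without CTE header:", render_as_client(build_message(False)).strip())
```

With the header present the client shows "Cette année, votre Noël sera connecté !"; without it the raw "=C3=A9" text is displayed, which is what the post describes. When checking a message that renders like this, compare its Content-Transfer-Encoding header against what the body actually contains.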

mattg
Moderator
Posts: 20289
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Malware - Delete mail or attachment

Post by mattg » 2015-12-30 06:11

QuentinLeMee wrote:I'm using ClamAV with (maybe) some unverified databases.
This cause ClamAV to detect some mails as "Virus" whereas it's more a spam.
I've worked out that you can use ClamAV scores in Spamassassin >> https://wiki.apache.org/spamassassin/ClamAVPlugin

Then you could NOT use the hMailserver ClamAV integration and achieve what you need

QuentinLeMee
New user
Posts: 5
Joined: 2015-12-10 21:53

Re: Malware - Delete mail or attachment

Post by QuentinLeMee » 2016-01-18 22:51

Hello,

After a while of testing, it seems to be working great this way.
ClamAV integrated in SpamAssassin.

If anyone wants it, I've edited the sources of the ClamAV plugin, which wasn't working on Windows Server 2012.

Thanks !

Quentin

mattg
Moderator
Posts: 20289
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Malware - Delete mail or attachment

Post by mattg » 2016-01-19 00:46

so you have clamd running as a windows service on Server 2012?

QuentinLeMee
New user
Posts: 5
Joined: 2015-12-10 21:53

Re: Malware - Delete mail or attachment

Post by QuentinLeMee » 2016-01-19 13:53

Absolutely yes, I'm using winserv for this, as explained in this post:
https://www.lyquidity.com/devblog/?p=417

But now ClamAV is no longer called by hMailServer; instead it's called through the SpamAssassin plugin, and the ClamAV score is added to SpamAssassin's.

jimimaseye
Moderator
Posts: 8170
Joined: 2011-09-08 17:48

Re: Malware - Delete mail or attachment

Post by jimimaseye » 2016-01-19 14:33

I know this has been discussed before but.......

....if a virus attachment is on an email, why wouldn't you want HMS to delete the attachment? Yet instead you further leave the risk that the untrained/uninitiated user believes that the email (just because it has their name in it and is from someone they think they deal with) is a false positive/genuine one and goes ahead and opens the attachment anyway (despite the "[SPAM]" subject)?

Surely the very rare occasion where a genuine attachment gets deleted ('false positive') means that you can just contact the original sender again and remedy this. "Dear sender, did you send me an email this morning because..."?

(And let's face it, you're using ClamAV so getting a false positive is nigh-on impossible given that it even struggles to identify REAL GENUINE threats within a year of release.. You may of course though be using 3rd party signatures which are likely to be more tightly controlled, more productive, and even less likely to have a false positive than an average mainstream product).

(BTW, I used NSSM for Clamd service installed as detailed in here: viewtopic.php?f=21&t=26829)
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Posts: 20289
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Malware - Delete mail or attachment

Post by mattg » 2016-01-19 15:30

I asked earlier Jim

Using ClamAV for Sane Security Heuristics is anti-SPAM not AntiVirus

As you've noted, Sane Security make ClamAV useful; ClamAV is pretty useless on its own.
You can set ClamAV to score heuristics differently than viruses (although it's not foolproof) >>

jimimaseye
Moderator
Posts: 8170
Joined: 2011-09-08 17:48

Re: Malware - Delete mail or attachment

Post by jimimaseye » 2016-01-19 15:34

I believe you scan it twice though, right Matt? Use the SA clam plugin detection for heuristics and then scan again within HMS and let it delete and 'virus found' attachments?

mattg
Moderator
Posts: 20289
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Malware - Delete mail or attachment

Post by mattg » 2016-01-19 15:44

Yes I have been, but I guess you don't need to.

I've just had a look and found a mail that was scored for SPAM, but the message had no attachment, so there was nothing deleted (my settings just delete virus attachments, not delete email)

Code: Select all

Return-Path: 	replies@email.SPAMMER.com.au
Delivered-To: 	spam@mydomin.com.au
X-Spam-Checker-Version: 	SpamAssassin 3.4.0 (2014-02-07) on ubuntu
X-Spam-Flag: 	YES
X-Spam-Level: 	*************
X-Spam-Status: 	Yes, score=13.3 required=3.0 tests=ADD_TO_SCORE,CLAMAV, HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,T_DKIM_INVALID autolearn=disabled version=3.4.0
X-Spam-Virus: 	Yes (Heuristics.Phishing.Email.SpoofedDomain)
X-Spam-Report: 	* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no * trust * [192.86.51.102 listed in list.dnswl.org] * 2.2 ADD_TO_SCORE BODY: This simply adds 2.2 to the score * 0.0 HTML_MESSAGE BODY: HTML included in message * 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts * 10 CLAMAV Clam AntiVirus detected a virus * [Heuristics.Phishing.Email.SpoofedDomain] * 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
Received: 	from ... by mx.mydomain.com.au with ESMTP ; Mon, 18 Jan 2016 22:54:44 +1000
DKIM-Signature: 	v=1; a=rsa-sha1;XXXXXXXXXXXXXXXXXXXXXXXXX=
Received: 	from ... for <matt@mydomain.com.au>; Mon, 18 Jan 2016 06:33:58 -0500 (envelope-from <...>)
Received: 	from ... for <matt@mydomain.com.au>; Mon, 18 Jan 2016 06:33:54 -0500 (envelope-from <...>)
Date: 	Mon, 18 Jan 2016 06:33:54 -0500
From: 	....com.au>
Reply-To: 	...com.au>
Subject: 	[hMailServer says this is SPAM] We've found a new job opportunity you may be interested in
To: 	matt@mydomain.com.au
...
X-hMailServer-Spam: 	YES
X-hMailServer-Reason-3: 	Tagged as Spam by SpamAssassin - (Score: 13)
X-hMailServer-Reason-Score: 	13
X-hMailServer-LoopCount: 	1

jimimaseye
Moderator
Posts: 8170
Joined: 2011-09-08 17:48

Re: Malware - Delete mail or attachment

Post by jimimaseye » 2016-01-19 17:30

Maybe that email didn't have an attachment in the first place. It shows

Heuristics.Phishing.Email.SpoofedDomain

as being the clam detection so is about the body or header contents rather than an attachment?

I would imagine that the clam plugin will score 10 on any detection and unless you set clamav to delete on virus detection I would imagine it always passes the attachments back to hms.

mattg
Moderator
Posts: 20289
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Malware - Delete mail or attachment

Post by mattg » 2016-01-20 01:58

Yes it probably didn't have an attachment, I agree

But the ClamAV scanning with Sane Security definitions is what got this message marked as SPAM and sent to my spam account / folder
jimimaseye wrote:I would imagine that the clam plugin will score 10 on any detection and unless you set clamav to delete on virus detection I would imagine it always passes the attachments back to hms.
Exactly what the OP wanted to achieve

Me, I run ClamAV virus scanning inline, and so any virus attachments on my system will be removed (not quarantined)

RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Malware - Delete mail or attachment

Post by RvdH » 2018-09-29 17:05

I have some difficulties getting the "X-Spam-Virus" header displayed...

I've got 2 or 3 mails that have been tagged by SpamAssassin using the ClamAVPlugin; I see the scores being added but not the headers.

Does anyone have an idea?
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Malware - Delete mail or attachment

Post by RvdH » 2018-09-29 17:47

Nevermind...found the issue :oops:

insomniac2k2
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: Malware - Delete mail or attachment

Post by insomniac2k2 » 2018-10-01 03:23

This is not directly answering your inquiry, but I figured that I would share how I am configured. I am very happy with my results.

I use Spamassassin to call ClamAV + sanesecurity. As others have stated, ClamAV is completely useless. But when you add sanesecurity, you end up with quite an amazing product. Comparable (frankly better) to any other AV product out there, in my experience.

For a while, this was enough, but I didn't like having my spam and virus email being handled in the same way, e.g. both going to the end user with a high score, but no real way of indicating if it was a virus or spam. That's when I stumbled across this plugin: https://wiki.apache.org/spamassassin/Cl ... ipleScores

This was a complete game changer for me. This allowed me to pass spam emails through to my Exchange server (for it to handle), and to score virus email high enough for hMailServer to just delete. Here is how I score my emails:

Code: Select all


# Look for specific types of ClamAV detections
header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,30}Phishing/i
header __CLAMAV_PHISH_HEUR X-Spam-Virus =~ /Yes.{1,30}Phishing\.Heuristics\.Email/
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,30}Sanesecurity/i
header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,30}MBL/
header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,30}MSRBL/
header __CLAMAV_VX X-Spam-Virus =~ /Yes.{1,30}VX\./

# Give the above rules a very late priority so that they can see the output
# of previous rules - otherwise they don't work! Not sure what the correct
# priority should be but this seems to work...
priority __CLAMAV_PHISH 9999
priority __CLAMAV_PHISH_HEUR 9999
priority __CLAMAV_SANE 9999
priority __CLAMAV_MBL 9999
priority __CLAMAV_MSRBL 9999
priority __CLAMAV_VX 9999


# Work out what ClamAV detected and score accordingly

# ClamAV general signatures
meta CLAMAV_VIRUS (CLAMAV && !__CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_MBL && !__CLAMAV_MSRBL && !__CLAMAV_VX)
describe CLAMAV_VIRUS Virus found by ClamAV default signatures
score CLAMAV_VIRUS 50.0

# ClamAV phishing signatures
meta CLAMAV_PHISH (CLAMAV && __CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_PHISH_HEUR)
describe CLAMAV_PHISH Phishing email found by ClamAV default signatures
score CLAMAV_PHISH 15.0

# ClamAV phishing with heuristic engine (not signatures based, may lead to false positives)
# Available since ClamAV 0.91
meta CLAMAV_PHISH_HEUR (CLAMAV && __CLAMAV_PHISH_HEUR)
describe CLAMAV_PHISH_HEUR Phishing email found by ClamAV heuristic engine
score CLAMAV_PHISH_HEUR 2.0

# ClamAV SaneSecurity signatures from http://www.sanesecurity.com/clamav/
meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE)
describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
score CLAMAV_SANE 7.5

# ClamAV MBL signatures from http://www.malware.com.br/
meta CLAMAV_MBL (CLAMAV && __CLAMAV_MBL)
describe CLAMAV_MBL Malware found by ClamAV MBL signatures
score CLAMAV_MBL 7.5

# ClamAV MSRBL signatures from http://www.msrbl.com/
meta CLAMAV_MSRBL (CLAMAV && __CLAMAV_MSRBL)
describe CLAMAV_MSRBL SPAM found by ClamAV MSRBL signatures
score CLAMAV_MSRBL 2.0

# ClamAV SecuriteInfo.com VX malware signatures from
# http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
meta CLAMAV_VX (CLAMAV && __CLAMAV_VX)
describe CLAMAV_VX Malware found by SecuriteInfo.com VX signatures
score CLAMAV_VX 5.0
I score virus emails 50. I delete anything over 14. YMMV
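To see what the rules above actually do to a message like the one mattg posted earlier (X-Spam-Virus: Yes (Heuristics.Phishing.Email.SpoofedDomain), score 13.3 with the plain CLAMAV test worth 10), here is an added example that is neither the thread's nor the plugin's code: it parses the SpamAssassin headers, mirrors the __CLAMAV_* sub-rules and the meta rules as Python regexes, re-scores the message, and applies the "delete over 14" threshold from the post above. One caveat it makes visible: the posted __CLAMAV_PHISH_HEUR rule looks for "Phishing.Heuristics.Email", while the posted header names the detection "Heuristics.Phishing.Email", so as written the heuristic hit lands in CLAMAV_PHISH (15) rather than CLAMAV_PHISH_HEUR (2); the example offers an order-tolerant variant. The sample headers and addresses are constructed, and treating the base CLAMAV score as exactly 10 is an assumption taken from the posted X-Spam-Report.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the headers posted earlier in this thread (placeholder addresses).
SAMPLE_MESSAGE = """\
X-Spam-Flag: YES
X-Spam-Status: Yes, score=13.3 required=3.0 tests=ADD_TO_SCORE,CLAMAV,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,T_DKIM_INVALID autolearn=disabled version=3.4.0
X-Spam-Virus: Yes (Heuristics.Phishing.Email.SpoofedDomain)
Subject: [hMailServer says this is SPAM] We've found a new job opportunity
To: user@example.invalid

(body omitted)
"""

# The __CLAMAV_* sub-rules from the posted config, as Python regexes over the X-Spam-Virus value.
SUBRULES = {
    "__CLAMAV_PHISH": re.compile(r"Yes.{1,30}Phishing", re.I),
    "__CLAMAV_SANE": re.compile(r"Yes.{1,30}Sanesecurity", re.I),
    "__CLAMAV_MBL": re.compile(r"Yes.{1,30}MBL"),
    "__CLAMAV_MSRBL": re.compile(r"Yes.{1,30}MSRBL"),
    "__CLAMAV_VX": re.compile(r"Yes.{1,30}VX\."),
}
# The posted heuristic rule expects "Phishing.Heuristics.Email"; the posted header shows
# "Heuristics.Phishing.Email". The tolerant variant accepts either ordering.
HEUR_POSTED = re.compile(r"Yes.{1,30}Phishing\.Heuristics\.Email")
HEUR_TOLERANT = re.compile(r"Yes.{1,30}(?:Phishing\.Heuristics\.Email|Heuristics\.Phishing\.Email)")

BASE_CLAMAV_SCORE = 10.0  # score of the plain CLAMAV test in the posted X-Spam-Report (assumption)
DELETE_THRESHOLD = 14.0   # "I delete anything over 14" in the post above


def parse_spam_status(value):
    """Extract (score, required, tests) from an X-Spam-Status header value."""
    if not value:
        return 0.0, 0.0, []
    score = float(re.search(r"score=([-\d.]+)", value).group(1))
    required = float(re.search(r"required=([-\d.]+)", value).group(1))
    m = re.search(r"tests=(.*?)\s+autolearn=", value, re.S)
    tests = [t.strip() for t in m.group(1).split(",") if t.strip()] if m else []
    return score, required, tests


def classify_clamav(tests, virus_header, tolerant_order=True):
    """Return the [(meta_rule, score)] pairs that fire, mirroring the posted meta rules."""
    if "CLAMAV" not in tests:
        return []
    vh = virus_header or ""
    hit = {name: bool(rx.search(vh)) for name, rx in SUBRULES.items()}
    hit["__CLAMAV_PHISH_HEUR"] = bool((HEUR_TOLERANT if tolerant_order else HEUR_POSTED).search(vh))
    fired = []
    # CLAMAV_VIRUS: a detection that none of the named signature families claim
    if not any(hit[k] for k in ("__CLAMAV_PHISH", "__CLAMAV_SANE", "__CLAMAV_MBL", "__CLAMAV_MSRBL", "__CLAMAV_VX")):
        fired.append(("CLAMAV_VIRUS", 50.0))
    if hit["__CLAMAV_PHISH"] and not hit["__CLAMAV_SANE"] and not hit["__CLAMAV_PHISH_HEUR"]:
        fired.append(("CLAMAV_PHISH", 15.0))
    if hit["__CLAMAV_PHISH_HEUR"]:
        fired.append(("CLAMAV_PHISH_HEUR", 2.0))
    for sub, meta, score in (("__CLAMAV_SANE", "CLAMAV_SANE", 7.5), ("__CLAMAV_MBL", "CLAMAV_MBL", 7.5),
                             ("__CLAMAV_MSRBL", "CLAMAV_MSRBL", 2.0), ("__CLAMAV_VX", "CLAMAV_VX", 5.0)):
        if hit[sub]:
            fired.append((meta, score))
    return fired


def decide(raw, tolerant_order=True):
    """Re-score a SpamAssassin-tagged message under the meta rules and pick the hMailServer action."""
    msg = message_from_string(raw)
    score, required, tests = parse_spam_status(msg.get("X-Spam-Status", ""))
    fired = classify_clamav(tests, msg.get("X-Spam-Virus"), tolerant_order)
    # swap the flat CLAMAV score for the family-specific meta scores
    rescored = score - (BASE_CLAMAV_SCORE if "CLAMAV" in tests else 0.0) + sum(s for _, s in fired)
    rescored = round(rescored, 1)
    if rescored > DELETE_THRESHOLD:
        action = "delete"
    elif rescored >= required:
        action = "tag-as-spam"
    else:
        action = "deliver"
    return fired, rescored, action


if __name__ == "__main__":
    print("order-tolerant rule:", decide(SAMPLE_MESSAGE))
    print("rule as posted:     ", decide(SAMPLE_MESSAGE, tolerant_order=False))
```

With the order-tolerant rule the sample scores 5.3 and is only tagged as spam, which is the outcome the earlier posts want for a heuristic (possibly false-positive) phishing hit; with the rule exactly as posted it scores 18.3 and would be deleted. Worth checking against your own ClamAV version's detection names before relying on the 2.0 score for heuristics.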
