question: notification for infected mails

agatha
Normal user
Posts: 49
Joined: 2015-10-30 11:13

question: notification for infected mails

Post by agatha » 2016-11-21 16:35

Hello together!

I would like to forward all mails (or at least count them) that contained malware, so I can easily see if there is a peak in such mails.

My setup regarding this issue seems to be a bit problematic:

- All mails are mirrored to a certain address (Settings->Advanced->Mirror)
- Mails that contained malware are deleted and the recipient is notified (Settings->Anti-virus->General)
- The string "[VIRUS]" is added to the subject of such mails

My first attempt:
I set up a global rule that forwards all mails whose subject contains "[VIRUS]" to xy@xy.com. In combination with the mirror, I get 30 mails until the loop count reaches its maximum, because every time such a mail is mirrored, it triggers the forwarding, and this forwarding also contains this subject, and so on.

My second attempt:
I added a criterion to the rule: X-hMailServer-LoopCount with the value "equals 1". This reduces the forwarding to 2 mails for 1 infected mail.

Quite a bit better, but very inelegant.

There must be a way that only "original" mails are affected by a rule, not mails that are only mirrored. But I cannot find a criterion in the header.

It does not need to be a forward - any other "notification" is OK.

Maybe someone has a good idea or has already solved this problem for themselves.

Thanks
Agatha

jimimaseye
Moderator
Posts: 8713
Joined: 2011-09-08 17:48

Re: question: notification for infected mails

Post by jimimaseye » 2016-11-21 23:21

Erm..... why don't you just look at the hMailServer STATUS screen? "Viruses detected". I have this script called by my nightly backup bat file (reporting the numbers to my backup output logfile, so it's automated):

   ' Connect to the local hMailServer COM API and authenticate as the administrator
   Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate("Administrator", "ImNotTellingYou" )

   ' Print the counters that the admin STATUS screen shows
   wscript.echo vbCrLf
   wscript.echo "HMS Server Start Time: " & oApp.status.StartTime
   wscript.echo "HMS Daily Spam Reject count: " & oApp.status.RemovedSpamMessages
   wscript.echo "HMS Daily Viruses Removed count: " & oApp.status.RemovedViruses & vbCrLf
Or you can simply open a logfile and search for the word "VIRUS" (logged under APPLICATION logging). Again, simply count its occurrences (MS Word will count them for you).
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

ras07
Normal user
Posts: 228
Joined: 2010-03-11 08:51

Re: question: notification for infected mails

Post by ras07 » 2016-11-21 23:43

jimimaseye's reply is probably best, but if you still want to go the forwarding route, just add a rule criteria that says Recipient List does not include <mirroraddress.domain.com>.

mattg
Moderator
Posts: 21028
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: question: notification for infected mails

Post by mattg » 2016-11-22 01:24

agatha wrote:My second attempt:
I add a criteria to the rule: X-hMailServer-LoopCount with the value "equals 1". This reduces the forwarding to 2 mails for 1 infected mail.
Try X-hMailServer-LoopCount with the value "less than 1" Or what RAS07 says above. Either option will work.

FYI,
#1 if a virus is found using the Antivirus settings in hMailserver you don't have the option to add '[Virus]' to the subject line - that is only for SPAM
Your only options are to delete the attachment, or delete the message entirely.

#2 not much antivirus software detects malware. The best is ClamAV with SaneSecurity updates, but without that ClamAV is next to useless

#3 if you really want to see malware sent to you, use SpamAssassin and add the ClamAV connector to SpamAssassin, and then add the SaneSecurity definitions to ClamAV. This way the 'Malware' is seen more correctly as SPAM, rather than as a Virus
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

agatha
Normal user
Posts: 49
Joined: 2015-10-30 11:13

Re: question: notification for infected mails

Post by agatha » 2016-11-22 10:43

Thanks for the replies!
Try X-hMailServer-LoopCount with the value "less than 1"
I tried this. In this case no mail is forwarded.
just add a rule criteria that says Recipient List does not include <mirroraddress.domain.com>
Thanks for this hint. This still creates a loop, but when the address to which the messages are forwarded is also excluded, then it works!
#1 if a virus is found using the Antivirus settings in hMailserver you don't have the option to add '[Virus]' to the subject line - that is only for SPAM
Your only options are to delete the attachment, or delete the message entirely.
Yes, you have this option. Not in the same way as it is solved for SPAM, but in Settings->Advanced->Server messages->VIRUS_FOUND
#2 not many antivirus software detect malware. The best is ClamAV with SaneSecurity updates, but without that ClamAV is next to useless
I use ClamAV with some signatures from Sanesecurity*) and with signatures from securiteinfo.com. You are very right that the "standard signatures" are pretty worthless.
#3 if you really want to see malware sent to you, use SpamAssassin and add the ClamAV connector to SpamAssassin, and then add the SaneSecurity definitions to ClamAV. This way the 'Malware' is seen more correctly as SPAM, rather than as a Virus
OK. But I want the original infected mails to be deleted, not just marked. Some users just do not care if the mail is marked; they open the attachment anyway.
I have this script called by my nightly backup bat file
This sounds interesting. But I am not very good at scripting. I will try this, but I think this will lead to some more questions ...
Or you can simply open an logfile and search for the word "VIRUS"
Of course. I also log the clamd events. But it is not very comfortable. I would prefer an automated solution.

*)
sanesecurity.ftm
sigwhitelist.ign2
rogue.hdb
junk.ndb
foxhole_filename.cdb
foxhole_generic.cdb
foxhole_all.cdb
phish.ndb
badmacro.ndb
jurlbl.ndb
scam.ndb
winnow_malware.hdb
winnow_extended_malware.hdb
crdfam.clamav.hdb

jimimaseye
Moderator
Posts: 8713
Joined: 2011-09-08 17:48

Re: question: notification for infected mails

Post by jimimaseye » 2016-11-22 14:41

Very convoluted and unnecessarily so IMO.

I use Clam, have viruses stripped, and the resultant email sent to trash, and at the end of the day I know how many. How? Well, see my first post.

1, Antivirus settings - General - "DELETE ATTACHMENTS" ticked.
2, General rule: if SUBJECT 'regular expression' (?i:^Virus found:.*$) then ..(delete/move to trash, whatever you want)
3, Run the script I post above or look at the STATUS screen (for AV count)

No mirroring, forwarding, anything else required. Viruses detected, emails removed, and count provided just as you requested.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

agatha
Normal user
Posts: 49
Joined: 2015-10-30 11:13

Re: question: notification for infected mails

Post by agatha » 2016-11-22 16:09

Very convoluted and unnecessarily so IMO.

I use Clam, have viruses stripped, and the resultant email sent to trash, and at the end of the day I know how many. How? Well, see my first post.
I guess you misunderstood it.

The mirroring applies to all mails. It is meant to archive all mails. It has nothing to do with the malware, but it had to do with the problem of the loop. That was the reason I mentioned it.

The reason why I want those "results" is to know when an exceptional number of malware mails is received. Of course, I could look at the logs every day, but that is not what I want. I would like to have an automatic "hint".

To forward affected mails is one way to achieve this (it now works). Another way would be to count daily and send a message when a certain limit is reached. But the forwarding also shows in an easy way which senders or recipients are affected.

That is OK for me, and I do not see a way that is easier for this purpose. Only seeing the absolute number when I manually look is not the target.

A lot better would be a kind of quarantine. Which means that mails are moved to a special folder before they (or their attachments) are deleted. But as far as I know, the removal takes place before any rule can jump in. Maybe a future release will add a "move" in addition to "delete".
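Agatha's idea of a daily count with an automatic hint when a limit is reached, combined with jimimaseye's suggestion of counting "VIRUS" lines in the APPLICATION log, as an added example that is not from this thread or from hMailServer. The tab-separated log layout and the log lines themselves are constructed for the example; compare the regex with a real line from your own hMailServer.log before relying on it.

```python
import re
from collections import Counter
from statistics import mean
from typing import Dict, List

# Assumed hMailServer application-log layout (constructed for this example):
#   "APPLICATION"<TAB>pid<TAB>"YYYY-MM-DD HH:MM:SS.mmm"<TAB>"message text"
_LINE_RE = re.compile(r'^"APPLICATION"\t\d+\t"(\d{4}-\d{2}-\d{2}) [^"]*"\t"(.*)"$')


def count_virus_hits_per_day(lines: List[str]) -> Dict[str, int]:
    """Count log lines that mention 'virus' (the search jimimaseye suggests), per date."""
    per_day: Counter = Counter()
    for line in lines:
        m = _LINE_RE.match(line.rstrip("\r\n"))
        if m and re.search(r"virus", m.group(2), re.IGNORECASE):
            per_day[m.group(1)] += 1
    return dict(per_day)


def peak_days(per_day: Dict[str, int], absolute_limit: int, factor: float = 2.0) -> List[str]:
    """Flag a day when its count reaches absolute_limit, or exceeds factor x the
    mean of the days seen before it (a 'peak' relative to the recent baseline)."""
    flagged: List[str] = []
    history: List[int] = []
    for day in sorted(per_day):
        n = per_day[day]
        if n >= absolute_limit or (history and n > factor * mean(history)):
            flagged.append(day)
        history.append(n)
    return flagged


def _line(ts: str, msg: str) -> str:
    # Build one constructed log line in the assumed layout above.
    return f'"APPLICATION"\t3604\t"{ts}"\t"{msg}"'


# Constructed sample log: 2 hits on 11-21, 1 on 11-22, 5 on 11-23, plus unrelated lines.
SAMPLE_LOG = [
    _line("2016-11-21 09:12:01.100", "Virus found in message 101. Deleting attachment."),
    _line("2016-11-21 09:12:01.250", "SMTPDeliverer - Message 101 delivered to 1 recipient"),
    _line("2016-11-21 14:40:55.300", "Virus found in message 118. Deleting attachment."),
    _line("2016-11-22 08:30:12.420", "Virus found in message 140. Deleting attachment."),
    _line("2016-11-22 08:31:00.000", "SMTPDeliverer - Message 141 delivered to 2 recipients"),
] + [
    _line(f"2016-11-23 10:{i:02d}:00.000", f"Virus found in message {160 + i}. Deleting attachment.")
    for i in range(5)
]

if __name__ == "__main__":
    counts = count_virus_hits_per_day(SAMPLE_LOG)
    print(counts)
    print(peak_days(counts, absolute_limit=10))
```

Run it from the nightly batch job and mail the result when the returned list is non-empty; if hMailServer logs more than one line per infected message, count per message id instead of per line.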

jimimaseye
Moderator
Posts: 8713
Joined: 2011-09-08 17:48

Re: question: notification for infected mails

Post by jimimaseye » 2016-11-22 16:15

Fair enough. I guess I didn't fully understand what you were trying to achieve. My answer gave a solution to my understanding of what you were asking.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Posts: 21028
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: question: notification for infected mails

Post by mattg » 2016-11-22 17:26

agatha wrote:A lot better would be a kind of quarantine. Which means that mails are moved to a special folder before they (or their attachments) are deleted. But as I know, the removal takes place, before any rule can jump in. Maybe a future release will add a "move" in addition to "delete".
mattg wrote:#3 if you really want to see malware sent to you, use SpamAssassin and add the ClamAV connector to SpamAssassin, and then add the SaneSecurity definitions to ClamAV. This way the 'Malware' is seen more correctly as SPAM, rather than as a Virus
Then set your spam mark score low enough to be useful, and your delete mark extremely high

I also use a global rule to forward all mail marked as SPAM to a spam@mydomain.com.au address, which then has an account level rule to move these messages into a public IMAP folder that multiple (selected) people can see, and different permissions each for.

My setup is probably quite convoluted. :D
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

agatha
Normal user
Posts: 49
Joined: 2015-10-30 11:13

Re: question: notification for infected mails

Post by agatha » 2016-11-23 14:28

Then set your spam mark score low enough to be useful, and your delete mark extremely high
I have done this, but I want to handle spam and infected mails in a different way. People should be able to read mails that are marked as spam by themselves (because there is a lot of spam), but infected mails should not be accessible.
If all the users would think before they open an attachment, it would be great. But that is unfortunately not how it works. You can tell them to be careful and the next day: "look, an attachment - invoice.zip sounds important!" *click* (I know I can block certain attachments, but it is not reasonable to block all of them).
My setup is probably quite convoluted.
For me, it would not fit my privacy concerns if so many mails are seen by some "superusers". But ignoring that, it seems to be a well working setup.

I like it very much, that HMS separates malware from spam, so that it can be handled differently. But since HMS just deletes malware (or mails that are suspected to contain malware) it forces me to use only low risk signatures for false positives.

A quarantine or only a global rule that steps in before virus detection takes place would be an elegant way to avoid this "swim or sink".

mattg
Moderator
Posts: 21028
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: question: notification for infected mails

Post by mattg » 2016-11-23 15:22

agatha wrote:But since HMS just deletes malware (or mails that are suspected to contain malware) it forces me to use only low risk signatures for false positives.
But that's my point

If you use the Antivirus section of hMailServer, yes, the attachment will be deleted
If you use Spamassassin with ClamAV scoring, then the message is treated as a SPAM message, not as a Virus.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

agatha
Normal user
Posts: 49
Joined: 2015-10-30 11:13

Re: question: notification for infected mails

Post by agatha » 2016-11-23 17:04

But that's my point
But how do you differentiate between spam and malware?

Or do you say: spam and malware are both unwanted and so they are treated the same way? That is consistent, but it leads to the following problem:
- when you have a low score for spam, you will get a lot of mails (and a lot of false positives) in your public folder.
- when you have a higher score for spam, you will reduce the mails in the public folder, but more real spam is completely unmarked in the inboxes.

And on top of that, when you mark spam and malware with the same flag, you have to be much more careful with malware, because you do not know why it is flagged. Is it only spam or is it even malware (especially when spoofed addresses are used)? You just need more time and more effort to examine it.

In my opinion, spam and malware are two different things. Spam is irritating and malware is dangerous.

mattg
Moderator
Posts: 21028
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: question: notification for infected mails

Post by mattg » 2016-11-24 01:06

So I'm confused

Do you want to inspect the malware or delete it?
I offered you a solution to do either, and all I seem to be getting back is a desire to have an argument about the philosophy of whether malware is spam or a Virus
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

agatha
Normal user
Posts: 49
Joined: 2015-10-30 11:13

Re: question: notification for infected mails

Post by agatha » 2016-11-24 11:31

Do you want to inspect the malware or delete it?
Well, it is a balance between effort and benefit.

The first target is, that users do not get infected mails. The second target is, that I do not have to inspect hundreds of spam mails per day.

Of course, your setup works. When you invest the time to inspect all the mail marked as spam.

But I do not want to mix up spam and malware. So for me, your solution will not work. That is all.

jimimaseye
Moderator
Posts: 8713
Joined: 2011-09-08 17:48

Re: question: notification for infected mails

Post by jimimaseye » 2016-11-24 11:35

Why not.....


1, apply Matt's method to evaluate using the CLAMAV plugin in spamassassin.
2, have a rule that looks for the rule header ("Clamav_virus" or whatever the rule header is) that gets applied if detected and then does the forward and then the delete of the email

That way the email will be forwarded to whatever quarantine/deletion you want of it for statistics/storage without the end user receiving it.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

agatha
Normal user
Posts: 49
Joined: 2015-10-30 11:13

Re: question: notification for infected mails

Post by agatha » 2016-11-24 14:33

Why not.....
OK, good idea.

I did not know that I can have a different header for the case that a mail is marked as spam because of a match of the clamav definitions.
That could be nice.

Thanks.

jimimaseye
Moderator
Posts: 8713
Joined: 2011-09-08 17:48

Re: question: notification for infected mails

Post by jimimaseye » 2016-11-24 14:39

I was referring to the headers that appear in the spamassassin report in the message source

eg,

X-Spam-Report: 
 * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 *      [score: 0.0000]
 *  7.0 MY_PHISH_BODY pay/itun/App/acc/detected (verif|update... etc)
 *  0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
 *
I have not used the clamav plugin that matt is using, but I would think it leaves some sort of identifiable header that you can then search for and act upon if it exists (following a positive malware detection).
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Posts: 21028
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: question: notification for infected mails

Post by mattg » 2016-11-24 15:40

* 3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL 
* [41.114.198.230 listed in zen.spamhaus.org]
* 0.4 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000]
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100% * [score: 1.0000]
* 5.0 ZIP_ATTACHED BODY: email contains a ZIP file attachment
* 2.2 ADD_TO_SCORE FULL: This simply adds 2.2 to score to match hMailserver
* 0.0 CLAMAV Clam AntiVirus detected something... * [Sanesecurity.Malware.26490.JsHeur.UNOFFICIAL]
* 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
* 15 CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
* 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
* 0.0 HELO_MISC_IP Looking for more Dynamic IP Relays
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
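An added example (not from this thread, hMailServer or SpamAssassin) that parses X-Spam-Report blocks like the two quoted above and separates "a ClamAV rule fired" from the plain spam score, which is the distinction agatha is after. The rule names CLAMAV and CLAMAV_SANE are taken from mattg's report and assumed to be what the plugin writes on other setups too; the two sample reports are constructed from the quoted lines.

```python
import re
from typing import List, NamedTuple, Optional
# One scored rule hit from a SpamAssassin X-Spam-Report block.
RuleHit = NamedTuple("RuleHit", [("score", float), ("name", str), ("description", str)])

class Verdict(NamedTuple):
    total: float                      # sum of all rule scores
    is_spam: bool                     # total reached the spam threshold
    malware_signature: Optional[str]  # ClamAV signature (or rule name) when a ClamAV rule fired

# " * 15 CLAMAV_SANE SPAM found by ..." -> score, rule name, rest of line
_HIT_RE = re.compile(r"^\s*\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s*(.*)$")
# " *      [score: 0.0000]" or " * [host listed in ...]" -> detail for the previous hit
_CONT_RE = re.compile(r"^\s*\*\s*(\[.*)$")
# Rule names the ClamAV plugin wrote in mattg's report (assumption: stable across setups)
MALWARE_RULES = {"CLAMAV", "CLAMAV_SANE"}


def parse_spam_report(report: str) -> List[RuleHit]:
    """Parse the body of an X-Spam-Report header into scored rule hits."""
    hits: List[RuleHit] = []
    for line in report.splitlines():
        m = _HIT_RE.match(line)
        if m:
            hits.append(RuleHit(float(m.group(1)), m.group(2), m.group(3).strip()))
            continue
        c = _CONT_RE.match(line)
        if c and hits:  # fold the bracketed detail into the preceding hit
            prev = hits[-1]
            hits[-1] = prev._replace(description=f"{prev.description} {c.group(1)}".strip())
    return hits


def classify(report: str, spam_threshold: float = 5.0) -> Verdict:
    """Tell 'ClamAV saw something' apart from an ordinary spam score."""
    hits = parse_spam_report(report)
    total = round(sum(h.score for h in hits), 1)
    signature: Optional[str] = None
    for h in hits:
        if h.name not in MALWARE_RULES:
            continue
        m = re.search(r"\[([^\]]+)\]", h.description)
        if m:
            signature = m.group(1)   # e.g. Sanesecurity.Malware.26490.JsHeur.UNOFFICIAL
        elif signature is None:
            signature = h.name       # CLAMAV_SANE fired but named no signature
    return Verdict(total, total >= spam_threshold, signature)


# Constructed from the lines mattg quoted (signature detail on the same line, as there).
SAMPLE_MALWARE_REPORT = """\
 * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000]
 * 5.0 ZIP_ATTACHED BODY: email contains a ZIP file attachment
 * 0.0 CLAMAV Clam AntiVirus detected something... * [Sanesecurity.Malware.26490.JsHeur.UNOFFICIAL]
 * 15 CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
 * 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
"""
# Constructed from jimimaseye's lines (detail on its own continuation line, no ClamAV hit).
SAMPLE_SPAM_REPORT = """\
 * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 *      [score: 0.0000]
 *  7.0 MY_PHISH_BODY pay/itun/App/acc/detected (verif|update... etc)
 *
"""
```

A rule that keys on `malware_signature` being set can route such mail to a quarantine address while ordinary spam keeps its lower-score handling.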

agatha
Normal user
Posts: 49
Joined: 2015-10-30 11:13

Re: question: notification for infected mails

Post by agatha » 2016-11-25 09:54

@mattg
@jimimaseye
That is indeed interesting. Thank you.
CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
I guess, this is a result of the CLAMAV plugin for spamassassin? That means - as you mentioned before - I can use the malware definitions I want as definitions for spamassassin?

And we are talking about this: https://wiki.apache.org/spamassassin/ClamAVPlugin ?

I will see if it is a good idea for my purposes. It is a way to separate spam from malware without being forced to delete infected mails.
However, spamassassin does not work as reliably as clamav (I get errors that HMS cannot connect to spamassassin from time to time), and I am not sure if a Perl-based plugin will increase its reliability.

But anyway I will give it a try.
