Unwanted mail with malware

NethServer Version: 7.6.1810
Module: nethserver-mail 2.4.3-1 | clamav 0.101.0-1 | rspamd 1.8.2-2 | dovecot-antispam 0.0.49-3

Some of my users have been getting unwanted mails with malware. These mail addresses have this in common:
some.known.user@some.known.domain.user.attacker@attacker.domain
For example:
rosario@konfort.cucancun@jbge.com.mx

rosario@konfort.cu is the mail address that is known to my user

These mails have some random description like:
Please review the following invoice

And a .doc file which contains some kind of malware.

I have the Anti-spam and Anti-virus features enabled, yet these messages keep getting through. Is there a rule or something I can do to stop this?

Since these mails have an @ in the user part, maybe a rule might stop them. Any ideas?

1 Like

I didn’t find a rule/symbol, but did you try to mark these mails as spam?

Another (radical) way would be to block attachments.

You may have a look at the rspamd web interface “history” tab and check if the bad mails trigger some symbols. Then you could increase the score for the relevant symbols.

1 Like

@jfernandez could you please share the malware name?
Did you consider submitting the samples to ClamAV or testing the file with VirusTotal?

3 Likes

You could try to create a multimap rule in a fragment template:

/etc/e-smith/templates/etc/rspamd/local.d/multimap.conf/20BadUsers

# Refuse senders whose address has an @ inside the username part
FROM_REGEX {
    type = "from";
    map = [
    "${CONFDIR}/BadUsersFrom.map",
    ];
    action = "reject";
    prefilter = true;
    filter = "email:addr";
    symbol = "FROM_BADUSERS";
    description = "Refused list of Bad users FROM email address";
    regexp = true;
}

then create a map… YOU MUST ADD A BLANK LINE AT THE END

# cat /etc/rspamd/BadUsersFrom.map
/.*@.*@.*\..*$/

then launch the event

signal-event nethserver-mail-filter-save

As a side note, we could start some rules to refuse bad email addresses @davidep @giacomo
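To check the map line before deploying it, here is a small added example (not part of this thread or of the nethserver-mail module) that reads the map file the way rspamd does (skipping comments and blank lines, parsing /regex/flags) and applies it to the address part of a few constructed From: headers, as the filter "email:addr" in the rule above does. The sample senders and the Python re dialect standing in for PCRE are assumptions of this example.

```python
import re

# Contents of the map file as posted above, reproduced here as a string so the
# example runs offline. Lines starting with '#' and blank lines are skipped,
# mirroring how rspamd reads map files. Constructed for this example.
BAD_USERS_FROM_MAP = """\
# reject local parts that themselves contain an @
/.*@.*@.*\\..*$/

"""


def load_regexp_map(text):
    """Compile every /regex/flags line of a multimap file into a Python regex.

    rspamd writes regexp maps in PCRE style (/pattern/flags); Python's re
    dialect is close enough for this pattern to behave identically.
    """
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        end = line.rfind("/")
        if not line.startswith("/") or end == 0:
            raise ValueError(f"not a /regex/ map line: {raw!r}")
        body, flags = line[1:end], line[end + 1:]
        patterns.append(re.compile(body, re.IGNORECASE if "i" in flags else 0))
    return patterns


def addr_of(from_header):
    """Return only the addr-spec of a From: header, which is what the multimap
    filter "email:addr" hands to the regex (the display name is ignored)."""
    m = re.search(r"<([^>]*)>", from_header)
    return (m.group(1) if m else from_header).strip()


def would_reject(from_header, patterns):
    """True if the rule above (action = "reject") would refuse this sender."""
    addr = addr_of(from_header)
    return any(p.search(addr) for p in patterns)


# Constructed From: headers: the doubled-@ pattern from the report, plus
# legitimate senders that must keep passing.
SAMPLE_SENDERS = [
    "rosario@konfort.cucancun@jbge.com.mx",     # the pattern from the report
    "Rosario <rosario@konfort.cu>",             # the real, known sender
    "alice@example.com",
    "alice@example.com <alice@example.com>",    # '@' in the display name only
    '"a@b"@example.com',                        # RFC-valid quoted local part
]


def classify(senders=SAMPLE_SENDERS, map_text=BAD_USERS_FROM_MAP):
    """Map each sample sender to whether the map would reject it."""
    patterns = load_regexp_map(map_text)
    return {s: would_reject(s, patterns) for s in senders}


if __name__ == "__main__":
    for sender, rejected in classify().items():
        print(f"{'REJECT' if rejected else 'pass  '}  {sender}")
```

Two things the run makes visible: an @ that only appears in the display name does not trigger the rule, because the filter works on the address part; and a quoted local part such as "a@b"@example.com, which is RFC-valid but rare in practice, is rejected by this pattern, so watch the rspamd history tab for such false positives after enabling it.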

Shouldn’t that work also by setting it in the Rspamd UI?

Why not, but at a minimum we are missing this in our map setting

and also change the validator

…it seems a dangerous default :smiley:

1 Like

It’s an Emotet variant, ClamAV is dealing with it. All hail the mighty ClamAV!!!

I’m dealing with this Trojan on Windows PCs. I went into lockdown mode (drop every request from the green zone to the red zone except for specific services, enable logging for rules on the firewall) and started to check every request with a LAN source IP and some strange port (8080, 20, 22, 5000, etc.), like this:

# Starting at 2019-01-25 12:00:00, show every dropped or rejected packet from a LAN IP, excluding DNS, HTTP, HTTPS and NTP
# (the port list is anchored with \b so that 'DPT=80' does not also hide DPT=8080)
journalctl -x -S '2019-01-25 12:00:00' | grep 'SRC=192.168' | grep -Ev 'DPT=(80|443|123|53)\b' | grep -E 'DROP|REJECT'

then I went to every one of these affected PCs and, using:

REM Gives you the PID owning the connection on that port
netstat -ano | findstr :yourPortNumber
REM Gives you the process name for that PID
tasklist | findstr yourProcessPID

I found weird processes (*.exe files with recent modified/created dates in C:\Windows and C:\Windows\SysWOW64) on those computers, so I did some digging on the Internet and none of these apps have anything to do with Windows, so I deleted them all, and the requests on the firewall stopped.
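The firewall-log triage described in this post, as an added example that is not part of the thread: instead of grepping raw text, it parses the KEY=VALUE fields of netfilter log lines, keeps DROP/REJECT entries from LAN sources on ports outside the expected set, and counts them per host and port. The log lines, host name, zone names and addresses below are constructed for the example and only imitate the journalctl output format.

```python
import re
from collections import Counter

# Constructed journalctl/netfilter lines: host name, zone names and addresses are
# made up for this example and only imitate the log format the command above greps.
SAMPLE_LOG = """\
Jan 25 12:00:05 fw kernel: Shorewall:loc2net:DROP:IN=br0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51234 DPT=8080
Jan 25 12:00:06 fw kernel: Shorewall:loc2net:ACCEPT:IN=br0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51235 DPT=443
Jan 25 12:00:07 fw kernel: Shorewall:loc2net:DROP:IN=br0 OUT=eth1 SRC=192.168.1.53 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40001 DPT=20
Jan 25 12:00:08 fw kernel: Shorewall:loc2net:REJECT:IN=br0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51236 DPT=8080
Jan 25 12:00:09 fw kernel: Shorewall:loc2net:DROP:IN=br0 OUT=eth1 SRC=192.168.1.77 DST=198.51.100.3 LEN=76 PROTO=UDP SPT=5353 DPT=53
Jan 25 12:00:10 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.44 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=6000 DPT=22
"""

# Ports the post treats as expected outbound traffic: HTTP, HTTPS, NTP, DNS.
EXPECTED_PORTS = {80, 443, 123, 53}
LAN_PREFIX = "192.168."

KV = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=VALUE tokens of a netfilter line
ACTION = re.compile(r"\b(DROP|REJECT|ACCEPT)\b")


def parse_line(line):
    """Split one log line into its netfilter fields, or return None if it has none."""
    fields = dict(KV.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    act = ACTION.search(line)
    fields["ACTION"] = act.group(1) if act else None
    fields["DPT"] = int(fields["DPT"])
    return fields


def find_suspicious(log_text, expected_ports=EXPECTED_PORTS, lan_prefix=LAN_PREFIX):
    """Dropped/rejected packets from a LAN source on a port outside the expected set.

    Comparing the parsed DPT value, not the raw text, avoids two traps of the grep
    form: 'DPT=80' also matches DPT=8080, and a bare '53' also matches
    SRC=192.168.1.53, which would silently hide exactly the hosts being hunted.
    """
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["ACTION"] not in ("DROP", "REJECT"):
            continue
        if not f["SRC"].startswith(lan_prefix) or f["DPT"] in expected_ports:
            continue
        hits.append((f["SRC"], f["DPT"], f.get("PROTO"), f["ACTION"]))
    return hits


def summarize(log_text):
    """Count (source host, destination port) pairs so the noisiest hosts stand out."""
    return Counter((src, dpt) for src, dpt, _, _ in find_suspicious(log_text))


if __name__ == "__main__":
    for (src, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{src:<16} DPT={dpt:<6} {n} blocked")
```

Feed it real output with `journalctl -k -S '2019-01-25 12:00:00'` piped into the script's stdin, or adapt LAN_PREFIX and EXPECTED_PORTS to the site; the per-host counts give the short list of machines to visit with netstat and tasklist as described above.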

One thing I noticed from all these messages is that all of them have the FORGED_SENDER symbol.

@mrmarkuz could you tell me how to do this? Also, could you give a link to some tutorials about rspamd?

If I want to reject all mails marked with the FORGED_SENDER symbol, how much should I increase its value?

Just move the mail from inbox to junk to mark as spam:

http://docs.nethserver.org/en/v7/mail.html#anti-spam

Rspamd tutorial:

https://rspamd.com/doc/tutorials/

Rspamd score of 20 rejects the mail completely.

2 Likes