Unwanted mail with malware

Support
, , ,
#1

NethServer Version: 7.6.1810
Module: nethserver-mail 2.4.3-1 | clamav 0.101.0-1 | rspamd 1.8.2-2 | dovecot-antispam 0.0.49-3

Some of my users have been getting unwanted mails with malware, this mails addresses has this in common:
some.known.user@some.known.domain.user.attacker@attacker.domian.
For example:
rosario@konfort.cucancun@jbge.com.mx

rosario@konfort.cu is the mail address that is known to my user

This mails some random description like:
Please review the following invoice

And a .doc file which contains some kind of malware.

I have Anti-spam and Anti-virus features enabled, yet this messages keep getting through. Is there a rule or something I can do to stop this.

Since this mails has a @ on the user, maybe a rule might stop them. Any ideas?

1 Like
#2

I didn’t find a rule/symbol but did you try to mark these mails as spam?

Another (radical) way would be to block attachments.

You may have a look at the rspamd web interface “history” tab and check if the bad mails trigger some symbols. Then you could increase the score for the relevant symbols.

1 Like
#3

@jfernandez could you please share the malware name?
Did you consider to submit to clamav the samples or test the file with virustotal?

3 Likes
#4

you could try to create a multimap rule in a fragment template

/etc/e-smith/templates/etc/rspamd/local.d/multimap.conf/20BadUsers

#Refuse bad address with @ in the username of email address
FROM_REGEX {
    type = "from";
    map = [
    "${CONFDIR}/BadUsersFrom.map",
    ];
    action = "reject";
    prefilter = true;
    filter = "email:addr";
    symbol = "FROM_BADUSERS";
    description = "Refused list of Bad users FROM email address";
    regexp = true;
}

then create a map…YOU MUST ADD A BLANCK LINE AT THE END

# cat /etc/rspamd/BadUsersFrom.map
/.*@.*@.*\..*$/

then launch the event

signal-event nethserver-mail-filter-save

as a side note we could start some rules to refuse bad email address @davidep @giacomo

#5

Shouldn’t that work also by setting it in the Rspamd UI?

#6

why not but we miss this at minimal in our map setting

#7

and change also the validator

#8

…it seems a dangerous default :smiley:

1 Like
#9

It’s a Emotet variant, clamav is dealing with it. All hail the mighty ClamAV !!!

I’m dealing with this Trojan on Windows PC, I went on lockdown mode (drop every request from green zone to red zone except for specific services, enable log for rules on firewall) and started to check every request having a LAN IP and some strange port (8080, 20, 22, 5000, etc), like this

// Starting on date/time 2019-01-25 12:00:00, show me every dropped or rejected LAN IP routing, exclude (DNS, HTTP, HTTPS, NTP)
journalctl -x -S '2019-01-25 12:00:00' | grep 'SRC=192.168' | egrep -v 'DPT=80|443|123|53' | egrep 'DROP|REJECT' | egrep 'DPT|SRC'

then I went to everyone of this affected PC and using:

netstat -ano | findstr :yourPortNumber // Gives you a PID
tasklist | findstr yourProccessPID // Gives you a proccess name

I found weird ( *.exe with recent modified/created date on C:\Windows and C:\Windows\SysWOW64) processes on those computers, so I did some digging on Internet and none of this apps have something to do with Windows, so I deleted them all, and the requests on the firewall stopped.

#10

One thing I noticed from all this messages is that all of them have the FORGED_SENDER symbol

@mrmarkuz could you tell me how to do this? Also, please give a link to some tutorials about rspam ?

If I want to reject all mails marked with FORGED_SENDER symbol, how much should I increase his value?

#11

Just move the mail from inbox to junk to mark as spam:

http://docs.nethserver.org/en/v7/mail.html#anti-spam

Rspamd tutorial:

https://rspamd.com/doc/tutorials/

Rspamd score of 20 rejects the mail completely.

2 Likes