Some of my users have been getting unwanted mails with malware; the sender addresses of these mails have this in common:
some.known.user@some.known.domain.user.attacker@attacker.domain
For example:
rosario@konfort.cucancun@jbge.com.mx
rosario@konfort.cu is the mail address that is known to my user.
These mails have some random description like:
Please review the following invoice
and a .doc file which contains some kind of malware.
I have the anti-spam and anti-virus features enabled, yet these messages keep getting through. Is there a rule or something I can do to stop this?
Since these mails have an @ in the user part of the address, maybe a rule might stop them. Any ideas?
You may have a look at the rspamd web interface “history” tab and check if the bad mails trigger some symbols. Then you could increase the score for the relevant symbols.
# Refuse bad addresses with an @ in the username part of the email address
FROM_REGEX {
  type = "from";
  map = [
    "${CONFDIR}/BadUsersFrom.map",
  ];
  action = "reject";
  prefilter = true;
  filter = "email:addr";
  symbol = "FROM_BADUSERS";
  description = "Refused list of bad users in the FROM email address";
  regexp = true;
}
then create a map… YOU MUST ADD A BLANK LINE AT THE END
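As an added example (not from the thread or from rspamd itself), the same "unquoted local part containing @" check applied to a few constructed From: header values, so you can see what a regexp like the one in the map would match and what it should leave alone. The regexp-map syntax quoted in the comment is an assumption, not taken from the thread; a quoted local part such as "a@b"@example.com may legally contain @ and is treated as a separate case.

```python
import re

# Constructed sample From: header values. The first mirrors the pattern from the
# thread (a known address glued onto the attacker's address); the rest are controls.
SAMPLE_FROM_HEADERS = [
    '"Rosario" <rosario@konfort.cucancun@jbge.com.mx>',
    'Rosario <rosario@konfort.cu>',
    '"a@b"@example.com',          # quoted local part: '@' inside the quotes is legal
    'invoice@example.org@attacker.example',
    'not-an-address',
]

# A quoted local part followed by exactly one separator '@' and a domain.
QUOTED_LOCAL = re.compile(r'^"(?:[^"\\]|\\.)*"@[^@\s]+$')
# Two or more '@' in an address whose local part is not quoted: the pattern the
# map rejects. A comparable rspamd regexp-map entry would be /^[^"]*@[^"]*@/
# (map entry syntax assumed here, not quoted from the thread).
NESTED_AT = re.compile(r'^[^"@\s]*@[^"@\s]*@')

def extract_addr(header):
    """Return the addr-spec of a From: value: the <...> part if present, else the whole value."""
    m = re.search(r'<([^<>]*)>', header)
    return (m.group(1) if m else header).strip()

def verdict_for(addr):
    """'reject' when an unquoted local part contains '@', 'ok' for a normal or
    quoted-local-part address, 'unparseable' when there is no '@' at all."""
    if QUOTED_LOCAL.match(addr):
        return 'ok'
    if NESTED_AT.match(addr):
        return 'reject'
    return 'ok' if addr.count('@') == 1 else 'unparseable'

def classify_headers(headers):
    """Map each From: value to (address, verdict)."""
    return [(extract_addr(h), verdict_for(extract_addr(h))) for h in headers]

def rejected_addresses(headers):
    """Only the addresses the FROM_BADUSERS-style rule would reject."""
    return [addr for addr, v in classify_headers(headers) if v == 'reject']

if __name__ == '__main__':
    for addr, v in classify_headers(SAMPLE_FROM_HEADERS):
        print(f'{v:12} {addr}')
```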
It’s an Emotet variant; clamav is dealing with it. All hail the mighty ClamAV!!!
I’m dealing with this Trojan on Windows PCs. I went into lockdown mode (drop every request from the green zone to the red zone except for specific services, enable logging for the firewall rules) and started to check every request having a LAN IP and some strange port (8080, 20, 22, 5000, etc.), like this:
# Starting from 2019-01-25 12:00:00, show every dropped or rejected LAN IP routing; exclude DNS, HTTP, HTTPS and NTP destination ports
journalctl -x -S '2019-01-25 12:00:00' | grep 'SRC=192.168' | grep -Ev 'DPT=(80|443|123|53)( |$)' | grep -E 'DROP|REJECT' | grep -E 'DPT|SRC'
then I went to every one of the affected PCs and, using:
:: shows the PID that owns the connection on that port
netstat -ano | findstr :yourPortNumber
:: resolves that PID to a process name
tasklist /FI "PID eq yourProcessPID"
I found weird processes (*.exe with a recent modified/created date in C:\Windows and C:\Windows\SysWOW64) on those computers, so I did some digging on the Internet and none of these apps had anything to do with Windows, so I deleted them all, and the requests on the firewall stopped.