Virus attack on my mail: OLETOOLS_FAIL

Recently our NethServer 7 was attacked by spam and viruses. I checked Rspamd/History and found the following:

FROM_NEQ_DISPLAY_NAME (4) [nuri.com.my,kreditevi.az]
MISSING_MID (2.5)
RECEIVED_SPAMHAUS_XBL (2) [41.212.95.22:received]
MX_INVALID (0.5)
MIME_HTML_ONLY (0.2)
BAD_REP_POLICIES (0.1)
MIME_GOOD (-0.1) [multipart/mixed]
HAS_X_SOURCE (0)
IP_REPUTATION_HAM (0) [asn: 36351(-0.30), country: US(-0.01), ip: 119.81.90.226(0.00)]
DKIM_TRACE (0) [nuri.com.my:+]
ASN (0) [asn:36351, ipnet:119.81.64.0/18, country:US]
TO_DN_ALL (0)
RCVD_VIA_SMTP_AUTH (0)
RCVD_TLS_ALL (0)
HAS_X_GMSV (0) [enquiry@nuri.com.my]
R_SPF_ALLOW (0) [+a]
RCVD_COUNT_TWO (0) [2]
HAS_X_AS (0) [enquiry@nuri.com.my]
GREYLIST (0) [pass,body]
NEURAL_SPAM (0) [1.488]
FROM_EQ_ENVFROM (0)
DMARC_NA (0) [nuri.com.my]
R_DKIM_ALLOW (0) [nuri.com.my:s=default]
HAS_X_ANTIABUSE (0)
OLETOOLS_FAIL (0) [failed to scan, maximum retransmits exceed - err: RETURN_PARSE_ERROR]
FROM_HAS_DN (0)
RCPT_COUNT_ONE (0) [1]
MIME_TRACE (0) [0:+,1:~,2:~]
TO_MATCH_ENVRCPT_ALL (0)
HAS_ATTACHMENT (0)

And there is an attached file “somefilename.doc” which is infected with a virus.
Would you help advise how to fix this?
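
In the history above, OLETOOLS_FAIL carries a weight of 0, so a message whose attachment could not be scanned is treated exactly like a clean one. Rspamd's force_actions module can turn that scanner failure into a temporary rejection, so the sending MTA retries later instead of the message being delivered unscanned. The fragment below is an added example, not configuration from NethServer or from anyone in this thread; the rule name, the message text and the file path are assumptions, and CLAM_VIRUS_FAIL is included because the same pattern applies to the ClamAV failure symbol discussed later in the thread.

```ucl
# Assumed path: /etc/rspamd/local.d/force_actions.conf (rspamd's local.d override directory).
rules {
  # Hypothetical rule name: fire when a scanner reported a failure instead of a verdict.
  SCANNER_UNAVAILABLE {
    expression = "OLETOOLS_FAIL | CLAM_VIRUS_FAIL";
    # "soft reject" answers 4xx, so the remote MTA queues the mail and retries; nothing is lost.
    action = "soft reject";
    message = "Attachment scanner temporarily unavailable, please retry later";
    # Leave a harder verdict in place if one was already reached (e.g. a confirmed virus hit).
    honor_action = ["reject"];
  }
}
```

Two caveats for a practitioner: the error text “maximum retransmits exceed” points at the antivirus module's `retransmits` and `timeout` settings for the oletools scanner, so raising them in the oletools section of the antivirus configuration may reduce how often the symbol fires in the first place; and on NethServer the files under /etc/rspamd may be generated from templates, so verify that a local override survives a configuration regeneration before relying on it.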

I have also noticed that many times emails with office attachments containing viruses pass the rspamd/oletools filter with the same error.

I have “solved” it by rejecting all office documents and sending an email reply asking the sender to send the documents compressed or to deposit them on the corporate Nextcloud.
I did not do it on NethServer but with a script on an hMailServer mail server interposed in the mail flow.

Thanks @saitobenkei. In that case, what about simple Doc or Xls files with no macros? Can we receive them?

No matter what the file contains, if it is an office document it is rejected in any case, with an email warning to both the sender and the recipient, unless the sender or the sender’s domain is in the whitelist.

It is time to start educating people not to send office documents as email attachments without compressing them or turning them into PDFs.

If it were up to me the emails would still be in pure text format without attachments…

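
The policy described above (reject every Office attachment regardless of content, unless the sender or the sender's domain is whitelisted) is easy to state but easy to get wrong if it only looks at file extensions. The script below is an added example written for this page; it is not @saitobenkei's hMailServer script and does not send the warning replies. The whitelist entries, addresses and attachment bytes are all constructed. It classifies attachments by extension and, so a renamed file does not slip through, by content: the OLE2 compound-file magic of legacy .doc/.xls/.ppt and the zip signature plus the `[Content_Types].xml` entry of OOXML files.

```python
import email
import email.policy
import email.utils
from email.message import EmailMessage

# Extensions the policy rejects: legacy OLE2 binaries, OOXML/zip-based formats
# (including the macro-enabled variants) and RTF, which Word also opens.
OFFICE_EXTENSIONS = {
    ".doc", ".dot", ".xls", ".xlt", ".xla", ".ppt", ".pot", ".pps",
    ".docx", ".docm", ".dotx", ".dotm", ".xlsx", ".xlsm", ".xltx", ".xltm", ".xlsb",
    ".pptx", ".pptm", ".potx", ".potm", ".ppsx", ".ppsm", ".rtf",
}

# Content signatures: OLE2 compound file header and zip local-file header.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Hypothetical whitelist: bare domains and exact addresses (constructed for this example).
WHITELIST = {"partner.example", "trusted@customer.example"}


def sender_whitelisted(sender, whitelist=WHITELIST):
    """True if the From address, or its domain, is whitelisted."""
    addr = email.utils.parseaddr(sender)[1].lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return addr in whitelist or domain in whitelist


def is_office_document(part):
    """Classify one MIME part by extension first, then by content signature."""
    name = (part.get_filename() or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in OFFICE_EXTENSIONS:
        return True
    payload = part.get_payload(decode=True) or b""
    if payload.startswith(OLE2_MAGIC):
        return True  # legacy binary Office file, whatever it is called
    if payload.startswith(ZIP_MAGIC) and b"[Content_Types].xml" in payload[:4096]:
        return True  # OOXML container; a plain .zip archive lacks this entry
    return False


def decide(raw):
    """Return ("accept" | "reject", [offending attachment names]) for one raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if sender_whitelisted(msg.get("From", "")):
        return "accept", []
    offending = [p.get_filename() or "<unnamed>"
                 for p in msg.iter_attachments() if is_office_document(p)]
    return ("reject" if offending else "accept"), offending


def build_message(sender, attachments):
    """Construct a sample message (test data, not real mail) with the given attachments."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    # A renamed legacy document is still caught by its OLE2 header.
    renamed = build_message("sender@example.test", [("report.pdf", OLE2_MAGIC + b"\x00" * 64)])
    print(decide(renamed))
```

The decision function only returns a verdict; wiring it into the mail flow (the 5xx reply, the warning mails to sender and recipient) is left to the surrounding server, as in the original setup. Note that a compressed archive passes, which is exactly the loophole this policy accepts on purpose: it pushes the scanning burden to the recipient's desktop antivirus rather than the gateway.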

I found a post by @stephdl at this link https://github.com/rspamd/rspamd/issues/2899
Expected behavior
When you use a TCP socket, Rspamd expects that the service might not be reachable, so if the Clamd service does not answer, the symbol CLAM_VIRUS_FAIL is added (this symbol can be used to do a force_action afterwards). But when Rspamd cannot connect to the Unix socket of Clamd, apart from a maillog warning, nothing is done.

We would like to make a soft reject of emails if Rspamd cannot contact Clamd, this is our security mail policy.

The simple workaround is to use now a TCP socket with Clamd, but we wonder if it is not an issue to fix, for example if Postfix cannot use the Unix socket of Rspamd, the policy is to soft reject all received emails.

Any help appreciated,
I’m using
NethServer release 7.8.2003 (final)
rspamd 2.2
ClamAV 1.5.1

Below is rspamd.conf

[root@mail ~]# cat /etc/clamd.d/rspamd.conf
# Use system logger.
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
LogFacility LOG_MAIL

# This option allows you to save a process identifier of the listening
# daemon (main thread).
PidFile /var/run/clamd@rspamd/clamav.pid

# Remove stale socket after unclean shutdown.
# Default: disabled
FixStaleSocket yes

# Run as a selected user (clamd must be started by root).
User _rspamd

# Path to a local socket file the daemon will listen on.
LocalSocket /var/run/clamd@rspamd/clamav

#restrict permission
LocalSocketMode 770

Sorry, I do not understand the issue. IIRC when the clamav socket is not available then we already soft reject the email, except if the sender is known on the server (e.g., a user is using the server SMTP to send an email).

I’m working on a new olefy RPM version. Would you like to test it?

http://packages.nethserver.org/nethserver/7.8.2003/autobuild/x86_64/Packages/olefy-1.1.0-1.3.pr3.gfdcef30.ns7.x86_64.rpm

No problems found since yesterday here…


Thanks @davidep.
Anyway, before that I just updated Clam and kernel patches. It seems to detect OLE.

And today, 2020-09-13 12:59 GMT+7 (starting from 1:49 GMT+7),
I found a spam attack on the mail server (see pic). And I don’t know how to stop it.