Locky: filter sender domain (solved!)

This forum is for all Copfilter v2 support requests in German. (IPCop version 2)

Locky: filter sender domain (solved!)

Postby cjmatsel » 08 Mar 2016 07:32

Hi and good morning,

I'm noticing that many Locky mails get through to us, and the "DATA-FROM" field shows an internal but invalid mail address. Couldn't such mails simply be filtered out in ProxSMTP? My idea: take the domain list in the Copfilter ProxSMTP, and block every mail whose DATA-FROM contains one of those domains if the sending IP address is not the internal mail server. What do you think? Here is an example mail:
Code:
220 mailserver.local ESMTP MAIL Service ready at Tue, 8 Mar 2016 06:25:45 +0100

HELO computername
250 mailserver.local Hello [192.168.90.2]

MAIL From:<beliebig@domain.de>
250 2.1.0 Sender OK

RCPT To:<ziel@domain.de>
250 2.1.5 Recipient OK

DATA
354 Start mail input; end with <CRLF>.<CRLF>
From: "Donld Duck" <donald.duck@entenhausen.de>
To: "Micky Maus" <micky.maus@entenhausen.de>
Subject: test von CJ

test von CJ mit Virus

.
250 2.6.0 <48ea83bd-98d1-422c-9ba3-43a766e4be0e@mailserver.local> [InternalId=1051196] Queued mail for delivery

RSET
250 2.0.0 Resetting

QUIT
221 2.0.0 Service closing transmission channel


cu,
cjmatsel
Last edited by cjmatsel on 22 Mar 2016 11:58, edited 1 time in total.
Posts: 46
Joined: 05 Jan 2010 18:16

Re: Locky: filter sender domain

Postby ShelbyGT500 » 13 Mar 2016 19:51

Hi,

Personally, I'm blocking these mails with special rules for SpamAssassin, to block messages with suspicious content (zip, pdf, .doc...) and a suspicious sender or body.

Regards.

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Locky: filter sender domain

Postby cjmatsel » 14 Mar 2016 13:44

How do you know who is a "suspicious sender"? This is an estimated value...

I want to block all senders if the server is not mine AND the domain is mine, and so on. (Sorry for my English; do you understand me?)
cjmatsel
 
Posts: 46
Joined: 05 Jan 2010 18:16

Re: Locky: filter sender domain

Postby ShelbyGT500 » 14 Mar 2016 22:37

Hi,

cjmatsel wrote: How do you know who is a "suspicious sender"?
I have generic rules. These mails are always the same: attachment + typical keywords (for example "Bank of America", "see attachment" ...)
But sometimes it is not blocked. Then I add the new rules after receiving a first suspicious mail.

cjmatsel wrote: I want to block all senders if the server is not mine AND the domain is mine, and so on
OK. I understand. I'm going to search ;)

Regards.

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Locky: filter sender domain

Postby cjmatsel » 18 Mar 2016 13:22

Hi ShelbyGT500,
Do you have any news?
cjmatsel
 
Posts: 46
Joined: 05 Jan 2010 18:16

Re: Locky: filter sender domain

Postby ShelbyGT500 » 18 Mar 2016 21:22

Hi,

cjmatsel wrote: Do you have any news?
:D No...
Note that I have a few things to do between two comments on the forum :D
(I also have a job and a family :D )

Regards.

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Locky: filter sender domain

Postby ShelbyGT500 » 20 Mar 2016 23:10

Hi cjmatsel,

cjmatsel wrote: I want to block all senders if the server is not mine AND the domain is mine, and so on
Have a try with this: I think it should work by adding these simple rules for SpamAssassin:

Add these lines to /var/log/copfilter/default/opt/mail-spamassassin/etc/mail/spamassassin/local.cf
Code:
##### FILTER MY DOMAIN
include updates_spamassassin/my_domain_rules.cf

Create a new file "my_domain_rules.cf" in /var/log/copfilter/default/opt/mail-spamassassin/3.4.0/share/spamassassin
Add this (as an example; replace the domain with your own domain name)
Code:
######## SERVER MYDOMAIN RULES
#
#
#
#### CHECK IF SENDER IS COMING FROM MY_DOMAIN
header YOUR_DOMAIN_SENDER  FROM =~ /yourdomain\.de/i
describe YOUR_DOMAIN_SENDER  Sender is from yourdomain.de, suspicious (!!!)
score YOUR_DOMAIN_SENDER 100.0

#### CHECK IF MY SERVER IS USED
header YOUR_DOMAIN Received =~ /yourdomain\.de/i
describe YOUR_DOMAIN Relayed with yourdomain.de, safe
score YOUR_DOMAIN -100.0

Then type in the shell
Code:
/var/log/copfilter/default/opt/mail-spamassassin/default/bin/spamassassin --lint
to check that everything is OK. If it is, then restart SpamAssassin.

The first rule checks if the sender is from your domain. SpamAssassin score is +100.
The second rule checks if your server is used. SpamAssassin score is -100.
If that is the case, -100 + 100 = 0, no spam for these two rules, mail is safe.

Regards.

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Locky: filter sender domain

Postby benscha » 21 Mar 2016 16:12

Hi ShelbyGT500,

This rule looks pretty cool! How can I expand this rule when we use more than one mail domain?

Thanks for a short feedback


benscha
Posts: 29
Joined: 21 Jan 2014 11:52

Re: Locky: filter sender domain

Postby cjmatsel » 21 Mar 2016 18:06

Hi,
Nice feature! Thanks! But why don't you use the "SMTP_DOMAIN" from copfilter_smtp.cgi instead?
;)

edit: I get the warning below:
Code:
Mar 21 17:07:44.671 [32165] warn: config: SpamAssassin failed to parse line, "YOUR_DOMAIN_SENDER +100.0" is not valid for "score", skipping: score YOUR_DOMAIN_SENDER +100.0
Mar 21 17:07:50.361 [32165] warn: lint: 1 issues detected, please rerun with debug enabled for more information
cjmatsel
 
Posts: 46
Joined: 05 Jan 2010 18:16

Re: Locky: filter sender domain

Postby ShelbyGT500 » 21 Mar 2016 23:30

Hi,
cjmatsel wrote:
Code:
Mar 21 17:07:44.671 [32165] warn: config: SpamAssassin failed to parse line, "YOUR_DOMAIN_SENDER +100.0" is not valid for "score", skipping: score YOUR_DOMAIN_SENDER +100.0
Mar 21 17:07:50.361 [32165] warn: lint: 1 issues detected, please rerun with debug enabled for more information
Replace +100.0 with 100.0 (without "+").

benscha wrote: How can I expand this rule when we use more than one mail domain?

Replace
Code:
header YOUR_DOMAIN_SENDER  FROM =~ /yourdomain\.de/i
with
Code:
header YOUR_DOMAIN_SENDER  FROM =~ /yourdomain\.de|yourdomain2\.de|yourdomain3\.de/i

and the same for
Code:
header YOUR_DOMAIN Received =~ /yourdomain\.de/i


Regards.

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE
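The two-rule scoring ShelbyGT500 describes in the post of 20 Mar (+100 when the From header carries one of your own domains, -100 when your own domain appears in Received, so legitimate mail nets 0) together with the multi-domain alternation from the reply above, re-created as an added Python example. This is not Copfilter's or SpamAssassin's own code; it only applies the same two checks to three constructed messages so the arithmetic can be followed offline. The protected domain entenhausen.de is a placeholder borrowed from the example mail in the first post; the Received lines, host names and IP addresses are constructed.

```python
import re
from email import message_from_string

# Placeholder list of protected domains (assumption: two domains, as in the
# multi-domain variant of the rule).  Edit to taste.
MY_DOMAINS = ["entenhausen.de", "yourdomain2.de"]

# Same alternation as /yourdomain\.de|yourdomain2\.de/i, built programmatically so
# every dot is escaped.  The look-arounds reject "notentenhausen.de" while still
# accepting sub-domains such as mail.entenhausen.de (the forum rule has neither).
DOMAIN_RE = re.compile(
    r"(?<![\w-])(?:" + "|".join(re.escape(d) for d in MY_DOMAINS) + r")(?![\w-])",
    re.IGNORECASE,
)

# Scores exactly as in my_domain_rules.cf from the thread.
RULES = {
    "YOUR_DOMAIN_SENDER": 100.0,   # header From matches a protected domain
    "YOUR_DOMAIN": -100.0,         # header Received matches a protected domain
}
THRESHOLD = 5.0  # SpamAssassin's default required_score


def hits(msg):
    """Return the names of the rules that fire, in the order of the .cf file."""
    fired = []
    if DOMAIN_RE.search(msg.get("From", "")):
        fired.append("YOUR_DOMAIN_SENDER")
    # All Received headers are checked here (a message normally has several).
    received = "\n".join(msg.get_all("Received", []))
    if DOMAIN_RE.search(received):
        fired.append("YOUR_DOMAIN")
    return fired


def score(raw_message):
    """Total score and the list of fired rules for one RFC 5322 message text."""
    fired = hits(message_from_string(raw_message))
    return sum(RULES[name] for name in fired), fired


def is_spam(raw_message):
    total, _ = score(raw_message)
    return total >= THRESHOLD


# Constructed sample 1: Locky-style mail, From spoofed to our domain, delivered
# straight from an outside host, so our own domain never appears in Received.
SPOOFED = """\
Received: from unknown (HELO computername) ([203.0.113.7])
        by mailserver.local with SMTP; Tue, 8 Mar 2016 06:25:45 +0100
From: "Donld Duck" <donald.duck@entenhausen.de>
To: "Micky Maus" <micky.maus@entenhausen.de>
Subject: test

see attachment
"""

# Constructed sample 2: same sender, but relayed by our own mail server, whose
# host name is in a protected domain, so the -100 rule cancels the +100.
LEGIT = """\
Received: from mail.entenhausen.de (mail.entenhausen.de [192.0.2.10])
        by mailserver.local with ESMTP; Tue, 8 Mar 2016 06:30:00 +0100
From: "Donald Duck" <donald.duck@entenhausen.de>
To: "Micky Maus" <micky.maus@entenhausen.de>
Subject: real mail

hello
"""

# Constructed sample 3: ordinary external mail, neither rule applies.
EXTERNAL = """\
Received: from mx.example.org (mx.example.org [198.51.100.5])
        by mailserver.local with ESMTP; Tue, 8 Mar 2016 06:35:00 +0100
From: "Someone" <someone@example.org>
To: "Micky Maus" <micky.maus@entenhausen.de>
Subject: external

hi
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("external", EXTERNAL)):
        total, fired = score(raw)
        print(f"{label:8s} score={total:+6.1f} rules={fired} spam={is_spam(raw)}")
```

Running the block prints the spoofed message at +100 (spam), the relayed one at 0 (both rules fired) and the external one at 0 (no rule fired), which is the "-100 + 100 = 0" case explained in the post. One thing to keep in mind when deploying the real rules: both headers are free text written by whoever submits the mail, so a Received line that merely mentions your domain can also be forged; tying the -100 to something only your own relay produces (its own host name or internal address in the Received line it adds, or SpamAssassin's trusted_networks/internal_networks settings) makes the negative score harder to earn from outside.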
