Anti spam

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
We're getting slammed with spam with attachments that contain variants of Cryptolocker. Somebody somewhere must have clicked something in an email and now it's a constant onslaught. Users have been briefed not to open these attachments, but at this point we need it to stop. Can't have someone accidentally clicking one of these things, and additionally it's annoying as shit to have your phone constantly going off.

I run pfsense here and the postfix/mailscanner just isn't cutting it. I have pfblocker installed blocking the top spamming countries as well as 12 or so custom lists of known spam IPs.

mailscanner isn't catching it because it runs off ClamAV. ClamAV is not detecting these as viruses while all other major AVs are flagging it.

I haven't looked at Untangle in a long time and they seem to have changed their packaging scheme. What I do remember though is that their "free" system back then also used ClamAV. So I'm not so sure that anything that uses ClamAV as the AV engine is going to work.

I even uploaded one of the viruses to my webserver at home and downloaded it through the HTTP virus scanner on pfsense and it passes right through. Workstation AV catches it, but it goes right through the AV scanner.

What are you guys using? What can you suggest?

Thanks.
 

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
Looking at Barracuda they claim their anti-spam is completed via IP lists.

I have a hard time believing their lists are more comprehensive than the community generated/maintained lists I'm currently using in pfblocker. There is no mention of what underlying AV software they use, unless it's custom.
 

dave99

2[H]4U
Joined
Jan 20, 2011
Messages
2,129
Are you allowing executables as attachments? There shouldn't be a way to 'accidentally' click on cryptolocker, strip it out in mailscanner.

I had a client suffer kind of the same thing a couple months ago, basically a spam DOS attack. I had to take out his fortigate firewall and drop in a pfsense box so I could use pfblocker. Basically walling off the rest of the world was the only way to get his DSL connection usable again.
 

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
The attachment comes through as a zip. An executable is inside. I can't not allow zips. Using IP lookups I'm finding that a lot of the spam is coming from inside the US. I can't block that country! hah.
 

dave99

2[H]4U
Joined
Jan 20, 2011
Messages
2,129
It can still look inside zips, I allow those also, but if it has an executable in the zip, or is a password protected zip it gets blocked.
 

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
It can still look inside zips, I allow those also, but if it has an executable in the zip, or is a password protected zip it gets blocked.

I must be doing something wrong in my config. Care to share yours?
 

dave99

2[H]4U
Joined
Jan 20, 2011
Messages
2,129
I think most of mine is default. The ones to look for are probably:
Maximum Archive Depth = 8
Find Archives By Content = yes
Allow Password-Protected Archives = no
Filetype Rules = %etc-dir%/filetype.rules.conf

Here is the whole mailscanner.conf
http://pastebin.com/SuWx7rkb

then in filetype.rules.conf make sure you have:
deny executable No executables No programs allowed

and in filename.rules.conf
deny \.com$ Windows/DOS Executable
deny \.exe$ Windows/DOS Executable

plus a whole lot of others should be in there by default.

edit: this one is probably important also
Dangerous Content Scanning = %rules-dir%/content.scanning.rules

maybe that is set to no? My content.scanning.rules file exists, but is blank, so I'm guessing that is equivalent to yes.
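To make the settings in that post concrete, here is an added example (written for this page, not MailScanner's own code) that applies the same policy to a raw message: recurse into archives up to a depth limit, refuse password-protected archives, and deny executables both by filename rule and by content. The rule strings, the "MZ" magic check and the sample messages are assumptions constructed for the demo; the depth semantics are an approximation of MailScanner's setting, not a copy of its implementation.

```python
# Added example, not MailScanner code: an attachment policy check that mirrors
# "Maximum Archive Depth", "Allow Password-Protected Archives", "Find Archives
# By Content" and the filetype/filename deny rules discussed in the thread.
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_ARCHIVE_DEPTH = 8            # "Maximum Archive Depth = 8"
ALLOW_PASSWORD_ARCHIVES = False  # "Allow Password-Protected Archives = no"

# filename.rules.conf style: (pattern, reason). A small subset of the stock rules.
FILENAME_DENY = [
    (re.compile(r"\.com$", re.I), "Windows/DOS Executable"),
    (re.compile(r"\.exe$", re.I), "Windows/DOS Executable"),
    (re.compile(r"\.scr$", re.I), "Possible virus hidden in a screensaver"),
]

def is_pe_executable(data: bytes) -> bool:
    # "deny executable" by content: DOS/Windows executables start with 'MZ'.
    return data[:2] == b"MZ"

def is_zip(data: bytes) -> bool:
    # "Find Archives By Content = yes": trust the magic bytes, not the extension.
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")

def check_blob(name: str, data: bytes, depth: int = 0) -> list:
    """Return (name, reason) denials for one attachment, recursing into zips."""
    denials = [(name, why) for rx, why in FILENAME_DENY if rx.search(name)]
    if is_pe_executable(data):
        denials.append((name, "No executables (content check)"))
    if is_zip(data):
        if depth >= MAX_ARCHIVE_DEPTH:           # assumed depth semantics
            return denials + [(name, "Archive nested too deep")]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = f"{name}/{info.filename}"
                    if info.flag_bits & 0x1:     # general-purpose bit 0: encrypted
                        if not ALLOW_PASSWORD_ARCHIVES:
                            denials.append((inner, "Password-protected archive"))
                        continue                 # cannot look inside anyway
                    denials += check_blob(inner, zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            denials.append((name, "Corrupt archive"))
    return denials

def check_message(raw: bytes) -> list:
    """Apply the rules to every attachment of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    denials = []
    for part in msg.walk():
        fname = part.get_filename()
        if part.is_multipart() or not fname:
            continue                             # container or body text
        denials += check_blob(fname, part.get_payload(decode=True) or b"")
    return denials

# --- constructed test data (hypothetical; not a real spam sample) -----------
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60          # PE magic only, runs nothing

def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, data in entries.items():
            zf.writestr(fname, data)
    return buf.getvalue()

def nest_zip(blob: bytes, name: str, levels: int) -> bytes:
    """Wrap blob in `levels` zips, zip-in-zip style."""
    for _ in range(levels):
        blob, name = make_zip({name: blob}), "inner.zip"
    return blob

def mark_encrypted(zip_bytes: bytes) -> bytes:
    """zipfile cannot write encrypted archives, so set bit 0 of the
    general-purpose flag in every local and central header by hand."""
    out = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = out.find(sig)
        while i != -1:
            out[i + off] |= 1
            i = out.find(sig, i + 4)
    return bytes(out)

def build_sample(attachment_name: str, blob: bytes) -> bytes:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.invalid", "user@example.invalid", "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(blob, maintype="application", subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    for label, raw in [
        ("exe in zip", build_sample("invoice.zip", make_zip({"invoice.exe": FAKE_EXE}))),
        ("text in zip", build_sample("report.zip", make_zip({"report.txt": b"hello"}))),
        ("zip named .pdf", build_sample("invoice.pdf", make_zip({"invoice.exe": FAKE_EXE}))),
        ("password zip", build_sample("invoice.zip", mark_encrypted(make_zip({"invoice.exe": FAKE_EXE})))),
        ("9-deep zip", build_sample("deep.zip", nest_zip(FAKE_EXE, "invoice.exe", 9))),
    ]:
        print(label, "->", check_message(raw) or "allowed")
```

The point the demo makes is the one in the post: a zip containing a .txt passes, a zip containing an .exe is denied even when the attachment is renamed to .pdf (the archive is found by content), a password-protected zip is denied without being opened, and an archive nested past the depth limit is denied rather than silently skipped.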
 

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
Are you running your own mail server? If so take a look at this setup: http://www.wizcrafts.net/chinese-iptables-blocklist.html I have done this to my own mail server and it stopped all the spam, and I also added Barracuda anti spam/virus to the setup and it slowed all the spam to a stop.

Currently using these lists:
100904 CIDRs

http://list.iblocklist.com/?list=sh_drop&fileformat=p2p
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
http://list.iblocklist.com/?list=tor&fileformat=p2p
http://list.iblocklist.com/?list=bt_hijacked&fileformat=p2p
http://list.iblocklist.com/?list=bt_dshield&fileformat=p2p
http://list.iblocklist.com/?list=tor&fileformat=p2p
http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p
http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p
http://list.iblocklist.com/?list=tbnuqfclfkemqivekikv&fileformat=p2p
http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p
http://list.iblocklist.com/?list=tor&fileformat=p2p
http://list.iblocklist.com/?list=npkuuhuxcsllnhoamkvm&fileformat=p2p
http://list.iblocklist.com/?list=pbqcylkejciyhmwttify&fileformat=p2p
http://list.iblocklist.com/?list=ynkdjqsjyfmilsgbogqf&fileformat=p2p
http://list.iblocklist.com/?list=zvjxsfuvdhoxktpeiokq&fileformat=p2p
http://list.iblocklist.com/?list=erqajhwrxiuvjxqrrwfj&fileformat=p2p
http://list.iblocklist.com/?list=tor&fileformat=p2p
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
http://list.iblocklist.com/?list=tor&fileformat=p2p
http://list.iblocklist.com/?list=bt_templist&fileformat=p2p
http://list.iblocklist.com/?list=tor&fileformat=p2p
http://www.ciarmy.com/list/ci-badguys.txt

Keep in mind that the Emerging Threats lists are from rules in Snort. It's recommended to disable those snort rules and to use the lists instead in pfblocker.

EDIT: with your list I'm blocking another 889
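The lists above come in two formats (the iblocklist "p2p" format of `name:start-end` ranges, and the Emerging Threats / CINS style of one IP or CIDR per line), and the same tor list appears several times. As an added example that is not from the thread or from pfBlocker, here is a small aggregator that parses both formats, collapses duplicates and overlapping ranges, and answers "is this sender IP blocked?" offline. The list excerpts are constructed sample data using documentation address space, not the live feeds; IPv6 in p2p format is assumed not to occur, since the range is split on the last colon.

```python
# Added example (not pfBlocker or iblocklist code): merge IP block lists of
# the two formats linked in the thread and de-duplicate them.
import ipaddress

# Constructed excerpts in the two formats; addresses are documentation ranges.
P2P_SAMPLE = """\
# iblocklist p2p format: description:first-last
Tor exit:198.51.100.10-198.51.100.10
Tor exit:198.51.100.20-198.51.100.23
"""
PLAIN_SAMPLE = """\
# Emerging Threats / CINS style: one IP or CIDR per line
203.0.113.0/24
203.0.113.77      # already inside the /24 above
198.51.100.20     # already inside the Tor range above
"""

def parse_p2p(text: str) -> list:
    """p2p lines are 'name:start-end'; the name may itself contain colons,
    so split on the last one (assumes IPv4 ranges only)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _name, _, rng = line.rpartition(":")
        start, _, end = rng.partition("-")
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets

def parse_plain(text: str) -> list:
    """One address or CIDR per line; '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def merge(*lists) -> list:
    """Collapse duplicates and subsumed ranges, e.g. the same tor list
    loaded six times or a /32 already covered by a /24."""
    nets = [n for lst in lists for n in lst]
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out

def covered_addresses(nets) -> int:
    return sum(n.num_addresses for n in nets)

def is_blocked(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

if __name__ == "__main__":
    table = merge(parse_p2p(P2P_SAMPLE), parse_p2p(P2P_SAMPLE), parse_plain(PLAIN_SAMPLE))
    print(len(table), "networks covering", covered_addresses(table), "addresses")
    for n in table:
        print(n)
    print("198.51.100.22 blocked:", is_blocked("198.51.100.22", table))
```

Running it shows the effect of collapsing: the two p2p ranges plus the three plain entries reduce to three networks, and loading the p2p list twice changes nothing, which is why the raw line count of a list set overstates what it actually covers.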
 