Block Malware with Postfix header_checks, mime_header_checks and body_checks
# vi /etc/postfix/header_checks
# main.cf: header_checks = regexp:/etc/postfix/header_checks
#
# Postfix applies the first matching pattern to a header line and then moves on to
# the next header line, so the REJECT/REDIRECT rules must come before the catch-all
# /^Subject:/ WARN, which would otherwise consume every Subject line first.
#
# Reject senders whose local part begins with '#'
/^From:.*<#.*@.*>/ REJECT
/^Return-Path:.*<#.*@.*>/ REJECT
# Phishing and spam subjects. These patterns are unanchored, so they match the
# text in any header line, not only Subject.
/E-mail Storage Limit Exhausted/ REJECT
/Your email account was recently logged into from another computer/ REJECT
/Update Mail From Admin Server/ REJECT
/Urgent Mail From Server/ REJECT
/mailbox will be terminated after 24 hours/ REJECT
/hot g!rl want you!/ REJECT
/Your E-mail Account storage capacity is low/ REJECT
/The part-time employment/ REJECT
/Rapid-Acting Supplement For Outstanding Results/ REJECT
/Mail From Admin Server/ REJECT
/Your E-mail De-activation/ REJECT
#/invoice/ REJECT -----Subject/file attachment types not allowed [invoice]
#/scan/ REJECT -----Subject/file attachment types not allowed [scan]
#/PAYMENT/ REJECT -----Subject/file attachment types not allowed [Payment]
/my new photo/ REJECT
/Your mailbox is almost full/ REJECT
/account has been Blocked due to system error/ REJECT
/Mailbox Will Be Suspended!/ REJECT
/Your Account Will Be Blocked!/ REJECT
/WILL LOSE YOUR EMAIL ADDRESS/ REJECT
/add more MB to your mailbox/ REJECT
/Account will be Suspended soon/ REJECT
/UPGRADE IS FREE OFF CHARGE/ REJECT
/Validate Your Webmail Account/ REJECT
/incoming important 'Message' blocked/ REJECT
/Your account has been renewed/ REJECT
/Minimum Top-up Deposit Now/ REJECT
/Hello!/ REJECT
# Divert suspected payment fraud to a junk mailbox for review
/Bank of America/ REDIRECT junk.mail@worldcm.net
/Money transfer details/ REDIRECT junk.mail@worldcm.net
/PAYMENT CONFIRMATION/ REDIRECT junk.mail@worldcm.net
/New payment details and address update/ REDIRECT junk.mail@worldcm.net
/URGENT! PI unconfirmed issue/ REDIRECT junk.mail@worldcm.net
/almost reached their disk quota/ REDIRECT junk.mail@worldcm.net
/Payment status/ REDIRECT junk.mail@worldcm.net
# Log these headers (WARN) and strip headers that reveal internal hosts or the
# submitting client's address and software (IGNORE)
/^Subject:/ WARN
/^To:/ WARN
/^From:/ WARN
/^User-Agent:/ IGNORE
/^X-Mailer:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^Received: from 127.0.0.1/ IGNORE
/^Received:.*with ESMTPSA/ IGNORE
# vi /etc/postfix/main.cf
mime_header_checks = regexp:/etc/postfix/block_attachments

[root@mail ~]# vim /etc/postfix/block_attachments
# Matches name= and filename= in MIME headers; regexp: tables are case-insensitive by default.
# The original had stray spaces inside the alternation (e.g. "exe |fxp"), which broke those extensions.
/name=[^>]*\.(dll|afx|ini|dat|wdx|ade|adp|app|bas|bat|chm|cmd|cpl|crt|csh|exe|fxp|hlp|hta|inf|ins|isp|js|jse|ksh|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|ops|pcd|pif|prf|prg|pst|reg|scf|scr|sct|shb|shs|url|vb|vbe|vbs|wsc|wsf|wsh)/ REJECT ".$1" filetype not allowed
# vi /etc/postfix/body_checks
# main.cf: body_checks = pcre:/etc/postfix/body_checks
# (the patterns below use PCRE syntax such as \d, \s and (?:...), which a POSIX regexp: table does not support)
# Skip pflogsumm report lines
/^ {6,11}\d{1,6}[ km] / OK
/^ {4}blocked using / OK
/^begin\s+\d+\s+.+?\.(386|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|com|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xl.|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$1" Body filetype not allowed
/<\s*(object\s+data)\s*=/ REJECT Email with "$1" tags not allowed
/<\s*(script\s+language\s*="vbs")/ REJECT Email with "$1" tags not allowed
/<\s*(script\s+language\s*="VBScript\.Encode")/ REJECT Email with "$1" tags not allowed
Postfix mail server: block malware with a blacklist
--
It is a good idea to block URLs and websites that spread malware. Setting up a malware blacklist in the Postfix MTA is quite easy. The Malware Block List is a free, automated and user-contributed system for checking URLs for the presence of viruses, trojans, worms or any other software considered malware.
Create a blacklist
First you need to create a blacklist, type the following command:
# wget -O - 'https://lists.malwarepatrol.net/cgi/getfile?receipt=f1391767429&product=8&list=postfix' > /etc/postfix/mbl-body-deny
Here receipt= must be followed by your personal Malwarepatrol id, which you get once registered. Do not use f1391767429; it is for demo purposes only.
Configure Postfix
Open the Postfix main.cf config file:
# vi /etc/postfix/main.cf
Set the Postfix body_checks directive as follows:
body_checks = regexp:/etc/postfix/mbl-body-deny
# body_checks takes a list of tables; to keep the /etc/postfix/body_checks file from above as well, use:
# body_checks = pcre:/etc/postfix/body_checks, regexp:/etc/postfix/mbl-body-deny
Save and close the file.
Restart Postfix
Now just restart the postfix daemon:
# postmap /etc/postfix/mbl-body-deny
# systemctl restart postfix
# /etc/init.d/postfix restart
Automate procedure
mkdir -p /root/Documents/scripts
touch /root/Documents/scripts/fetch.postfixmalware.sh
chmod 755 /root/Documents/scripts/fetch.postfixmalware.sh
You need to set up a cron job to automate the entire procedure. Create a shell script as follows:
vi /root/Documents/scripts/fetch.postfixmalware.sh
#!/bin/bash
# Script to update malware urls
# Author: Vivek Gite <www.cyberciti.biz> under GPL v2.x+
# ---------------
# Set https://malwarepatrol.net/ ID here (it is free)
myid=""
[[ ! -z "$myid" ]] && echo "Using $myid..." || { echo "Error: please set myid in $0."; exit 1; }
/usr/bin/wget -O - "https://lists.malwarepatrol.net/cgi/getfile?receipt=${myid}&product=8&list=postfix" > /etc/postfix/mbl-body-deny
/usr/sbin/postmap /etc/postfix/mbl-body-deny
/etc/init.d/postfix reload
Add a cron job as follows (the path must match where you saved the script):
40 23 * * * /root/Documents/scripts/fetch.postfixmalware.sh >/dev/null 2>&1
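The update script above writes whatever wget returns straight over /etc/postfix/mbl-body-deny, so a failed or partial download leaves an empty or broken blacklist in place. As an added example (not the page's script and not Malwarepatrol's), the following hardened version, which assumes a MALWAREPATROL_ID environment variable and the page's file path, validates the download before installing it:

```shell
#!/bin/bash
# Added example (hypothetical, not the page's fetch.postfixmalware.sh): download to a
# temp file, reject an empty or malformed result, and only then swap the file in and
# reload Postfix, so a failed download never truncates the live blacklist.
set -u

# Succeed only if the file is non-empty and every non-comment line is a regexp:
# table rule ("/pattern/ ACTION", "!/pattern/ ACTION") or an if/endif block line.
validate_rules() {
    local file="$1" n=0 rules=0 line=''
    [ -s "$file" ] || { echo "empty file: $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*)                            continue ;;
            '/'*'/ '*|'!/'*'/ '*)               rules=$((rules + 1)); continue ;;
            'if /'*'/'*|'if !/'*'/'*|'endif'*)   continue ;;
        esac
        echo "line $n is not a rule: $line" >&2
        return 1
    done < "$file"
    [ "$rules" -gt 0 ] || { echo "no rules in $file" >&2; return 1; }
}

# Validate $1 and move it over $2 (same directory, so the rename is atomic).
install_blacklist() {
    local src="$1" dst="$2"
    validate_rules "$src" || return 1
    chmod 0644 "$src" && mv -f "$src" "$dst"
}

# Fetch the list for MALWAREPATROL_ID (assumed env var) and install it only if it validates.
update_blacklist() {
    local dst=/etc/postfix/mbl-body-deny tmp
    tmp=$(mktemp "${dst}.XXXXXX") || return 1
    if wget -q -O "$tmp" "https://lists.malwarepatrol.net/cgi/getfile?receipt=${MALWAREPATROL_ID}&product=8&list=postfix" \
       && install_blacklist "$tmp" "$dst"; then
        postfix reload   # regexp: tables are read directly; no postmap needed, only a reload
    else
        echo "update failed; keeping the current $dst" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Export MALWAREPATROL_ID=<your receipt id> before running to perform the update.
if [ -n "${MALWAREPATROL_ID:-}" ]; then
    update_blacklist
fi
```

Point the cron job at this script instead and the live table is only replaced when the new list passes validation.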
You may want to combine this feature with MIME attachment blocking and an anti-spam blacklist for the best result.
---