Discussion:
Fake ACCEPT (ahem)
Marcin Krol
2007-08-23 09:35:40 UTC
Hello,

OK, so as some of you may know, clamav now features filtering out
phishing and/or spam as well.

The problem is this generates rather unreadable reject messages:

SMTP error from remote mail server after end of data:
host mail.da4.promo.pl [83.149.102.11]: 550 Wirus (virus):
Email.Loan.Gen090.Sanesecurity.07061800

So from POV of SMTP client it all gets classified as virus (not nice), plus the message has to be short, because Outlook Express breaks on 5xx error with multiple lines - Outlook acts precisely as if the message were accepted for delivery, so obviously the user is totally misled.

I would like to send this message to /dev/null. But I can't do "accept" in ACL, because message will be locally delivered. I can't do "deny" either, because it will generate 5xx every time it is found.

Is there a way to fake accept of this message, i.e. say 2xx to client
side, but silently discard the message on server side (optionally with
logging)?
--
Marcin Król
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Dave Evans
2007-08-23 09:47:17 UTC
Post by Marcin Krol
Hello,
OK, so as some of you may know, clamav now features filtering out
phishing and/or spam as well.
Email.Loan.Gen090.Sanesecurity.07061800
Is there a way to fake accept of this message, i.e. say 2xx to client
side, but silently discard the message on server side (optionally with
logging)?
Well yes... you could set an acl_ variable then route to :blackhole: for
example if that variable was set.

But why would you want to accept and silently discard mail? If the mail
contains a virus, don't you think it's better that the sender is told so?
--
Dave Evans
Power Internet Limited, registered in England #03053650 at Norfolk House,
82 Saxon Gate West, Central Milton Keynes, Buckinghamshire, MK9 2DL.
For more information, see http://www.powernet.co.uk/~davide/about-powernet
Jan-Piet Mens
2007-08-23 09:52:27 UTC
Post by Dave Evans
But why would you want to accept and silently discard mail? If the mail
contains a virus, don't you think it's better that the sender is told so?
No! That causes collateral spam! Think faked sender...

-JP
Dave Evans
2007-08-23 10:13:52 UTC
Post by Jan-Piet Mens
Post by Dave Evans
But why would you want to accept and silently discard mail? If the mail
contains a virus, don't you think it's better that the sender is told so?
No! That causes collateral spam! Think faked sender...
My point exactly. Note, I didn't say "tell <$sender_address>", I said "the
sender" - i.e. reject.
--
Dave Evans
Power Internet Limited, registered in England #03053650 at Norfolk House,
82 Saxon Gate West, Central Milton Keynes, Buckinghamshire, MK9 2DL.
For more information, see http://www.powernet.co.uk/~davide/about-powernet
John Hall
2007-08-23 10:13:02 UTC
Post by Jan-Piet Mens
Post by Dave Evans
But why would you want to accept and silently discard mail? If the mail
contains a virus, don't you think it's better that the sender is told so?
No! That causes collateral spam! Think faked sender...
Not if you're rejecting during the SMTP transaction, which is I think
what was being discussed originally.

John
Marcin Krol
2007-08-23 10:37:57 UTC
Post by John Hall
Post by Jan-Piet Mens
Post by Dave Evans
But why would you want to accept and silently discard mail? If the mail
contains a virus, don't you think it's better that the sender is told so?
No! That causes collateral spam! Think faked sender...
Not if you're rejecting during the SMTP transaction, which is I think
what was being discussed originally.
Correct, *but the default clamav message saying so is unreadable*.
Default clamav reject message is not customizable very much, not enough
to make it vary and indicate CLEARLY AND IN BIG LETTERS it was phishing
/ it was spam (clamav used to filter out only viruses so it was not a
problem).

So I need to replace it.

So I need to blackhole the message myself (do accept, not deny) and
generate another message myself and send it during SMTP time with 5xx code.

This is complicated, nevertheless, this is an optimum solution which I seek.
--
Marcin Król
Mike Cardwell
2007-08-23 10:56:20 UTC
Post by Marcin Krol
Post by John Hall
Post by Jan-Piet Mens
Post by Dave Evans
But why would you want to accept and silently discard mail? If the mail
contains a virus, don't you think it's better that the sender is told so?
No! That causes collateral spam! Think faked sender...
Not if you're rejecting during the SMTP transaction, which is I think
what was being discussed originally.
Correct, *but the default clamav message saying so is unreadable*.
Default clamav reject message is not customizable very much, not enough
to make it vary and indicate CLEARLY AND IN BIG LETTERS it was phishing
/ it was spam (clamav used to filter out only viruses so it was not a
problem).
So I need to replace it.
So I need to blackhole the message myself (do accept, not deny) and
generate another message myself and send it during SMTP time with 5xx code.
This is complicated, nevertheless, this is an optimum solution which I seek.
You're getting the terminology wrong, which is confusing matters. What
you *want* to do is reject during SMTP, and send a rejection message
depending on which signature is matched. You can do this with something
along these lines:

deny    malware = *
        message = ${if match{$malware_name}\
                     {\N\.Sanesecurity\.\N}\
                     {Blocked Phishing attempt}\
                     {Blocked Virus}\
                  }

That will return "550 Blocked Phishing attempt" if it's a Sanesecurity
signature, and "550 Blocked Virus" otherwise. I don't know if the logic
of: ".Sanesecurity." is phishing and everything else is a virus, is
correct; but the config snippet is a good representation of what you
want to do.

Mike
Michael Sprague
2007-08-23 13:09:33 UTC
Post by Mike Cardwell
Post by Marcin Krol
Post by John Hall
Post by Jan-Piet Mens
Post by Dave Evans
But why would you want to accept and silently discard mail? If the mail
contains a virus, don't you think it's better that the sender is told so?
No! That causes collateral spam! Think faked sender...
Not if you're rejecting during the SMTP transaction, which is I think
what was being discussed originally.
Correct, *but the default clamav message saying so is unreadable*.
Default clamav reject message is not customizable very much, not enough
to make it vary and indicate CLEARLY AND IN BIG LETTERS it was phishing
/ it was spam (clamav used to filter out only viruses so it was not a
problem).
So I need to replace it.
So I need to blackhole the message myself (do accept, not deny) and
generate another message myself and send it during SMTP time with 5xx code.
This is complicated, nevertheless, this is an optimum solution which I seek.
You're getting the terminology wrong, which is confusing matters. What
you *want* to do is reject during SMTP, and send a rejection message
depending on which signature is matched. You can do this with something
deny malware = *
message = ${if match{$malware_name}\
{\N\.Sanesecurity\.\N}\
{Blocked Phishing attempt}\
{Blocked Virus}\
}
That will return "550 Blocked Phishing attempt" if it's a Sanesecurity
signature, and "550 Blocked Virus" otherwise. I don't know if the logic
of: ".Sanesecurity." is phishing and everything else is a virus, is
correct; but the config snippet is a good representation of what you
want to do.
I do something similar and parse out the 'type' of malware based on the
$malware_name. Sanesecurity classifies things based on name. The URL
below is the page that explains the different types they use:

http://www.sanesecurity.com/clamav/docs.htm

mikeS
--
Michael F. Sprague | ***@saneinc.net
http://www.saneinc.net | System and Network Engineering (SaNE), Inc
Providers of the SpamOnion anti-spam service
Marc Perkel
2007-08-23 13:17:01 UTC
Post by Michael Sprague
Post by Mike Cardwell
Post by Marcin Krol
Post by John Hall
Post by Jan-Piet Mens
Post by Dave Evans
But why would you want to accept and silently discard mail? If the mail
contains a virus, don't you think it's better that the sender is told so?
No! That causes collateral spam! Think faked sender...
Not if you're rejecting during the SMTP transaction, which is I think
what was being discussed originally.
Correct, *but the default clamav message saying so is unreadable*.
Default clamav reject message is not customizable very much, not enough
to make it vary and indicate CLEARLY AND IN BIG LETTERS it was phishing
/ it was spam (clamav used to filter out only viruses so it was not a
problem).
So I need to replace it.
So I need to blackhole the message myself (do accept, not deny) and
generate another message myself and send it during SMTP time with 5xx code.
This is complicated, nevertheless, this is an optimum solution which I seek.
You're getting the terminology wrong, which is confusing matters. What
you *want* to do is reject during SMTP, and send a rejection message
depending on which signature is matched. You can do this with something
deny malware = *
message = ${if match{$malware_name}\
{\N\.Sanesecurity\.\N}\
{Blocked Phishing attempt}\
{Blocked Virus}\
}
That will return "550 Blocked Phishing attempt" if it's a Sanesecurity
signature, and "550 Blocked Virus" otherwise. I don't know if the logic
of: ".Sanesecurity." is phishing and everything else is a virus, is
correct; but the config snippet is a good representation of what you
want to do.
I do something similar and parse out the 'type' of malware based on the
$malware_name. Sanesecurity classifies things based on name. The URL
http://www.sanesecurity.com/clamav/docs.htm
mikeS
You know - one could take that list and do a lookup to grab the right
error ......

hmmmmmmmm
Dave Evans
2007-08-23 10:55:45 UTC
Post by Marcin Krol
Post by John Hall
Not if you're rejecting during the SMTP transaction, which is I think
what was being discussed originally.
Correct, *but the default clamav message saying so is unreadable*.
So I need to blackhole the message myself (do accept, not deny) and
generate another message myself and send it during SMTP time with 5xx code.
I thought that's probably what you were getting at.

This is fine, but ONLY if you send the message to the correct person, which is
usually NOT <$sender_address>. Alas in most environments you won't know who
to send it to!

Do NOT automatically send messages to <$sender_address>! If you do so, you're
part of the problem. If you send messages to <$sender_address>, it won't
matter how readable you make it - the recipients won't appreciate receiving
unsolicited garbage mail from you.
--
Dave Evans
Power Internet Limited, registered in England #03053650 at Norfolk House,
82 Saxon Gate West, Central Milton Keynes, Buckinghamshire, MK9 2DL.
For more information, see http://www.powernet.co.uk/~davide/about-powernet
Marcin Krol
2007-08-23 11:07:25 UTC
Post by Dave Evans
This is fine, but ONLY if you send the message to the correct person, which is
usually NOT <$sender_address>. Alas in most environments you won't know who
to send it to!
Do NOT automatically send messages to <$sender_address>!
Well of course that would generate mostly backscatter (or "collateral
spam" if that's the correct term for this trick used by spammers). I
meant SMTP time which should be safe regarding no backscatter.
--
Marcin Król
Dave Evans
2007-08-23 12:14:18 UTC
Post by Marcin Krol
Post by Dave Evans
This is fine, but ONLY if you send the message to the correct person, which is
usually NOT <$sender_address>. Alas in most environments you won't know who
to send it to!
Do NOT automatically send messages to <$sender_address>!
Well of course that would generate mostly backscatter (or "collateral
spam" if that's the correct term for this trick used by spammers). I
meant SMTP time which should be safe regarding no backscatter.
So I need to blackhole the message myself (do accept, not deny) and
generate another message myself and send it during SMTP time with 5xx code.
Oh, now I see the confusion. You've said both that you want to accept the
message, and also that you want to reply at SMTP time with a 5xx code - which
are of course mutually exclusive goals.

Well as long as you don't generate backscatter I'm sure whatever you pick will
be fine :-)
--
Dave Evans
Power Internet Limited, registered in England #03053650 at Norfolk House,
82 Saxon Gate West, Central Milton Keynes, Buckinghamshire, MK9 2DL.
For more information, see http://www.powernet.co.uk/~davide/about-powernet
Ian Eiloart
2007-08-24 16:03:55 UTC
--On 23 August 2007 11:55:45 +0100 Dave Evans
Post by Dave Evans
Post by Marcin Krol
Post by John Hall
Not if you're rejecting during the SMTP transaction, which is I think
what was being discussed originally.
Correct, *but the default clamav message saying so is unreadable*.
So I need to blackhole the message myself (do accept, not deny) and
generate another message myself and send it during SMTP time with 5xx code.
I thought that's probably what you were getting at.
This is fine, but ONLY if you send the message to the correct person,
No, he means that he wants to generate an alternative rejection message -
an SMTP response, not an email.

use "message =" in the ACL
--
Ian Eiloart
IT Services, University of Sussex
x3148
Marc Perkel
2007-08-23 13:09:08 UTC
Post by Marcin Krol
Post by John Hall
Post by Jan-Piet Mens
Post by Dave Evans
But why would you want to accept and silently discard mail? If the mail
contains a virus, don't you think it's better that the sender is told so?
No! That causes collateral spam! Think faked sender...
Not if you're rejecting during the SMTP transaction, which is I think
what was being discussed originally.
Correct, *but the default clamav message saying so is unreadable*.
Default clamav reject message is not customizable very much, not enough
to make it vary and indicate CLEARLY AND IN BIG LETTERS it was phishing
/ it was spam (clamav used to filter out only viruses so it was not a
problem).
So I need to replace it.
So I need to blackhole the message myself (do accept, not deny) and
generate another message myself and send it during SMTP time with 5xx code.
This is complicated, nevertheless, this is an optimum solution which I seek.
He brings up an interesting idea that I think I'm going to look into.
Clam originally caught viruses and then was extended to phishing and
spam. Yet I and probably most of you return a "malware" message for
everything.

I'm thinking about running Clam in a warn ACL and then parsing the message
to give a more descriptive error based on what was caught.
Mike Cardwell
2007-08-23 10:19:04 UTC
Post by Jan-Piet Mens
Post by Dave Evans
But why would you want to accept and silently discard mail? If the mail
contains a virus, don't you think it's better that the sender is told so?
No! That causes collateral spam! Think faked sender...
No it doesn't. Not if you reject during SMTP. Collateral spam is
generated when you accept a message and then generate a bounce.

What the original author of this thread is looking for here is
fakereject. If you do this:

"accept control = fakereject"

Then the message will look to the sender as though it has been accepted,
but instead of hitting the routers it will just disappear into a blackhole.

I don't get why you want to "/dev/null" the message though...? If you
don't like the way the 550 error message looks just change it, eg:

deny malware = *
message = Malware attached

Would return "550 Malware attached"

MikeC
Mike Cardwell
2007-08-23 10:22:05 UTC
Post by Mike Cardwell
What the original author of this thread is looking for here is
"accept control = fakereject"
Then the message will look to the sender as though it has been accepted,
but instead of hitting the routers it will just disappear into a blackhole.
Ignore the above. I was talking rubbish. Don't ignore the below though.
Post by Mike Cardwell
I don't get why you want to "/dev/null" the message though...? If you
deny malware = *
message = Malware attached
Would return "550 Malware attached"
Mike
Marc Perkel
2007-08-23 13:03:10 UTC
Post by Marcin Krol
Hello,
OK, so as some of you may know, clamav now features filtering out
phishing and/or spam as well.
Email.Loan.Gen090.Sanesecurity.07061800
So from POV of SMTP client it all gets classified as virus (not nice), plus the message has to be short, because Outlook Express breaks on 5xx error with multiple lines - Outlook acts precisely as if the message were accepted for delivery, so obviously the user is totally misled.
I would like to send this message to /dev/null. But I can't do "accept" in ACL, because message will be locally delivered. I can't do "deny" either, because it will generate 5xx every time it is found.
Is there a way to fake accept of this message, i.e. say 2xx to client
side, but silently discard the message on server side (optionally with
logging)?
You could set an ACL variable and then test for the variable in a filter
and do a "seen finish":

  # In the DATA ACL, under whatever condition identifies the message, e.g.
  # the ClamAV hit. acl_m_* is reset for every message and its value is
  # saved with the message, so the system filter can read it; an acl_c_*
  # variable would still be set for the next message on the same connection.
  warn  malware = *
        set acl_m_discard = yes

  # In the system filter ("is" is the filter string comparison):
  if $acl_m_discard is "yes"
  then
    seen finish
  endif
Marc Perkel
2007-08-23 17:11:36 UTC
Here's a little bit of a modification to the traditional way to use
ClamAV to give more meaningful rejection messages:

  # Scan once and keep the lowercased signature name in a per-message
  # variable. acl_m_* is reset for each message; an acl_c_* variable would
  # carry over to the next message on the same connection, so a clean
  # message following a discarded one would be discarded as well.
  warn    malware = */defer_ok
          set acl_m_clam_message = ${lc:$malware_name}

  drop    condition = ${if match{$acl_m_clam_message}{trojan|worm}{true}{false}}
          message   = CLAMAV - Contains a VIRUS ($malware_name)

  drop    condition = ${if match{$acl_m_clam_message}{spam}{true}{false}}
          message   = CLAMAV - Message is Spam ($malware_name)

  drop    condition = ${if match{$acl_m_clam_message}{images}{true}{false}}
          message   = CLAMAV - Contains Image Spam ($malware_name)

  drop    condition = ${if match{$acl_m_clam_message}{phishing}{true}{false}}
          message   = CLAMAV - Message is a PHISHING SCAM ($malware_name)

  # Faked bounces: answer 250 and drop the message, so the forged sender
  # never hears about it. $acl_c_information is set elsewhere in this
  # configuration (not shown).
  discard condition = ${if match{$acl_m_clam_message}{bounceback|blowback}{true}{false}}
          logwrite  = DISCARDED - CLAMAV - bounceback - ($malware_name) - $acl_c_information

  # Anything ClamAV named that the rules above did not classify.
  drop    condition = ${if def:acl_m_clam_message}
          message   = CLAMAV - Misc Spam ($malware_name)
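The following is an added example, not a snippet from any post in this thread, that puts the two things asked for here into one DATA ACL (acl_smtp_data) fragment: a short, single-line 5xx whose wording depends on the signature name, and, for one class of hits, a 250 to the client followed by a logged server-side discard. It uses Exim's `discard` ACL verb, which is allowed in the DATA ACL and does exactly what the original question described (the client sees an accept, nothing is queued), so neither a :blackhole: router nor a system filter is needed for that part. The variable name acl_m_sig, the log text and the signature-name substrings (bounce, blowback, phish, spam, scam, loan) are assumptions for illustration; check them against the signature sets you actually load.

```exim
  # --- DATA ACL (acl_smtp_data) fragment; variable names and substrings are
  # --- assumptions for this example, not from the thread or the Exim docs.

  # Scan once. The lowercased signature name goes into acl_m_sig, which is
  # reset for every message; an acl_c_ variable would still hold the previous
  # message's hit when the next message arrives on the same connection.
  # defer_ok makes a clamd outage fail open (mail passes unscanned); remove it
  # to answer 451 while the scanner is down instead.
  warn    malware        = */defer_ok
          set acl_m_sig  = ${lc:$malware_name}

  # Backscatter-style hits (assumed substrings): tell the client 250, write a
  # main-log line, and drop the message. Nothing is queued, so this host can
  # never send a bounce to the (probably forged) envelope sender.
  discard condition      = ${if match{$acl_m_sig}{bounce|blowback}{yes}{no}}
          logwrite       = clamav discard: $malware_name from $sender_host_address \
                           for $recipients

  # Everything else is refused inside the SMTP transaction, one short line
  # per class (the original post notes Outlook Express mishandles multi-line
  # 5xx replies). Order matters: the first matching statement wins.
  deny    condition      = ${if match{$acl_m_sig}{phish}{yes}{no}}
          message        = Rejected: phishing message ($malware_name)

  deny    condition      = ${if match{$acl_m_sig}{spam|scam|loan}{yes}{no}}
          message        = Rejected: spam message ($malware_name)

  # Any other signature name: treat as malware.
  deny    condition      = ${if def:acl_m_sig {yes}{no}}
          message        = Rejected: message contains malware ($malware_name)

  # Scanned clean (or scanner unavailable, because of defer_ok above).
  accept
```

Two points worth checking before deploying something like this: the `discard` branch is the only place where a forged-sender message is accepted, and it is accepted only to be dropped, so no bounce is ever generated; every other branch rejects during the transaction, which is the property the thread agrees keeps a site out of the backscatter business. Decide deliberately whether you want `*/defer_ok` (fail open) or plain `*` (fail closed with a 451) when clamd is unreachable.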