Aug 5, 2024: iRedMail-1.7.1 has been released.

**blademike** · 2016-12-25 22:22:49

blademike
Member
Offline

Registered: 2016-12-25
Posts: 7

Topic: Ransomware email not blocked/detected by Amavis

======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: centos-release-6-5.el6.centos.11.1.x86_64
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue: /var/log/maillog
====

Hi,

After completing these:
1. http://sanesecurity.com/
2. https://github.com/extremeshok/clamav-unofficial-sigs

I sent an email containing the ransomware .zip file but it wasn't detected/blocked.

Below is the content of the log:

Dec 25 09:50:25 mail postfix/smtpd[2772]: connect from mail.test.com[127.0.0.1]
Dec 25 09:50:25 mail postfix/smtpd[2772]: DF683411E6: client=mail.test.com[127.0.0.1]
Dec 25 09:50:25 mail postfix/cleanup[2760]: DF683411E6: message-id=<67f60c1f205de391710bd9e0fc46a373@test.com>
Dec 25 09:50:25 mail postfix/qmgr[1303]: DF683411E6: from=<mac@test.com>, size=4626, nrcpt=1 (queue active)
Dec 25 09:50:25 mail postfix/smtpd[2772]: disconnect from mail.test.com[127.0.0.1]
Dec 25 09:50:25 mail amavis[1352]: (01352-02) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:41427 -> , Message-ID: , mail_id: 2nDK3TMlIeJw, Hits: -, size: 3553, queued_as: DF683411E6, dkim_new=dkim:test.com, 851 ms
Dec 25 09:50:25 mail postfix/smtp[2765]: CA9CC411C2: to=<mac@test.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.2, delays=0.19/0.12/0/0.87, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as DF683411E6)
Dec 25 09:50:25 mail postfix/qmgr[1303]: CA9CC411C2: removed
Dec 25 09:50:26 mail postfix/pipe[2774]: DF683411E6: to=<mac@test.com>, relay=dovecot, delay=0.13, delays=0.01/0.04/0/0.08, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 25 09:50:26 mail postfix/qmgr[1303]: DF683411E6: removed

Kindly advise on this issue or suggestions on detecting ransomware emails.

Thanks.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

**ZhangHuangbin** · 2016-12-25 22:27:30

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,094

Re: Ransomware email not blocked/detected by Amavis

Turn on debug mode in Amavisd and try again, we need detailed debug log for troubleshooting.
http://www.iredmail.org/docs/debug.amavisd.html

**blademike** · 2016-12-25 22:33:26

blademike
Member
Offline

Registered: 2016-12-25
Posts: 7

Re: Ransomware email not blocked/detected by Amavis

Dec 25 10:25:03 mail amavis[3009]: starting. /usr/sbin/amavisd at mail.test.com amavisd-new-2.9.1 (20140627), Unicode aware, LANG="en_US.UTF-8"
Dec 25 10:25:03 mail amavis[3010]: Net::Server: Group Not Defined. Defaulting to EGID '496 496'
Dec 25 10:25:03 mail amavis[3010]: Net::Server: User Not Defined. Defaulting to EUID '496'
Dec 25 10:25:03 mail amavis[3010]: Module Amavis::Conf 2.321
Dec 25 10:25:03 mail amavis[3010]: Module Archive::Zip 1.30
Dec 25 10:25:03 mail amavis[3010]: Module BerkeleyDB 0.43
Dec 25 10:25:03 mail amavis[3010]: Module Compress::Raw::Zlib 2.021
Dec 25 10:25:03 mail amavis[3010]: Module Compress::Zlib 2.021
Dec 25 10:25:03 mail amavis[3010]: Module Crypt::OpenSSL::RSA 0.25
Dec 25 10:25:03 mail amavis[3010]: Module DBD::mysql 4.013
Dec 25 10:25:03 mail amavis[3010]: Module DBI 1.609
Dec 25 10:25:03 mail amavis[3010]: Module DB_File 1.82
Dec 25 10:25:03 mail amavis[3010]: Module Digest::MD5 2.39
Dec 25 10:25:03 mail amavis[3010]: Module Digest::SHA 5.47
Dec 25 10:25:03 mail amavis[3010]: Module Encode 2.35
Dec 25 10:25:03 mail amavis[3010]: Module File::Temp 0.22
Dec 25 10:25:03 mail amavis[3010]: Module IO::Socket::INET6 2.56
Dec 25 10:25:03 mail amavis[3010]: Module MIME::Entity 5.427
Dec 25 10:25:03 mail amavis[3010]: Module MIME::Parser 5.427
Dec 25 10:25:03 mail amavis[3010]: Module MIME::Tools 5.427
Dec 25 10:25:03 mail amavis[3010]: Module Mail::DKIM::Signer 0.37
Dec 25 10:25:03 mail amavis[3010]: Module Mail::DKIM::Verifier 0.37
Dec 25 10:25:03 mail amavis[3010]: Module Mail::Header 2.04
Dec 25 10:25:03 mail amavis[3010]: Module Mail::Internet 2.04
Dec 25 10:25:03 mail amavis[3010]: Module Mail::SPF v2.008
Dec 25 10:25:03 mail amavis[3010]: Module Mail::SpamAssassin 3.003001
Dec 25 10:25:03 mail amavis[3010]: Module Net::DNS 0.65
Dec 25 10:25:03 mail amavis[3010]: Module Net::Server 2.007
Dec 25 10:25:03 mail amavis[3010]: Module NetAddr::IP 4.027
Dec 25 10:25:03 mail amavis[3010]: Module Razor2::Client::Version 2.84
Dec 25 10:25:03 mail amavis[3010]: Module Scalar::Util 1.21
Dec 25 10:25:03 mail amavis[3010]: Module Socket 1.82
Dec 25 10:25:03 mail amavis[3010]: Module Socket6 0.23
Dec 25 10:25:03 mail amavis[3010]: Module Time::HiRes 1.9721
Dec 25 10:25:03 mail amavis[3010]: Module URI 1.40
Dec 25 10:25:03 mail amavis[3010]: Module Unix::Syslog 1.1
Dec 25 10:25:03 mail amavis[3010]: Amavis::ZMQ code NOT loaded
Dec 25 10:25:03 mail amavis[3010]: Amavis::DB code loaded
Dec 25 10:25:03 mail amavis[3010]: SQL base code loaded
Dec 25 10:25:03 mail amavis[3010]: SQL::Log code loaded
Dec 25 10:25:03 mail amavis[3010]: SQL::Quarantine loaded
Dec 25 10:25:03 mail amavis[3010]: Lookup::SQL code loaded
Dec 25 10:25:03 mail amavis[3010]: Lookup::LDAP code NOT loaded
Dec 25 10:25:03 mail amavis[3010]: AM.PDP-in proto code loaded
Dec 25 10:25:03 mail amavis[3010]: SMTP-in proto code loaded
Dec 25 10:25:03 mail amavis[3010]: Courier proto code NOT loaded
Dec 25 10:25:03 mail amavis[3010]: SMTP-out proto code loaded
Dec 25 10:25:03 mail amavis[3010]: Pipe-out proto code NOT loaded
Dec 25 10:25:03 mail amavis[3010]: BSMTP-out proto code NOT loaded
Dec 25 10:25:03 mail amavis[3010]: Local-out proto code NOT loaded
Dec 25 10:25:03 mail amavis[3010]: OS_Fingerprint code NOT loaded
Dec 25 10:25:03 mail amavis[3010]: ANTI-VIRUS code loaded
Dec 25 10:25:03 mail amavis[3010]: ANTI-SPAM code loaded
Dec 25 10:25:03 mail amavis[3010]: ANTI-SPAM-EXT code NOT loaded
Dec 25 10:25:03 mail amavis[3010]: ANTI-SPAM-C code NOT loaded
Dec 25 10:25:03 mail amavis[3010]: ANTI-SPAM-SA code loaded
Dec 25 10:25:03 mail amavis[3010]: Unpackers code loaded
Dec 25 10:25:03 mail amavis[3010]: DKIM code loaded
Dec 25 10:25:03 mail amavis[3010]: Tools code NOT loaded
Dec 25 10:25:03 mail amavis[3010]: Found $file at /usr/bin/file
Dec 25 10:25:03 mail amavis[3010]: Found $altermime at /usr/bin/altermime
Dec 25 10:25:03 mail amavis[3010]: Internal decoder for .mail
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .F at /usr/bin/unfreeze
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .Z at /usr/bin/gzip -d
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .gz at /usr/bin/gzip -d
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .bz2 at /usr/bin/bzip2 -d
Dec 25 10:25:03 mail amavis[3010]: No ext program for .xz, tried: xzdec, xz -dc, unxz -c, xzcat
Dec 25 10:25:03 mail amavis[3010]: No ext program for .lzma, tried: lzmadec, xz -dc --format=lzma, lzma -dc, unlzma -c, lzcat, lzmadec
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .lrz at /usr/bin/lrzip -q -k -d -o -
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .lzo at /usr/bin/lzop -d
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .rpm at /usr/bin/rpm2cpio
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .cpio at /usr/bin/pax
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .tar at /usr/bin/pax
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .deb at /usr/bin/ar
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .rar at /usr/bin/unrar
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .arj at /usr/bin/unarj
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .arc at /usr/bin/nomarch
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .zoo at /usr/bin/unzoo
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .cab at /usr/bin/cabextract
Dec 25 10:25:03 mail amavis[3010]: Internal decoder for .tnef
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .zip at /usr/bin/7za
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .kmz at /usr/bin/7za
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .7z at /usr/bin/7za
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .xz at /usr/bin/7z
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .lzma at /usr/bin/7z
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .jar at /usr/bin/7z
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .swf at /usr/bin/7z
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .lha at /usr/bin/7z
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .iso at /usr/bin/7z
Dec 25 10:25:03 mail amavis[3010]: Found decoder for .exe at /usr/bin/unrar; /usr/bin/unarj
Dec 25 10:25:03 mail amavis[3010]: Using primary internal av scanner code for ClamAV-clamd
Dec 25 10:25:03 mail amavis[3010]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Dec 25 10:25:03 mail amavis[3010]: Deleting db files __db.004,snmp.db,nanny.db,__db.001,__db.003,__db.002 in /var/spool/amavisd/db
Dec 25 10:25:03 mail amavis[3010]: Creating db in /var/spool/amavisd/db/; BerkeleyDB 0.43, libdb 4.7
Dec 25 10:26:53 mail postfix/submission/smtpd[3032]: connect from mail.test.com[127.0.0.1]
Dec 25 10:26:53 mail postfix/submission/smtpd[3032]: setting up TLS connection from mail.test.com[127.0.0.1]
Dec 25 10:26:53 mail postfix/submission/smtpd[3032]: Anonymous TLS connection established from mail.test.com[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Dec 25 10:26:53 mail postfix/submission/smtpd[3032]: 8EA0A411EA: client=mail.test.com[127.0.0.1], sasl_method=LOGIN, sasl_username=mac@test.com
Dec 25 10:26:53 mail postfix/cleanup[3035]: 8EA0A411EA: message-id=<44ef971e3b5ab289810a830683411ccb@test.com>
Dec 25 10:26:53 mail postfix/qmgr[1303]: 8EA0A411EA: from=<mac@test.com>, size=3553, nrcpt=1 (queue active)
Dec 25 10:26:53 mail roundcube: <rjm7m4b8> User mac@test.com [192.168.1.34]; Message for mac@test.com; 250: 2.0.0 Ok: queued as 8EA0A411EA
Dec 25 10:26:53 mail amavis[3013]: (03013-01) (!)Decoding of p002 (Zip archive data, at least v2.0 to extract) failed, leaving it unpacked: do_7zip: can't get a list of archive members: exit 2; Errors: 1
Dec 25 10:26:53 mail postfix/submission/smtpd[3032]: disconnect from mail.test.com[127.0.0.1]
Dec 25 10:26:54 mail postfix/smtpd[3048]: connect from mail.test.com[127.0.0.1]
Dec 25 10:26:54 mail postfix/smtpd[3048]: 2980E411EC: client=mail.test.com[127.0.0.1]
Dec 25 10:26:54 mail postfix/cleanup[3035]: 2980E411EC: message-id=<44ef971e3b5ab289810a830683411ccb@test.com>
Dec 25 10:26:54 mail postfix/qmgr[1303]: 2980E411EC: from=<mac@test.com>, size=4626, nrcpt=1 (queue active)
Dec 25 10:26:54 mail postfix/smtpd[3048]: disconnect from mail.test.com[127.0.0.1]
Dec 25 10:26:54 mail amavis[3013]: (03013-01) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:41587 -> , Message-ID: , mail_id: tBbP2Bx2vb70, Hits: -, size: 3553, queued_as: 2980E411EC, dkim_new=dkim:test.com, 486 ms
Dec 25 10:26:54 mail postfix/smtp[3040]: 8EA0A411EA: to=<mac@test.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.81, delays=0.22/0.07/0.01/0.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2980E411EC)
Dec 25 10:26:54 mail postfix/qmgr[1303]: 8EA0A411EA: removed
Dec 25 10:26:54 mail postfix/pipe[3049]: 2980E411EC: to=<mac@test.com>, relay=dovecot, delay=0.17, delays=0.03/0.04/0/0.11, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 25 10:26:54 mail postfix/qmgr[1303]: 2980E411EC: removed

**blademike** · 2016-12-25 23:57:11

blademike
Member
Offline

Registered: 2016-12-25
Posts: 7

Re: Ransomware email not blocked/detected by Amavis

I re-sent the email but this time with the extracted .wsf ransomware script. Still, it didn't get blocked.

**ZhangHuangbin** · 2016-12-26 10:12:30

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,094

Re: Ransomware email not blocked/detected by Amavis

blademike wrote:

Dec 25 10:26:53 mail amavis[3013]: (03013-01) (!)Decoding of p002 (Zip archive data, at least v2.0 to extract) failed, leaving it unpacked: do_7zip: can't get a list of archive members: exit 2; Errors: 1

It cannot unzip the file.

blademike wrote:

I re-sent the email but this time with the extracted .wsf ransomware script. Still, it didn't get blocked.

Show us debug log please.

**blademike** · 2016-12-26 18:02:18

blademike
Member
Offline

Registered: 2016-12-25
Posts: 7

Re: Ransomware email not blocked/detected by Amavis

Sorry for the delay,

This is the debug log as requested:

Dec 26 16:27:36 mail amavis[1199]: starting. /usr/sbin/amavisd at mail.test.com amavisd-new-2.9.1 (20140627), Unicode aware, LANG="en_US.UTF-8"
Dec 26 16:27:37 mail amavis[1210]: Net::Server: Group Not Defined. Defaulting to EGID '496 496'
Dec 26 16:27:37 mail amavis[1210]: Net::Server: User Not Defined. Defaulting to EUID '496'
Dec 26 16:27:37 mail amavis[1210]: Module Amavis::Conf 2.321
Dec 26 16:27:37 mail amavis[1210]: Module Archive::Zip 1.30
Dec 26 16:27:37 mail amavis[1210]: Module BerkeleyDB 0.43
Dec 26 16:27:37 mail amavis[1210]: Module Compress::Raw::Zlib 2.021
Dec 26 16:27:37 mail amavis[1210]: Module Compress::Zlib 2.021
Dec 26 16:27:37 mail amavis[1210]: Module Crypt::OpenSSL::RSA 0.25
Dec 26 16:27:37 mail amavis[1210]: Module DBD::mysql 4.013
Dec 26 16:27:37 mail amavis[1210]: Module DBI 1.609
Dec 26 16:27:37 mail amavis[1210]: Module DB_File 1.82
Dec 26 16:27:37 mail amavis[1210]: Module Digest::MD5 2.39
Dec 26 16:27:37 mail amavis[1210]: Module Digest::SHA 5.47
Dec 26 16:27:37 mail amavis[1210]: Module Encode 2.35
Dec 26 16:27:37 mail amavis[1210]: Module File::Temp 0.22
Dec 26 16:27:37 mail amavis[1210]: Module IO::Socket::INET6 2.56
Dec 26 16:27:37 mail amavis[1210]: Module MIME::Entity 5.427
Dec 26 16:27:37 mail amavis[1210]: Module MIME::Parser 5.427
Dec 26 16:27:37 mail amavis[1210]: Module MIME::Tools 5.427
Dec 26 16:27:37 mail amavis[1210]: Module Mail::DKIM::Signer 0.37
Dec 26 16:27:37 mail amavis[1210]: Module Mail::DKIM::Verifier 0.37
Dec 26 16:27:37 mail amavis[1210]: Module Mail::Header 2.04
Dec 26 16:27:37 mail amavis[1210]: Module Mail::Internet 2.04
Dec 26 16:27:37 mail amavis[1210]: Module Mail::SPF v2.008
Dec 26 16:27:37 mail amavis[1210]: Module Mail::SpamAssassin 3.003001
Dec 26 16:27:37 mail amavis[1210]: Module Net::DNS 0.65
Dec 26 16:27:37 mail amavis[1210]: Module Net::Server 2.007
Dec 26 16:27:37 mail amavis[1210]: Module NetAddr::IP 4.027
Dec 26 16:27:37 mail amavis[1210]: Module Razor2::Client::Version 2.84
Dec 26 16:27:37 mail amavis[1210]: Module Scalar::Util 1.21
Dec 26 16:27:37 mail amavis[1210]: Module Socket 1.82
Dec 26 16:27:37 mail amavis[1210]: Module Socket6 0.23
Dec 26 16:27:37 mail amavis[1210]: Module Time::HiRes 1.9721
Dec 26 16:27:37 mail amavis[1210]: Module URI 1.40
Dec 26 16:27:37 mail amavis[1210]: Module Unix::Syslog 1.1
Dec 26 16:27:37 mail amavis[1210]: Amavis::ZMQ code NOT loaded
Dec 26 16:27:37 mail amavis[1210]: Amavis::DB code loaded
Dec 26 16:27:37 mail amavis[1210]: SQL base code loaded
Dec 26 16:27:37 mail amavis[1210]: SQL::Log code loaded
Dec 26 16:27:37 mail amavis[1210]: SQL::Quarantine loaded
Dec 26 16:27:37 mail amavis[1210]: Lookup::SQL code loaded
Dec 26 16:27:37 mail amavis[1210]: Lookup::LDAP code NOT loaded
Dec 26 16:27:37 mail amavis[1210]: AM.PDP-in proto code loaded
Dec 26 16:27:37 mail amavis[1210]: SMTP-in proto code loaded
Dec 26 16:27:37 mail amavis[1210]: Courier proto code NOT loaded
Dec 26 16:27:37 mail amavis[1210]: SMTP-out proto code loaded
Dec 26 16:27:37 mail amavis[1210]: Pipe-out proto code NOT loaded
Dec 26 16:27:37 mail amavis[1210]: BSMTP-out proto code NOT loaded
Dec 26 16:27:37 mail amavis[1210]: Local-out proto code NOT loaded
Dec 26 16:27:37 mail amavis[1210]: OS_Fingerprint code NOT loaded
Dec 26 16:27:37 mail amavis[1210]: ANTI-VIRUS code loaded
Dec 26 16:27:37 mail amavis[1210]: ANTI-SPAM code loaded
Dec 26 16:27:37 mail amavis[1210]: ANTI-SPAM-EXT code NOT loaded
Dec 26 16:27:37 mail amavis[1210]: ANTI-SPAM-C code NOT loaded
Dec 26 16:27:37 mail amavis[1210]: ANTI-SPAM-SA code loaded
Dec 26 16:27:37 mail amavis[1210]: Unpackers code loaded
Dec 26 16:27:37 mail amavis[1210]: DKIM code loaded
Dec 26 16:27:37 mail amavis[1210]: Tools code NOT loaded
Dec 26 16:27:37 mail amavis[1210]: Found $file at /usr/bin/file
Dec 26 16:27:37 mail amavis[1210]: Found $altermime at /usr/bin/altermime
Dec 26 16:27:37 mail amavis[1210]: Internal decoder for .mail
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .F at /usr/bin/unfreeze
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .Z at /usr/bin/gzip -d
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .gz at /usr/bin/gzip -d
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .bz2 at /usr/bin/bzip2 -d
Dec 26 16:27:37 mail amavis[1210]: No ext program for .xz, tried: xzdec, xz -dc, unxz -c, xzcat
Dec 26 16:27:37 mail amavis[1210]: No ext program for .lzma, tried: lzmadec, xz -dc --format=lzma, lzma -dc, unlzma -c, lzcat, lzmadec
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .lrz at /usr/bin/lrzip -q -k -d -o -
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .lzo at /usr/bin/lzop -d
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .rpm at /usr/bin/rpm2cpio
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .cpio at /usr/bin/pax
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .tar at /usr/bin/pax
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .deb at /usr/bin/ar
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .rar at /usr/bin/unrar
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .arj at /usr/bin/unarj
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .arc at /usr/bin/nomarch
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .zoo at /usr/bin/unzoo
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .cab at /usr/bin/cabextract
Dec 26 16:27:37 mail amavis[1210]: Internal decoder for .tnef
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .zip at /usr/bin/7za
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .kmz at /usr/bin/7za
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .7z at /usr/bin/7za
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .xz at /usr/bin/7z
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .lzma at /usr/bin/7z
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .jar at /usr/bin/7z
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .swf at /usr/bin/7z
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .lha at /usr/bin/7z
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .iso at /usr/bin/7z
Dec 26 16:27:37 mail amavis[1210]: Found decoder for .exe at /usr/bin/unrar; /usr/bin/unarj
Dec 26 16:27:37 mail amavis[1210]: Using primary internal av scanner code for ClamAV-clamd
Dec 26 16:27:37 mail amavis[1210]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Dec 26 16:27:37 mail amavis[1210]: Deleting db files __db.004,snmp.db,nanny.db,__db.001,__db.003,__db.002 in /var/spool/amavisd/db
Dec 26 16:27:38 mail amavis[1210]: Creating db in /var/spool/amavisd/db/; BerkeleyDB 0.43, libdb 4.7
Dec 26 16:27:41 mail postfix/postfix-script[1293]: starting the Postfix mail system
Dec 26 16:27:41 mail postfix/master[1296]: daemon started -- version 2.6.6, configuration /etc/postfix
Dec 26 16:29:06 mail postfix/submission/smtpd[1471]: connect from mail.test.com[127.0.0.1]
Dec 26 16:29:06 mail postfix/submission/smtpd[1471]: setting up TLS connection from mail.test.com[127.0.0.1]
Dec 26 16:29:06 mail postfix/submission/smtpd[1471]: Anonymous TLS connection established from mail.test.com[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Dec 26 16:29:07 mail postfix/submission/smtpd[1471]: 3F4AE411E7: client=mail.test.com[127.0.0.1], sasl_method=LOGIN, sasl_username=mac@test.com
Dec 26 16:29:07 mail postfix/cleanup[1484]: 3F4AE411E7: message-id=<639f56dcb9001756ac0a021af6974fdb@test.com>
Dec 26 16:29:07 mail postfix/qmgr[1303]: 3F4AE411E7: from=<mac@test.com>, size=1611, nrcpt=1 (queue active)
Dec 26 16:29:07 mail roundcube: <rgmmslrh> User mac@test.com [192.168.1.199]; Message for mike@test.com; 250: 2.0.0 Ok: queued as 3F4AE411E7
Dec 26 16:29:07 mail postfix/submission/smtpd[1471]: disconnect from mail.test.com[127.0.0.1]
Dec 26 16:29:08 mail postfix/smtpd[1495]: connect from mail.test.com[127.0.0.1]
Dec 26 16:29:08 mail postfix/smtpd[1495]: 4D4C4411ED: client=mail.test.com[127.0.0.1]
Dec 26 16:29:08 mail postfix/cleanup[1484]: 4D4C4411ED: message-id=<639f56dcb9001756ac0a021af6974fdb@test.com>
Dec 26 16:29:08 mail postfix/qmgr[1303]: 4D4C4411ED: from=<mac@test.com>, size=2686, nrcpt=1 (queue active)
Dec 26 16:29:08 mail postfix/smtpd[1495]: disconnect from mail.test.com[127.0.0.1]
Dec 26 16:29:08 mail amavis[1294]: (01294-01) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:50776 -> , Message-ID: , mail_id: 0ouBsMZ_bZ50, Hits: -, size: 1611, queued_as: 4D4C4411ED, dkim_new=dkim:test.com, 663 ms
Dec 26 16:29:08 mail postfix/smtp[1490]: 3F4AE411E7: to=<mike@test.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.6, delays=0.68/0.15/0.01/0.75, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4D4C4411ED)
Dec 26 16:29:08 mail postfix/qmgr[1303]: 3F4AE411E7: removed
Dec 26 16:29:08 mail postfix/pipe[1496]: 4D4C4411ED: to=<mike@test.com>, relay=dovecot, delay=0.26, delays=0.01/0.07/0/0.19, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 26 16:29:08 mail postfix/qmgr[1303]: 4D4C4411ED: removed

**blademike** · 2016-12-26 18:21:03

blademike
Member
Offline

Registered: 2016-12-25
Posts: 7

Re: Ransomware email not blocked/detected by Amavis

ZhangHuangbin wrote:

blademike wrote:
Dec 25 10:26:53 mail amavis[3013]: (03013-01) (!)Decoding of p002 (Zip archive data, at least v2.0 to extract) failed, leaving it unpacked: do_7zip: can't get a list of archive members: exit 2; Errors: 1
It cannot unzip the file.

Do I need to upgrade 7zip?

**ZhangHuangbin** · 2016-12-27 13:54:21

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,094

Re: Ransomware email not blocked/detected by Amavis

No debug log in your last post? Did you follow this tutorial to enable debug mode in Amavisd?
http://www.iredmail.org/docs/debug.amavisd.html

**blademike** · 2016-12-27 14:52:13

blademike
Member
Offline

Registered: 2016-12-25
Posts: 7

Re: Ransomware email not blocked/detected by Amavis

Hi Zhang,

For the debug log you requested, please see my reply (#6). #7 was a follow up to your earlier reply. Sorry, that might confused you.

Yes, I followed the tutorial in the link you provided. Anyway, this is the debug log (sending mail with .wsf ransomware script - So, that it's easier for you to check). Let me know if this is not the debug log that you require.

Thanks.

=======================================================================

Dec 27 14:18:15 mail amavis[1211]: starting. /usr/sbin/amavisd at mail.test.com amavisd-new-2.9.1 (20140627), Unicode aware, LANG="en_US.UTF-8"
Dec 27 14:18:17 mail amavis[1222]: Net::Server: Group Not Defined. Defaulting to EGID '496 496'
Dec 27 14:18:17 mail amavis[1222]: Net::Server: User Not Defined. Defaulting to EUID '496'
Dec 27 14:18:17 mail amavis[1222]: Module Amavis::Conf 2.321
Dec 27 14:18:17 mail amavis[1222]: Module Archive::Zip 1.30
Dec 27 14:18:17 mail amavis[1222]: Module BerkeleyDB 0.43
Dec 27 14:18:17 mail amavis[1222]: Module Compress::Raw::Zlib 2.021
Dec 27 14:18:17 mail amavis[1222]: Module Compress::Zlib 2.021
Dec 27 14:18:17 mail amavis[1222]: Module Crypt::OpenSSL::RSA 0.25
Dec 27 14:18:17 mail amavis[1222]: Module DBD::mysql 4.013
Dec 27 14:18:17 mail amavis[1222]: Module DBI 1.609
Dec 27 14:18:17 mail amavis[1222]: Module DB_File 1.82
Dec 27 14:18:17 mail amavis[1222]: Module Digest::MD5 2.39
Dec 27 14:18:17 mail amavis[1222]: Module Digest::SHA 5.47
Dec 27 14:18:17 mail amavis[1222]: Module Encode 2.35
Dec 27 14:18:17 mail amavis[1222]: Module File::Temp 0.22
Dec 27 14:18:17 mail amavis[1222]: Module IO::Socket::INET6 2.56
Dec 27 14:18:17 mail amavis[1222]: Module MIME::Entity 5.427
Dec 27 14:18:17 mail amavis[1222]: Module MIME::Parser 5.427
Dec 27 14:18:17 mail amavis[1222]: Module MIME::Tools 5.427
Dec 27 14:18:17 mail amavis[1222]: Module Mail::DKIM::Signer 0.37
Dec 27 14:18:17 mail amavis[1222]: Module Mail::DKIM::Verifier 0.37
Dec 27 14:18:17 mail amavis[1222]: Module Mail::Header 2.04
Dec 27 14:18:17 mail amavis[1222]: Module Mail::Internet 2.04
Dec 27 14:18:17 mail amavis[1222]: Module Mail::SPF v2.008
Dec 27 14:18:17 mail amavis[1222]: Module Mail::SpamAssassin 3.003001
Dec 27 14:18:17 mail amavis[1222]: Module Net::DNS 0.65
Dec 27 14:18:17 mail amavis[1222]: Module Net::Server 2.007
Dec 27 14:18:17 mail amavis[1222]: Module NetAddr::IP 4.027
Dec 27 14:18:17 mail amavis[1222]: Module Razor2::Client::Version 2.84
Dec 27 14:18:17 mail amavis[1222]: Module Scalar::Util 1.21
Dec 27 14:18:17 mail amavis[1222]: Module Socket 1.82
Dec 27 14:18:17 mail amavis[1222]: Module Socket6 0.23
Dec 27 14:18:17 mail amavis[1222]: Module Time::HiRes 1.9721
Dec 27 14:18:17 mail amavis[1222]: Module URI 1.40
Dec 27 14:18:17 mail amavis[1222]: Module Unix::Syslog 1.1
Dec 27 14:18:17 mail amavis[1222]: Amavis::ZMQ code NOT loaded
Dec 27 14:18:17 mail amavis[1222]: Amavis::DB code loaded
Dec 27 14:18:17 mail amavis[1222]: SQL base code loaded
Dec 27 14:18:17 mail amavis[1222]: SQL::Log code loaded
Dec 27 14:18:17 mail amavis[1222]: SQL::Quarantine loaded
Dec 27 14:18:17 mail amavis[1222]: Lookup::SQL code loaded
Dec 27 14:18:17 mail amavis[1222]: Lookup::LDAP code NOT loaded
Dec 27 14:18:17 mail amavis[1222]: AM.PDP-in proto code loaded
Dec 27 14:18:17 mail amavis[1222]: SMTP-in proto code loaded
Dec 27 14:18:17 mail amavis[1222]: Courier proto code NOT loaded
Dec 27 14:18:17 mail amavis[1222]: SMTP-out proto code loaded
Dec 27 14:18:17 mail amavis[1222]: Pipe-out proto code NOT loaded
Dec 27 14:18:17 mail amavis[1222]: BSMTP-out proto code NOT loaded
Dec 27 14:18:17 mail amavis[1222]: Local-out proto code NOT loaded
Dec 27 14:18:17 mail amavis[1222]: OS_Fingerprint code NOT loaded
Dec 27 14:18:17 mail amavis[1222]: ANTI-VIRUS code loaded
Dec 27 14:18:17 mail amavis[1222]: ANTI-SPAM code loaded
Dec 27 14:18:17 mail amavis[1222]: ANTI-SPAM-EXT code NOT loaded
Dec 27 14:18:17 mail amavis[1222]: ANTI-SPAM-C code NOT loaded
Dec 27 14:18:17 mail amavis[1222]: ANTI-SPAM-SA code loaded
Dec 27 14:18:17 mail amavis[1222]: Unpackers code loaded
Dec 27 14:18:17 mail amavis[1222]: DKIM code loaded
Dec 27 14:18:17 mail amavis[1222]: Tools code NOT loaded
Dec 27 14:18:17 mail amavis[1222]: Found $file at /usr/bin/file
Dec 27 14:18:17 mail amavis[1222]: Found $altermime at /usr/bin/altermime
Dec 27 14:18:17 mail amavis[1222]: Internal decoder for .mail
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .F at /usr/bin/unfreeze
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .Z at /usr/bin/gzip -d
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .gz at /usr/bin/gzip -d
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .bz2 at /usr/bin/bzip2 -d
Dec 27 14:18:17 mail amavis[1222]: No ext program for .xz, tried: xzdec, xz -dc, unxz -c, xzcat
Dec 27 14:18:17 mail amavis[1222]: No ext program for .lzma, tried: lzmadec, xz -dc --format=lzma, lzma -dc, unlzma -c, lzcat, lzmadec
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .lrz at /usr/bin/lrzip -q -k -d -o -
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .lzo at /usr/bin/lzop -d
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .rpm at /usr/bin/rpm2cpio
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .cpio at /usr/bin/pax
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .tar at /usr/bin/pax
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .deb at /usr/bin/ar
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .rar at /usr/bin/unrar
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .arj at /usr/bin/unarj
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .arc at /usr/bin/nomarch
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .zoo at /usr/bin/unzoo
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .cab at /usr/bin/cabextract
Dec 27 14:18:17 mail amavis[1222]: Internal decoder for .tnef
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .zip at /usr/bin/7za
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .kmz at /usr/bin/7za
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .7z at /usr/bin/7za
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .xz at /usr/bin/7z
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .lzma at /usr/bin/7z
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .jar at /usr/bin/7z
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .swf at /usr/bin/7z
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .lha at /usr/bin/7z
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .iso at /usr/bin/7z
Dec 27 14:18:17 mail amavis[1222]: Found decoder for .exe at /usr/bin/unrar; /usr/bin/unarj
Dec 27 14:18:17 mail amavis[1222]: Using primary internal av scanner code for ClamAV-clamd
Dec 27 14:18:17 mail amavis[1222]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Dec 27 14:18:17 mail amavis[1222]: Deleting db files __db.004,snmp.db,nanny.db,__db.001,__db.003,__db.002 in /var/spool/amavisd/db
Dec 27 14:18:17 mail amavis[1222]: Creating db in /var/spool/amavisd/db/; BerkeleyDB 0.43, libdb 4.7
Dec 27 14:18:20 mail postfix/postfix-script[1305]: starting the Postfix mail system
Dec 27 14:18:21 mail postfix/master[1306]: daemon started -- version 2.6.6, configuration /etc/postfix
Dec 27 14:20:17 mail amavis[1480]: starting. /usr/sbin/amavisd at mail.test.com amavisd-new-2.9.1 (20140627), Unicode aware, LANG="en_US.UTF-8"
Dec 27 14:20:17 mail amavis[1481]: Net::Server: Group Not Defined. Defaulting to EGID '496 496'
Dec 27 14:20:17 mail amavis[1481]: Net::Server: User Not Defined. Defaulting to EUID '496'
Dec 27 14:20:17 mail amavis[1481]: Module Amavis::Conf 2.321
Dec 27 14:20:17 mail amavis[1481]: Module Archive::Zip 1.30
Dec 27 14:20:17 mail amavis[1481]: Module BerkeleyDB 0.43
Dec 27 14:20:17 mail amavis[1481]: Module Compress::Raw::Zlib 2.021
Dec 27 14:20:17 mail amavis[1481]: Module Compress::Zlib 2.021
Dec 27 14:20:17 mail amavis[1481]: Module Crypt::OpenSSL::RSA 0.25
Dec 27 14:20:17 mail amavis[1481]: Module DBD::mysql 4.013
Dec 27 14:20:17 mail amavis[1481]: Module DBI 1.609
Dec 27 14:20:17 mail amavis[1481]: Module DB_File 1.82
Dec 27 14:20:17 mail amavis[1481]: Module Digest::MD5 2.39
Dec 27 14:20:17 mail amavis[1481]: Module Digest::SHA 5.47
Dec 27 14:20:17 mail amavis[1481]: Module Encode 2.35
Dec 27 14:20:17 mail amavis[1481]: Module File::Temp 0.22
Dec 27 14:20:17 mail amavis[1481]: Module IO::Socket::INET6 2.56
Dec 27 14:20:17 mail amavis[1481]: Module MIME::Entity 5.427
Dec 27 14:20:17 mail amavis[1481]: Module MIME::Parser 5.427
Dec 27 14:20:17 mail amavis[1481]: Module MIME::Tools 5.427
Dec 27 14:20:17 mail amavis[1481]: Module Mail::DKIM::Signer 0.37
Dec 27 14:20:17 mail amavis[1481]: Module Mail::DKIM::Verifier 0.37
Dec 27 14:20:17 mail amavis[1481]: Module Mail::Header 2.04
Dec 27 14:20:17 mail amavis[1481]: Module Mail::Internet 2.04
Dec 27 14:20:17 mail amavis[1481]: Module Mail::SPF v2.008
Dec 27 14:20:17 mail amavis[1481]: Module Mail::SpamAssassin 3.003001
Dec 27 14:20:17 mail amavis[1481]: Module Net::DNS 0.65
Dec 27 14:20:17 mail amavis[1481]: Module Net::Server 2.007
Dec 27 14:20:17 mail amavis[1481]: Module NetAddr::IP 4.027
Dec 27 14:20:17 mail amavis[1481]: Module Razor2::Client::Version 2.84
Dec 27 14:20:17 mail amavis[1481]: Module Scalar::Util 1.21
Dec 27 14:20:17 mail amavis[1481]: Module Socket 1.82
Dec 27 14:20:17 mail amavis[1481]: Module Socket6 0.23
Dec 27 14:20:17 mail amavis[1481]: Module Time::HiRes 1.9721
Dec 27 14:20:17 mail amavis[1481]: Module URI 1.40
Dec 27 14:20:17 mail amavis[1481]: Module Unix::Syslog 1.1
Dec 27 14:20:17 mail amavis[1481]: Amavis::ZMQ code NOT loaded
Dec 27 14:20:17 mail amavis[1481]: Amavis::DB code loaded
Dec 27 14:20:17 mail amavis[1481]: SQL base code loaded
Dec 27 14:20:17 mail amavis[1481]: SQL::Log code loaded
Dec 27 14:20:17 mail amavis[1481]: SQL::Quarantine loaded
Dec 27 14:20:17 mail amavis[1481]: Lookup::SQL code loaded
Dec 27 14:20:17 mail amavis[1481]: Lookup::LDAP code NOT loaded
Dec 27 14:20:17 mail amavis[1481]: AM.PDP-in proto code loaded
Dec 27 14:20:17 mail amavis[1481]: SMTP-in proto code loaded
Dec 27 14:20:17 mail amavis[1481]: Courier proto code NOT loaded
Dec 27 14:20:17 mail amavis[1481]: SMTP-out proto code loaded
Dec 27 14:20:17 mail amavis[1481]: Pipe-out proto code NOT loaded
Dec 27 14:20:17 mail amavis[1481]: BSMTP-out proto code NOT loaded
Dec 27 14:20:17 mail amavis[1481]: Local-out proto code NOT loaded
Dec 27 14:20:17 mail amavis[1481]: OS_Fingerprint code NOT loaded
Dec 27 14:20:17 mail amavis[1481]: ANTI-VIRUS code loaded
Dec 27 14:20:17 mail amavis[1481]: ANTI-SPAM code loaded
Dec 27 14:20:17 mail amavis[1481]: ANTI-SPAM-EXT code NOT loaded
Dec 27 14:20:17 mail amavis[1481]: ANTI-SPAM-C code NOT loaded
Dec 27 14:20:17 mail amavis[1481]: ANTI-SPAM-SA code loaded
Dec 27 14:20:17 mail amavis[1481]: Unpackers code loaded
Dec 27 14:20:17 mail amavis[1481]: DKIM code loaded
Dec 27 14:20:17 mail amavis[1481]: Tools code NOT loaded
Dec 27 14:20:17 mail amavis[1481]: Found $file at /usr/bin/file
Dec 27 14:20:17 mail amavis[1481]: Found $altermime at /usr/bin/altermime
Dec 27 14:20:17 mail amavis[1481]: Internal decoder for .mail
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .F at /usr/bin/unfreeze
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .Z at /usr/bin/gzip -d
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .gz at /usr/bin/gzip -d
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .bz2 at /usr/bin/bzip2 -d
Dec 27 14:20:17 mail amavis[1481]: No ext program for .xz, tried: xzdec, xz -dc, unxz -c, xzcat
Dec 27 14:20:17 mail amavis[1481]: No ext program for .lzma, tried: lzmadec, xz -dc --format=lzma, lzma -dc, unlzma -c, lzcat, lzmadec
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .lrz at /usr/bin/lrzip -q -k -d -o -
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .lzo at /usr/bin/lzop -d
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .rpm at /usr/bin/rpm2cpio
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .cpio at /usr/bin/pax
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .tar at /usr/bin/pax
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .deb at /usr/bin/ar
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .rar at /usr/bin/unrar
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .arj at /usr/bin/unarj
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .arc at /usr/bin/nomarch
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .zoo at /usr/bin/unzoo
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .cab at /usr/bin/cabextract
Dec 27 14:20:17 mail amavis[1481]: Internal decoder for .tnef
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .zip at /usr/bin/7za
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .kmz at /usr/bin/7za
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .7z at /usr/bin/7za
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .xz at /usr/bin/7z
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .lzma at /usr/bin/7z
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .jar at /usr/bin/7z
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .swf at /usr/bin/7z
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .lha at /usr/bin/7z
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .iso at /usr/bin/7z
Dec 27 14:20:17 mail amavis[1481]: Found decoder for .exe at /usr/bin/unrar; /usr/bin/unarj
Dec 27 14:20:17 mail amavis[1481]: Using primary internal av scanner code for ClamAV-clamd
Dec 27 14:20:17 mail amavis[1481]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Dec 27 14:20:17 mail amavis[1481]: Deleting db files __db.004,snmp.db,nanny.db,__db.001,__db.003,__db.002 in /var/spool/amavisd/db
Dec 27 14:20:17 mail amavis[1481]: Creating db in /var/spool/amavisd/db/; BerkeleyDB 0.43, libdb 4.7
Dec 27 14:33:33 mail postfix/submission/smtpd[1513]: connect from mail.test.com[127.0.0.1]
Dec 27 14:33:33 mail postfix/submission/smtpd[1513]: setting up TLS connection from mail.test.com[127.0.0.1]
Dec 27 14:33:33 mail postfix/submission/smtpd[1513]: Anonymous TLS connection established from mail.test.com[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Dec 27 14:33:34 mail postfix/submission/smtpd[1513]: BE26F40B5D: client=mail.test.com[127.0.0.1], sasl_method=LOGIN, sasl_username=mac@test.com
Dec 27 14:33:37 mail postfix/cleanup[1522]: BE26F40B5D: message-id=<264ef0034f22bcafb2092d03c0673ccb@test.com>
Dec 27 14:33:38 mail postfix/qmgr[1313]: BE26F40B5D: from=<mac@test.com>, size=1471, nrcpt=1 (queue active)
Dec 27 14:33:38 mail roundcube: <0huoj4rd> User mac@test.com [192.168.1.199]; Message for mike@test.com; 250: 2.0.0 Ok: queued as BE26F40B5D
Dec 27 14:33:41 mail postfix/submission/smtpd[1513]: disconnect from mail.test.com[127.0.0.1]
Dec 27 14:33:43 mail postfix/smtpd[1542]: connect from mail.test.com[127.0.0.1]
Dec 27 14:33:43 mail postfix/smtpd[1542]: EABE8411F0: client=mail.test.com[127.0.0.1]
Dec 27 14:33:43 mail postfix/cleanup[1522]: EABE8411F0: message-id=<264ef0034f22bcafb2092d03c0673ccb@test.com>
Dec 27 14:33:44 mail postfix/qmgr[1313]: EABE8411F0: from=<mac@test.com>, size=2546, nrcpt=1 (queue active)
Dec 27 14:33:44 mail postfix/smtpd[1542]: disconnect from mail.test.com[127.0.0.1]
Dec 27 14:33:44 mail amavis[1484]: (01484-01) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:33826 -> , Message-ID: , mail_id: Cspo5BgsY12G, Hits: -, size: 1471, queued_as: EABE8411F0, dkim_new=dkim:test.com, 5961 ms
Dec 27 14:33:44 mail postfix/smtp[1528]: BE26F40B5D: to=<mike@test.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=11, delays=4/0.21/0.01/6.6, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as EABE8411F0)
Dec 27 14:33:44 mail postfix/qmgr[1313]: BE26F40B5D: removed
Dec 27 14:33:45 mail postfix/pipe[1545]: EABE8411F0: to=<mike@test.com>, relay=dovecot, delay=1.8, delays=0.24/0.55/0/1, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 27 14:33:45 mail postfix/qmgr[1313]: EABE8411F0: removed

**ZhangHuangbin** · 2016-12-27 18:22:57

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,094

Re: Ransomware email not blocked/detected by Amavis

Try this: add below lines in /etc/amavisd/amavisd.conf (before the last line "1;"):

# Amavisd on some Linux/BSD distribution use $banned_namepath_re instead of
# $banned_filename_re, so we define some blocked file types here.
#
# Sample input for $banned_namepath_re:
#
#   P=p003\tL=1\tM=multipart/mixed\nP=p002\tL=1/2\tM=application/octet-stream\tT=dat\tN=my_docum.zip
#
# What it means:
#   - T: type. e.g. zip archive.
#   - M: MIME type. e.g. application/octet-stream.
#   - N: suggested (MIME) name. e.g. my_docum.zip.

$banned_namepath_re = new_RE(
    # Compressed files.
    [qr'M=application/(zip|rar|arc|arj|zoo|gz|bz2)(,|\t).*T=dat(,|\t)'xmi => 'DISCARD'],

    # Dangerous file types on Windows.
    [qr'M=(9|386|LeChiffre|aaa|abc|aepl|aru|atm|aut|bat|bhx|bin|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mjg|mjz|mp3|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|wmf|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxx|xyz|zix|zvz|zzz)(,|\t)'xmi => 'DISCARD'],
    [qr'N=.*(9|386|LeChiffre|aaa|abc|aepl|aru|atm|aut|bat|bhx|bin|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mjg|mjz|mp3|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|wmf|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxx|xyz|zix|zvz|zzz)$'xmi => 'DISCARD'],

    [qr'T=(pif|scr)(,|\t)'xmi => 'DISCARD'],                      # banned extensions - rudimentary
    [qr'T=ani(,|\t)'xmi => 'DISCARD'],                            # banned animated cursor file(1) type
    [qr'T=(mim|b64|bhx|hqx|xxe|uu|uue)(,|\t)'xmi => 'DISCARD'],   # banned extension - WinZip vulnerab.
    [qr'M=application/x-msdownload(,|\t)'xmi => 'DISCARD'],       # block these MIME types
    [qr'M=application/x-msdos-program(,|\t)'xmi => 'DISCARD'],
    [qr'M=application/hta(,|\t)'xmi => 'DISCARD'],
    [qr'M=(application/x-msmetafile|image/x-wmf)(,|\t)'xmi => 'DISCARD'],  # Windows Metafile MIME type
);

If your amavisd.conf already has "$banned_namepath_re", then just add below line INSIDE "$banned_namepath_re = ();" block:

    [qr'N=.*(9|386|LeChiffre|aaa|abc|aepl|aru|atm|aut|bat|bhx|bin|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mjg|mjz|mp3|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|wmf|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxx|xyz|zix|zvz|zzz)$'xmi => 'DISCARD'],

**blademike** · 2016-12-27 23:33:58

blademike
Member
Offline

Registered: 2016-12-25
Posts: 7

Re: Ransomware email not blocked/detected by Amavis

Hi Zhang,

I confirmed that this is now working as expected. I wonder why my Amavis config only has the qr'M= but not the qr'N=.* entry. Anyway, thanks alot.

Aug 5, 2024: iRedMail-1.7.1 has been released.

[ Closed ] Ransomware email not blocked/detected by Amavis

Posts: 11

1 Topic by blademike 2016-12-25 22:22:49

Topic: Ransomware email not blocked/detected by Amavis

2 Reply by ZhangHuangbin 2016-12-25 22:27:30

Re: Ransomware email not blocked/detected by Amavis

3 Reply by blademike 2016-12-25 22:33:26

Re: Ransomware email not blocked/detected by Amavis

4 Reply by blademike 2016-12-25 23:57:11

Re: Ransomware email not blocked/detected by Amavis

5 Reply by ZhangHuangbin 2016-12-26 10:12:30

Re: Ransomware email not blocked/detected by Amavis

6 Reply by blademike 2016-12-26 18:02:18

Re: Ransomware email not blocked/detected by Amavis

7 Reply by blademike 2016-12-26 18:21:03

Re: Ransomware email not blocked/detected by Amavis

8 Reply by ZhangHuangbin 2016-12-27 13:54:21

Re: Ransomware email not blocked/detected by Amavis

9 Reply by blademike 2016-12-27 14:52:13

Re: Ransomware email not blocked/detected by Amavis

10 Reply by ZhangHuangbin 2016-12-27 18:22:57

Re: Ransomware email not blocked/detected by Amavis

11 Reply by blademike 2016-12-27 23:33:58

Re: Ransomware email not blocked/detected by Amavis

Posts: 11