Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 19 replies
  • Subscribers 1 subscriber
  • Views 10455 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

To less malware detected during SMTP-Scan

Chris69
Hi there,
since I enabled the Software UTM (right now 9.310-11) as a SMTP-Proxy it is filtering SPAM very well - but malware not as well as expected.

During the last 30 days it blocked 11 inbound mails for malware reasons - so far, so good - but in the same time the internal Exchange with "forefront security" reported a dozen times malware detection - and was right!
But Forefront is EOL and our license period will end up next week so it will stop the protection during the next days.

Yes, of course I did set the E-Mailprotection / Antivirus to "Dual Scan (Maximum Security)".

The patterns are downloaded and installed in the background and seem to be fine.


Any ideas for a better protection out there?


This thread was automatically locked due to age.
Parents
  • 0
    So I looked into the old logs for one of the Subject-lines ("MT103") of the bad mails being passed thru the UTM.
    Here you are: 

     berlin:/root # gunzip -fc /var/log/smtp/2015/04/smtp-2015-04-30.log.gz | grep -B 18 -A 18 MT103

    

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [1\24] 2015-04-30 21:03:25 1Yntk5-0002xM-0J H=mailout07.t-online.de [194.25.134.83]:49017 F= temporarily rejected after DATA: Temporary local problem, please try again!

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [2\24] Envelope-from: 

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [3\24] Envelope-to: 

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [4\24]     

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [5\24] P Received: from mailout07.t-online.de ([194.25.134.83]:49017)

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [6\24] 	by berlin.gate.XYZ.com with esmtps (TLSv1.2[[:D]]HE-RSA-AES256-GCM-SHA384:256)

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [7\24] 	(Exim 4.82_1-5b7a7c0-XX)

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [8\24] 	(envelope-from )

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [9\24] 	id 1Yntk5-0002xM-0J; Thu, 30 Apr 2015 21:03:25 +0200

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [10\24] P Received: from fwd26.aul.t-online.de (fwd26.aul.t-online.de [172.20.26.131])

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [11\24] 	by mailout07.t-online.de (Postfix) with SMTP id DE8D419306B;

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [12\24] 	Thu, 30 Apr 2015 21:03:23 +0200 (CEST)

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [13\24] P Received: from winsvr.compasshealth.local (ZwjebyZQohXuD0iDKRCR88iDzlNbBPNtMgBJFTPu12EZMjn2vQVH-2Kt9WA6j74gY4@[72.215.248.252]) by fwd26.t-online.de

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [14\24] 	with (TLSv1[[:D]]HE-RSA-AES256-SHA encrypted)

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [15\24] 	esmtp id 1Yntjy-1TH8W00; Thu, 30 Apr 2015 21:03:18 +0200

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [16\24]   Content-Type: multipart/mixed; boundary="===============1089096451=="

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [17\24]   MIME-Version: 1.0

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [18\24]   Subject: Re: SWIFT MT103

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [19\24] T To: Recipients 

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [20\24] F From: "Account" 

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [21\24]   Date: Thu, 30 Apr 2015 13:56:50 -0500

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [22\24] I Message-ID: 

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [23\24]   X-ID: ZwjebyZQohXuD0iDKRCR88iDzlNbBPNtMgBJFTPu12EZMjn2vQVH-2Kt9WA6j74gY4

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [24/24]   X-TOI-MSGID: d0e9e71e-7e8a-4834-833d-d540534c5780

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: 2015-04-30 21:03:25 SMTP connection from mailout07.t-online.de [194.25.134.83]:49017 closed by QUIT

    2015:04:30-21:03:32 berlin-1 exim-in[25747]: 2015-04-30 21:03:32 SMTP connection from [A.B.C.D]:43211 (TCP/IP connection count = 1)

    2015:04:30-21:03:32 berlin-1 exim-in[11374]: 2015-04-30 21:03:32 [A.B.C.D] F= R= Accepted: from relay

    2015:04:30-21:03:32 berlin-1 exim-in[11374]: 2015-04-30 21:03:32 [A.B.C.D] F= R= Accepted: from relay

    2015:04:30-21:03:32 berlin-1 exim-in[11374]: 2015-04-30 21:03:32 1YntkC-0002xS-0l ctasd reports 'Unknown' RefID:str=0001.0A0B0204.55427C84.016F,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0

    2015:04:30-21:03:32 berlin-1 exim-in[11374]: 2015-04-30 21:03:32 1YntkC-0002xS-0l  work R=SCANNER T=SCANNER

    2015:04:30-21:03:41 berlin-1 smtpd[11377]: SCANNER[11377]: 1YntkC-0002xS-0l Completed

    2015:04:30-21:03:41 berlin-1 exim-out[11381]: 2015-04-30 21:03:41 1YntkK-0002xV-9O => "MisterX"@XYZ.com P= R=static_route_hostlist T=static_smtp H=192.168.0.174 [192.168.0.174]:25 X=TLSv1:RC4-SHA:128 C="250 2.6.0  Queued mail for delivery"

    2015:04:30-21:03:41 berlin-1 exim-out[11381]: 2015-04-30 21:03:41 1YntkK-0002xV-9O Completed

    2015:04:30-21:03:41 berlin-1 exim-out[11382]: 2015-04-30 21:03:41 1YntkK-0002xV-9L => info@XYZ.com P= R=static_route_hostlist T=static_smtp H=192.168.0.173 [192.168.0.173]:25 X=TLSv1:RC4-SHA:128 C="250 2.6.0  Queued mail for delivery"

    2015:04:30-21:03:41 berlin-1 exim-out[11382]: 2015-04-30 21:03:41 1YntkK-0002xV-9L Completed
Reply
  • 0
    So I looked into the old logs for one of the Subject-lines ("MT103") of the bad mails being passed thru the UTM.
    Here you are: 

     berlin:/root # gunzip -fc /var/log/smtp/2015/04/smtp-2015-04-30.log.gz | grep -B 18 -A 18 MT103

    

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [1\24] 2015-04-30 21:03:25 1Yntk5-0002xM-0J H=mailout07.t-online.de [194.25.134.83]:49017 F= temporarily rejected after DATA: Temporary local problem, please try again!

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [2\24] Envelope-from: 

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [3\24] Envelope-to: 

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [4\24]     

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [5\24] P Received: from mailout07.t-online.de ([194.25.134.83]:49017)

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [6\24] 	by berlin.gate.XYZ.com with esmtps (TLSv1.2[[:D]]HE-RSA-AES256-GCM-SHA384:256)

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [7\24] 	(Exim 4.82_1-5b7a7c0-XX)

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [8\24] 	(envelope-from )

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [9\24] 	id 1Yntk5-0002xM-0J; Thu, 30 Apr 2015 21:03:25 +0200

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [10\24] P Received: from fwd26.aul.t-online.de (fwd26.aul.t-online.de [172.20.26.131])

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [11\24] 	by mailout07.t-online.de (Postfix) with SMTP id DE8D419306B;

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [12\24] 	Thu, 30 Apr 2015 21:03:23 +0200 (CEST)

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [13\24] P Received: from winsvr.compasshealth.local (ZwjebyZQohXuD0iDKRCR88iDzlNbBPNtMgBJFTPu12EZMjn2vQVH-2Kt9WA6j74gY4@[72.215.248.252]) by fwd26.t-online.de

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [14\24] 	with (TLSv1[[:D]]HE-RSA-AES256-SHA encrypted)

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [15\24] 	esmtp id 1Yntjy-1TH8W00; Thu, 30 Apr 2015 21:03:18 +0200

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [16\24]   Content-Type: multipart/mixed; boundary="===============1089096451=="

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [17\24]   MIME-Version: 1.0

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [18\24]   Subject: Re: SWIFT MT103

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [19\24] T To: Recipients 

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [20\24] F From: "Account" 

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [21\24]   Date: Thu, 30 Apr 2015 13:56:50 -0500

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [22\24] I Message-ID: 

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [23\24]   X-ID: ZwjebyZQohXuD0iDKRCR88iDzlNbBPNtMgBJFTPu12EZMjn2vQVH-2Kt9WA6j74gY4

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: [24/24]   X-TOI-MSGID: d0e9e71e-7e8a-4834-833d-d540534c5780

    2015:04:30-21:03:25 berlin-1 exim-in[11368]: 2015-04-30 21:03:25 SMTP connection from mailout07.t-online.de [194.25.134.83]:49017 closed by QUIT

    2015:04:30-21:03:32 berlin-1 exim-in[25747]: 2015-04-30 21:03:32 SMTP connection from [A.B.C.D]:43211 (TCP/IP connection count = 1)

    2015:04:30-21:03:32 berlin-1 exim-in[11374]: 2015-04-30 21:03:32 [A.B.C.D] F= R= Accepted: from relay

    2015:04:30-21:03:32 berlin-1 exim-in[11374]: 2015-04-30 21:03:32 [A.B.C.D] F= R= Accepted: from relay

    2015:04:30-21:03:32 berlin-1 exim-in[11374]: 2015-04-30 21:03:32 1YntkC-0002xS-0l ctasd reports 'Unknown' RefID:str=0001.0A0B0204.55427C84.016F,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0

    2015:04:30-21:03:32 berlin-1 exim-in[11374]: 2015-04-30 21:03:32 1YntkC-0002xS-0l  work R=SCANNER T=SCANNER

    2015:04:30-21:03:41 berlin-1 smtpd[11377]: SCANNER[11377]: 1YntkC-0002xS-0l Completed

    2015:04:30-21:03:41 berlin-1 exim-out[11381]: 2015-04-30 21:03:41 1YntkK-0002xV-9O => "MisterX"@XYZ.com P= R=static_route_hostlist T=static_smtp H=192.168.0.174 [192.168.0.174]:25 X=TLSv1:RC4-SHA:128 C="250 2.6.0  Queued mail for delivery"

    2015:04:30-21:03:41 berlin-1 exim-out[11381]: 2015-04-30 21:03:41 1YntkK-0002xV-9O Completed

    2015:04:30-21:03:41 berlin-1 exim-out[11382]: 2015-04-30 21:03:41 1YntkK-0002xV-9L => info@XYZ.com P= R=static_route_hostlist T=static_smtp H=192.168.0.173 [192.168.0.173]:25 X=TLSv1:RC4-SHA:128 C="250 2.6.0  Queued mail for delivery"

    2015:04:30-21:03:41 berlin-1 exim-out[11382]: 2015-04-30 21:03:41 1YntkK-0002xV-9L Completed
Children
No Data
Unfiltered HTML