Hello,

Does anyone have creative ideas on how to evaluate those hash values?


Kind regards,

Ralf Kirmis
 

-----Original Message-----
From: amavis-users [mailto:[email protected]] On Behalf Of Andreas Schulze via amavis-users
Sent: Tuesday, 5 November 2013 13:44
To: [email protected]
Subject: logging attachement hashes

Hello,

I wrote a patch to enable amavisd to log a hash of each MIME part of a message.
As a result we have nice logging of attachments with randomized names:
Nov  5 13:24:34 amavis amavis[63605]: (63605) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_915348761926.zip
Nov  5 13:24:47 amavis amavis[64401]: (64401) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_246684491810.zip
Nov  5 13:24:49 amavis amavis[37512]: (37512) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_385492343722.zip
Nov  5 13:25:11 amavis amavis[23929]: (23929) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_410730648345.zip
Nov  5 13:25:28 amavis amavis[23927]: (23927) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_067966022207.zip
Nov  5 13:25:35 amavis amavis[23931]: (23931) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_886327295193.zip
Nov  5 13:25:49 amavis amavis[23923]: (23923) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_079214708084.zip
Nov  5 13:25:58 amavis amavis[23936]: (23936) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_381806514856.zip

Looking at these logs it's very easy to identify malicious content still not
detected by virus scanners.
Maybe someone has an idea to extend that feature.

Andreas

--
Andreas Schulze
Internet Services | P252

DATEV eG
90329 Nürnberg | Telephone +49 911 319-0 | Fax +49 911 319-3196 | E-mail info@datev.de | Internet www.datev.de
Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Register court Nürnberg, GenReg No. 70
Executive Board: Prof. Dieter Kempf (Chairman), Dipl.-Kfm. Wolfgang Stegmann (Deputy Chairman), Dipl.-Kfm. Michael Leistenschneider, Dipl.-Kfm. Dr. Robert Mayr, Jörg Rabe v. Pappenheim, Dipl.-Vw. Eckhard Schwarzer
Chairman of the Supervisory Board: Reinhard Verholen
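
One way to evaluate the hash values in the log format shown above, as an added example that is not part of the original thread or of the amavisd patch: group MIME parts by md5 and report hashes that arrive under several distinct file names. The function names, the `min_names` threshold and the two benign sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the per-MIME-part fields of the log format shown in the thread.
PART_RE = re.compile(
    r"Content-Type:\s*(?P<ctype>[^,]+),\s*size:\s*(?P<size>\d+) B,\s*"
    r"md5:\s*(?P<md5>[0-9a-f]{32}),\s*name:\s*(?P<name>.*\S)"
)

def parse_parts(lines):
    """Yield (md5, size, content_type, name) for each line in that format."""
    for line in lines:
        m = PART_RE.search(line)
        if m:
            yield m["md5"], int(m["size"]), m["ctype"].strip(), m["name"]

def randomized_name_clusters(lines, min_names=3):
    """Return hashes seen under at least min_names distinct file names.

    Identical content under many names is the pattern in the log excerpt;
    min_names is an assumed threshold to tune per site.
    """
    seen = defaultdict(lambda: {"count": 0, "names": set(), "size": None, "ctype": None})
    for md5, size, ctype, name in parse_parts(lines):
        entry = seen[md5]
        entry["count"] += 1
        entry["names"].add(name)
        entry["size"], entry["ctype"] = size, ctype
    hits = {h: e for h, e in seen.items() if len(e["names"]) >= min_names}
    # Most widely renamed content first.
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1]["names"])))

# Constructed sample: three lines taken from the excerpt above, plus two
# made-up benign lines (one PDF sent twice under the same name).
SAMPLE_LOG = """\
Nov  5 13:24:34 amavis amavis[63605]: (63605) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_915348761926.zip
Nov  5 13:24:40 amavis amavis[63606]: (63606) p002 1/2 Content-Type: application/pdf, size: 20480 B, md5: 0123456789abcdef0123456789abcdef, name: report.pdf
Nov  5 13:24:47 amavis amavis[64401]: (64401) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_246684491810.zip
Nov  5 13:24:49 amavis amavis[37512]: (37512) p003 1/2 Content-Type: application/zip, size: 175613 B, md5: e687fa20dbe2f62418da7dee62f5ef74, name: VodafoneWillkommen_385492343722.zip
Nov  5 13:24:55 amavis amavis[63607]: (63607) p002 1/2 Content-Type: application/pdf, size: 20480 B, md5: 0123456789abcdef0123456789abcdef, name: report.pdf
""".splitlines()

if __name__ == "__main__":
    for md5, e in randomized_name_clusters(SAMPLE_LOG).items():
        print(f"{md5} {e['ctype']} {e['size']} B: {e['count']} parts, {len(e['names'])} names")
```

Counting distinct names rather than raw occurrences keeps a legitimate attachment that is simply sent often, such as the constructed `report.pdf`, out of the report.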
