On 03/09/2020 12.52, Syafril Hermansyah via mdaemon-l wrote:
It looks like the log does not match the mail that is in the quarantine queue; there
is no record of it entering the quarantine queue.
First check the message header of the mail in the quarantine queue, see what its
Message-ID is, and use that as the search keyword in the antivirus log.
Here is the most recent one that appeared in the quarantine queue, sir.
This email appeared in the quarantine queue after I enabled antivirus
using Cyren; does this mean it is an email from the previous day, sir?
Thu 2020-09-03 06:30:47.528: ----------
Thu 2020-09-03 06:30:53.497: MDaemon AntiVirus processing c:\mdaemon\queues\local\md5001000319580.msg...
Thu 2020-09-03 06:30:53.497: * Message return-path: [email protected]
Thu 2020-09-03 06:30:53.497: * Message from: [email protected]
Thu 2020-09-03 06:30:53.497: * Message to: [email protected]
Thu 2020-09-03 06:30:53.497: * Message subject: Fwd:RE: Daily Recon SPMS Ericsson Aug-2020
Thu 2020-09-03 06:30:53.497: * Message ID: <[email protected]>
Thu 2020-09-03 06:30:53.497: Start MDaemon AntiVirus results (ClamAV)
Thu 2020-09-03 06:30:53.509: * Total attachments scanned     : 3 (including multipart/alternatives and message body)
Thu 2020-09-03 06:30:53.509: * Total attachments infected    : 0
Thu 2020-09-03 06:30:53.509: * Total attachments disinfected : 0
Thu 2020-09-03 06:30:53.509: * Total errors while scanning   : 0
Thu 2020-09-03 06:30:53.509: * Total attachments removed     : 0
Thu 2020-09-03 06:30:53.520: End of MDaemon AntiVirus results
Thu 2020-09-03 06:30:53.520: ----------
The message headers are as follows:
X-SPScan-Result: infected
X-SPScan-VirusName: W97M/Downldr.IE.gen!Eldorado
X-MDBadQueue-Reason: WARNING! infected with virus
    (W97M/Downldr.IE.gen!Eldorado)
X-MDAV-Processed: mail.persada.id, Thu, 03 Sep 2020 06:30:53 +0700
Return-path: <[email protected]>
Authentication-Results: mail.persada.id;
    spf=pass [email protected];
    dkim=fail (DKIM_BAD_SYNTAX) header.d=berryapparel.com
    header.b=EcTupVRfcf;
    iprev=pass policy.iprev=202.53.147.151 (PTR mail.violetapparel.com);
    iprev=fail policy.iprev=202.53.147.151 reason="does not match"
    (HELO berryapparel.com);
    iprev=pass policy.iprev=202.53.147.151 (MAIL [email protected])
Received-SPF: pass (mail.persada.id: domain berryapparel.com
    designates 202.53.147.151 as permitted sender)
    receiver=mail.persada.id; client-ip=202.53.147.151;
    mechanism=mx; envelope-from="[email protected]";
    helo=berryapparel.com;
Received: from berryapparel.com (mail.violetapparel.com
    [202.53.147.151]) by mail.persada.id (124.81.84.135) (MDaemon PRO v20.0.1)
    with ESMTP id md5001000188866.msg; Thu, 03 Sep 2020 06:30:52 +0700
X-Spam-Level:
X-Spam-Status: No, score=0.80 required=5.0
X-Spam-Report:
    *  0.3 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
    *  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  0.4 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
X-Spam-Processed: mail.persada.id, Thu, 03 Sep 2020 06:30:52 +0700
    (processed during SMTP session)
X-MDSPF-Result: unapproved (mail.persada.id)
X-MDRemoteIP: 202.53.147.151
X-MDHelo: berryapparel.com
X-MDArrival-Date: Thu, 03 Sep 2020 06:30:52 +0700
X-MDOrigin-Country: Cambodia, Asia
X-Rcpt-To: [email protected]
X-MDRcpt-To: [email protected]
X-Return-Path: [email protected]
X-Envelope-From: [email protected]
X-MDaemon-Deliver-To: [email protected]
DKIM-Signature: a=rsa-sha256; t=1599089446; x=1599694246; s=;
    d=berryapparel.com; c=relaxed/relaxed; v=1;
    bh=tTrbDVtq7WuF8KAyKrphEekxg1iSuyQNVF04exBkYLg=;
    h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type;
    b=EcTupVRfcflo9jz3DNP1DovJXFFZp+mjvjZEIG+jqeYGKZARCFd9NOFhkoV84XBDf+yFwGrS2oxSNjlXOvPE6NDpttac28gODsWRF4jOu4Q5NICFhuPQ09jOjkWNoYbSlBzBCPWheLLUduNDco9JfJCry986WVfsvCrNtdO4jQc=
Received: from [86.98.9.19] ([86.98.9.19])
    by berryapparel.com (12.1.1 build 4 x64) with ASMTP (SSL) id
    202009030630441375
    for <[email protected]>; Thu, 03 Sep 2020 06:30:44 +0700
Date: Thu, 03 Sep 2020 03:30:41 +0400
From: "Wiwin Tri Akhdiana" <[email protected]>
To: "Agus Triyono" <[email protected]>
Subject: Fwd:RE: Daily Recon SPMS Ericsson Aug-2020
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="--4556116609063506179342483804808427"
Message-ID: <[email protected]>
However, judging from the screenshot of the quarantined messages, it looks like all of
them really are virus-carrying mail and should have been rejected at the SMTP level.
The screenshot is incomplete; the time stamp (date and time) of each of those
mails is not visible.
Attached is a screenshot of the quarantine queue at 13:30, sir.
How much RAM is installed in the hardware?
Our RAM capacity is 32 GB.
Processor: Intel Xeon E5620 2.4 GHz
Find its transaction log in the antivirus log.
Sorry, which log is this for, sir?
How do you know?
Sorry, this is just my guess, sir: normally, emails from outside come with
all sorts of subjects, none exactly the same as a legitimate email,
but the emails regarded as viruses turn out to have exactly the same subject.
Is there an example (message source)?
How do I get the message source from the queue, sir?
--
--[mdaemon-l]----------------------------------------------------------
This list is for discussion among MDaemon Mail Server users in Indonesia
Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.co.id
Subscribe: send mail to [email protected]
Unsubscribe: send mail to [email protected]
Latest version: MDaemon 20.0.1, SecurityGateway 7.0