On 11/4/2013 3:27 PM, Nicholas Chua wrote:
> Hi,
>
> I am receiving an average of 13 new virus each day. Due to these
> virus, email accounts passwords are stolen and caused massive spams
> from the server. Valuable time is wasted to delist our IP and to
> maintain a private list of a virus database which till date 100+ virus
> are still not detected by clamav.
>
> This server is housing about 600 users. We were not experience this
> issue since 4 months ago. Anyone out there would like to share your
> experience fighting virus?
>
> Thanks
> nic

Nic:

You'll need to look to your qmail-send logs to see the users who are
sending messages that are failing. For virus infected systems, you'll
see the messages going out to 20 or so addresses at a time, most of
which will be invalid.

Once you identify a hacked user, change their password & decline to give
them the new password until they can demonstrate that they've run a full
virus scan on their system.

It is because of issues like this that I keep a 15-minute timer on my
larger mail systems... every 15 minutes, I count how many failed
messages there have been so far today. When the value reaches 100, I
look into it and usually find ONE USER who is responsible for the vast
majority of them, and I immediately suspend that user as described above
(I just change the password).

The problems with your idea of resting on clamav for virus protection
includes:
1) you're assuming clamav is scanning messages from your users -- which
in a stock QMT, it is not. It only scans messages coming in on port 25
received without authentication (e.g. inbound mail, not outbound mail);
2) you're assuming virus infections are spreading as attachments --
usually they are nothing but links... which usually get opened and
infect clients because stupid, lazy users keep their mail clients set to
having a preview pane and to showing html content always... thus, the
swear they didn't OPEN the infecting message -- but their preview pane
sure did!
3) you're assuming you're being blacklisted because of SPAM or virus
contents -- usually you hit the blacklists because you send SPAM to
"honeypot" addresses, or you keep hitting sites over and over again with
invalid addresses (considered fishing).

So, if this started a few days ago, start by extracting the log files,
one day at a time, for the past week.
1) use qmlog to scan ALL available logs (not just the "current" file
2) pipe the output of qmlog into grep and sort out all entries for the
given day (e.g. | grep "^10-31")
3) put the results into a /tmp file (I would use /
4) use the [q]mtrack program I mentioned just earlier today to examine
JUST THAT FILE, and look for messages that have multiple recipients.

I hope this points you in the right direction...

Dan
IT4SOHO
QMT DNS/Mirror Admin

-- 

PLEASE TAKE NOTE OF OUR NEW ADDRESS
===================================
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
  877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax 

We have support plans for QMail!

Reply via email to