RE: Body checks and warning log
> ----- Original Message -----
> From: mouss [EMAIL PROTECTED]
> To: Postfix users postfix-users@postfix.org
> Sent: Friday, November 14, 2008 7:58:45 AM
> Subject: Re: Body checks and warning log
>
> MacShane, Tracy wrote:
> > I'm trying to create a very simple body check for a limited time to get an indicative idea of how many users may be sending credit card numbers via email.
> > ...
> > Our security people are having wibbles about this logging regime, so I was wondering if there was some way to ensure the WARN action doesn't log the matched line (I can obviously append a truncated version of the apparent number with the optional text), or if there might be a better way to do this auditing task.
>
> you can use HOLD, then have a cron job to check the message and release it.
>
> Alternatively, you can use FILTER to pass the message to another smtpd. example:
>
> == body_checks:
> // FILTER filter:[127.0.0.1]:25666
>
> == master.cf
> 127.0.0.1:25666 inet n - n - - smtpd
>   -o syslog_name=postwatch
>   -o receive_override_options=no_address_mappings
>   -o mynetworks=127.0.0.1
>   -o smtpd_recipient_restrictions=${smtpd666_recipient_restrictions}
>   ...
>
> == main.cf
> smtpd666_recipient_restrictions =
>   check_client_access pcre:/etc/postfix/logcard
>   permit_mynetworks
>   reject
>
> == logcard
> /./ WARN credit card blah blah
>
> note that this will override your content filter setting. if you had one, then make sure it is used in the :25666 smtpd (either explicit -o content_filter=... in master.cf, or a content_filter=... in main.cf will do).
>
> PS. if you use clamav, check its Data Loss Protection feature.

> Do you have American Express cards covered and other store based credit cards? Also do you account for the expiration date and 3 digit security code?

Thanks for the great suggestions, mouss. We use Trend Micro IMSS, which is very similar to amavisd. I'm sure we can work around it.

Daniel, I'm not too concerned about absolute accuracy at this stage, since I just want to assess whether we need to take firmer measures. The regexp I have should trap Amex numbers, although there may be a number of false positives. I'll be reviewing them manually in any case. I'm not worried about the expiration date or security code (with the latter, I know of at least one example of a pay-by-email form that didn't require that number at all) - I'm not planning to *use* the cards, heh. Also, I believe crooks can use a credit card number to generate both an expiry date and security code using some algorithm.
Re: Body checks and warning log
Daniel Reinhardt
Website: www.cryptodan.com
Email: [EMAIL PROTECTED]
Junior Network Security Engineer

----- Original Message -----
From: mouss [EMAIL PROTECTED]
To: Postfix users postfix-users@postfix.org
Sent: Friday, November 14, 2008 7:58:45 AM
Subject: Re: Body checks and warning log

MacShane, Tracy wrote:
> I'm trying to create a very simple body check for a limited time to get an indicative idea of how many users may be sending credit card numbers via email. I have a simple pcre body_check map that is logging a warning when it encounters a match. Unfortunately, the entire message line that triggers the warning is added to the mail log, naturally with the potential credit card number in plain text.
>
> cat /etc/postfix/body_checks.pcre
> /\b(?:\d[ -]*){13,16}\b/ WARN Credit card number
>
> Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning: body text 1243 1211 1232 1232 blah blah from localhost.localdomain[127.0.0.1]; from=<[EMAIL PROTECTED]> to=<test.user@domain.example.com> proto=SMTP helo=<server.example.com>: Credit card number
>
> Our security people are having wibbles about this logging regime, so I was wondering if there was some way to ensure the WARN action doesn't log the matched line (I can obviously append a truncated version of the apparent number with the optional text), or if there might be a better way to do this auditing task.

you can use HOLD, then have a cron job to check the message and release it.

Alternatively, you can use FILTER to pass the message to another smtpd. example:

== body_checks:
// FILTER filter:[127.0.0.1]:25666

== master.cf
127.0.0.1:25666 inet n - n - - smtpd
  -o syslog_name=postwatch
  -o receive_override_options=no_address_mappings
  -o mynetworks=127.0.0.1
  -o smtpd_recipient_restrictions=${smtpd666_recipient_restrictions}
  ...

== main.cf
smtpd666_recipient_restrictions =
  check_client_access pcre:/etc/postfix/logcard
  permit_mynetworks
  reject

== logcard
/./ WARN credit card blah blah

note that this will override your content filter setting. if you had one, then make sure it is used in the :25666 smtpd (either explicit -o content_filter=... in master.cf, or a content_filter=... in main.cf will do).

PS. if you use clamav, check its Data Loss Protection feature.

Do you have American Express cards covered and other store based credit cards? Also do you account for the expiration date and 3 digit security code?
Body checks and warning log
I'm trying to create a very simple body check for a limited time to get an indicative idea of how many users may be sending credit card numbers via email. I have a simple pcre body_check map that is logging a warning when it encounters a match. Unfortunately, the entire message line that triggers the warning is added to the mail log, naturally with the potential credit card number in plain text.

cat /etc/postfix/body_checks.pcre
/\b(?:\d[ -]*){13,16}\b/ WARN Credit card number

Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning: body text 1243 1211 1232 1232 blah blah from localhost.localdomain[127.0.0.1]; from=<[EMAIL PROTECTED]> to=<test.user@domain.example.com> proto=SMTP helo=<server.example.com>: Credit card number

Our security people are having wibbles about this logging regime, so I was wondering if there was some way to ensure the WARN action doesn't log the matched line (I can obviously append a truncated version of the apparent number with the optional text), or if there might be a better way to do this auditing task.
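The body_checks pattern above is a coarse net: it matches any 13-16 digit run, and Tracy's own test line (1243 1211 1232 1232) is not even Luhn-valid. As an added example, not code from this thread or from Postfix, here is a Python helper of the kind a content filter (the FILTER/smtpprox route discussed later in the thread) could use: it applies the same pattern, keeps only Luhn-valid candidates, and produces an audit record carrying masked digits instead of the body line, plus a redaction routine. The queue id 98D7015E0091 is taken from Tracy's log; the sample lines are constructed (4111 1111 1111 1111 is a widely published test number, not a real card).

```python
import re
from typing import List, Optional

# The body_checks pattern posted in the thread: 13-16 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]*){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check; arbitrary digit runs such as the '1243 1211 ...' test line fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, enough for an auditor to tell repeat numbers apart."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_candidates(line: str) -> List[dict]:
    """Luhn-valid matches on one body line, returned only in masked form."""
    hits = []
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append({"length": len(digits), "masked": mask(digits)})
    return hits


def audit_record(queue_id: str, line: str) -> Optional[str]:
    """The log entry to write instead of Postfix's WARN text: count and masked PANs, never the line."""
    hits = find_candidates(line)
    if not hits:
        return None
    summary = ", ".join(f"{h['length']}-digit {h['masked']}" for h in hits)
    return f"{queue_id}: warning: body text matched card pattern: {summary}"


def redact_line(line: str) -> str:
    """Star out Luhn-valid numbers in place, leaving the rest of the line untouched."""
    def _sub(m):
        text = m.group(0)
        digits = re.sub(r"\D", "", text)
        if not luhn_ok(digits):
            return text
        core = text.rstrip(" -")            # keep any separator the match swallowed after the number
        return mask(digits) + text[len(core):]
    return CARD_RE.sub(_sub, line)
```

Running audit_record on Tracy's logged line returns None, so only Luhn-valid candidates ever reach the mail log, and then only with the last four digits visible.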
Re: Body checks and warning log
This is probably a too complex solution but I mention it anyway.

In late July there was a discussion here about rewriting the subject line. I'm using an external spam filtering service (Katharion), and if I choose spams to be delivered (rather than quarantined), they're tagged with **SPAM** in front of the original subject. That is ugly, so I wanted to remove it from the subject line and create an X-Spam: yes header instead so that the spam mail could be deposited into the original recipient's Spam folder for easy searching for false positives.

So... by using smtpprox it is possible to pull each email out of the queue for processing/mangling/investigating before re-injecting it back into the queue. It works for the inbound mail, so perhaps it would work for the outbound as well. That way you could write a small perl routine that would detect a credit card number anywhere in a message, record it in the log (or even in a database), and also make sure that c/c info is not stored in plaintext. It could even be expanded further to prevent the emails containing c/c info from going out and instead returning them to the sender with the c/c starred out and with a warning that c/c info should not be sent via emails.

Ville
Re: Body checks and warning log
MacShane, Tracy wrote:
> I'm trying to create a very simple body check for a limited time to get an indicative idea of how many users may be sending credit card numbers via email. I have a simple pcre body_check map that is logging a warning when it encounters a match. Unfortunately, the entire message line that triggers the warning is added to the mail log, naturally with the potential credit card number in plain text.
>
> cat /etc/postfix/body_checks.pcre
> /\b(?:\d[ -]*){13,16}\b/ WARN Credit card number
>
> Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning: body text 1243 1211 1232 1232 blah blah from localhost.localdomain[127.0.0.1]; from=<[EMAIL PROTECTED]> to=<test.user@domain.example.com> proto=SMTP helo=<server.example.com>: Credit card number
>
> Our security people are having wibbles about this logging regime, so I was wondering if there was some way to ensure the WARN action doesn't log the matched line (I can obviously append a truncated version of the apparent number with the optional text), or if there might be a better way to do this auditing task.

you can use HOLD, then have a cron job to check the message and release it.

Alternatively, you can use FILTER to pass the message to another smtpd. example:

== body_checks:
// FILTER filter:[127.0.0.1]:25666

== master.cf
127.0.0.1:25666 inet n - n - - smtpd
  -o syslog_name=postwatch
  -o receive_override_options=no_address_mappings
  -o mynetworks=127.0.0.1
  -o smtpd_recipient_restrictions=${smtpd666_recipient_restrictions}
  ...

== main.cf
smtpd666_recipient_restrictions =
  check_client_access pcre:/etc/postfix/logcard
  permit_mynetworks
  reject

== logcard
/./ WARN credit card blah blah

note that this will override your content filter setting. if you had one, then make sure it is used in the :25666 smtpd (either explicit -o content_filter=... in master.cf, or a content_filter=... in main.cf will do).

PS. if you use clamav, check its Data Loss Protection feature.