RE: Body checks and warning log

2008-11-16 Thread MacShane, Tracy
 
 - Original Message 
  From: mouss [EMAIL PROTECTED]
  To: Postfix users postfix-users@postfix.org
  Sent: Friday, November 14, 2008 7:58:45 AM
  Subject: Re: Body checks and warning log
  
  MacShane, Tracy wrote:
   I'm trying to create a very simple body check for a limited time to
   get an indicative idea of how many users may be sending credit card
   numbers via email. ...
   Our security people are having wibbles about this logging regime, so
   I was wondering if there was some way to ensure the WARN action
   doesn't log the matched line (I can obviously append a truncated
   version of the apparent number with the optional text), or if there
   might be a better way to do this auditing task.
   
  
  
  you can use HOLD, then have a cron job to check the message and
  release it.
  
  Alternatively, you can use FILTER to pass the message to another
  smtpd. example:
  
  
  == body_checks:
  //  FILTER filter:[127.0.0.1]:25666
  
  == master.cf
  127.0.0.1:25666 .   smtpd
    -o syslog_name=postwatch
    -o receive_override_options=no_address_mappings
    -o mynetworks=127.0.0.1
    -o smtpd_recipient_restrictions=${smtpd666_recipient_restrictions}
    ...
  
  == main.cf
  smtpd666_recipient_restrictions=
    check_client_access pcre:/etc/postfix/logcard
    permit_mynetworks
    reject
  
  == logcard
  /./ WARN credit card blah blah
  
  
  note that this will override your content filter setting. if you had
  one, then make sure it is used in the :25666 smtpd (either explicit
  -o content_filter=... in master.cf, or a content_filter=... in main.cf
  will do).
  
  PS. if you use clamav, check its Data Loss Protection feature.
 
 Do you have American Express cards covered and other store 
 based credit cards?  Also do you account for the expiration 
 date and 3 digit security code?
 
 
 

Thanks for the great suggestions, mouss. We use Trend Micro IMSS, which
is very similar to amavisd. I'm sure we can work around it.

Daniel, I'm not too concerned about absolute accuracy at this stage,
since I just want to assess whether we need to take firmer measures. The
regexp I have should trap Amex numbers, although there may be a number
of false positives. I'll be reviewing them manually in any case. I'm not
worried about the expiration date or security code (with the latter, I
know of at least one example of a pay-by-email form that didn't
require that number at all) - I'm not planning to *use* the cards, heh.
Also, I believe crooks can use a credit card number to generate both an
expiry date and security code using some algorithm.


Re: Body checks and warning log

2008-11-14 Thread Daniel V. Reinhardt


 Daniel Reinhardt
Website: www.cryptodan.com
Email: [EMAIL PROTECTED]
Junior Network Security Engineer



- Original Message 
 From: mouss [EMAIL PROTECTED]
 To: Postfix users postfix-users@postfix.org
 Sent: Friday, November 14, 2008 7:58:45 AM
 Subject: Re: Body checks and warning log
 
 MacShane, Tracy wrote:
  I'm trying to create a very simple body check for a limited time to get
  an indicative idea of how many users may be sending credit card numbers
  via email. I have a simple pcre body_check map that is logging a warning
  when it encounters a match. Unfortunately, the entire message line that
  triggers the warning is added to the mail log, naturally with the
  potential credit card number in plain text.
   cat /etc/postfix/body_checks.pcre
  /\b(?:\d[ -]*){13,16}\b/WARN Credit card number
  
  Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning:
  body text 1243 1211 1232 1232 blah blah from
  localhost.localdomain[127.0.0.1]; from=
  to=test.user@domain.example.com proto=SMTP
  helo=: Credit card number
  
  Our security people are having wibbles about this logging regime, so I
  was wondering if there was some way to ensure the WARN action doesn't
  log the matched line (I can obviously append a truncated version of the
  apparent number with the optional text), or if there might be a better
  way to do this auditing task.
  
 
 
 you can use HOLD, then have a cron job to check the message and release it.
 
 Alternatively, you can use FILTER to pass the message to another smtpd. 
 example:
 
 
 == body_checks:
 //  FILTER filter:[127.0.0.1]:25666
 
 == master.cf
 127.0.0.1:25666 .   smtpd
   -o syslog_name=postwatch
   -o receive_override_options=no_address_mappings
   -o mynetworks=127.0.0.1
   -o smtpd_recipient_restrictions=${smtpd666_recipient_restrictions}
   ...
 
 == main.cf
 smtpd666_recipient_restrictions=
   check_client_access pcre:/etc/postfix/logcard
   permit_mynetworks
   reject
 
 == logcard
 /./ WARN credit card blah blah
 
 
 note that this will override your content filter setting. if you had one,
 then make sure it is used in the :25666 smtpd (either explicit -o
 content_filter=... in master.cf, or a content_filter=... in main.cf will do).
 
 PS. if you use clamav, check its Data Loss Protection feature.

Do you have American Express cards covered and other store based credit cards?  
Also do you account for the expiration date and 3 digit security code?



  


Body checks and warning log

2008-11-13 Thread MacShane, Tracy
I'm trying to create a very simple body check for a limited time to get
an indicative idea of how many users may be sending credit card numbers
via email. I have a simple pcre body_check map that is logging a warning
when it encounters a match. Unfortunately, the entire message line that
triggers the warning is added to the mail log, naturally with the
potential credit card number in plain text.
 
cat /etc/postfix/body_checks.pcre
/\b(?:\d[ -]*){13,16}\b/WARN Credit card number

Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning:
body text 1243 1211 1232 1232 blah blah from
localhost.localdomain[127.0.0.1]; from=[EMAIL PROTECTED]
to=test.user@domain.example.com proto=SMTP
helo=server.example.com: Credit card number

Our security people are having wibbles about this logging regime, so I
was wondering if there was some way to ensure the WARN action doesn't
log the matched line (I can obviously append a truncated version of the
apparent number with the optional text), or if there might be a better
way to do this auditing task.


Re: Body checks and warning log

2008-11-13 Thread Ville Walveranta
This is probably too complex a solution, but I mention it anyway. In
late July there was a discussion here about rewriting the subject
line. I'm using an external spam filtering service (Katharion), and if
I choose spams to be delivered (rather than quarantined), they're
tagged with **SPAM** in front of the original subject. That is ugly,
so I wanted to remove it from the subject line and create an X-Spam:
yes header instead so that the spam mail could be deposited into the
original recipient's Spam folder for easy searching for false
positives.

So... by using smtpprox it is possible to pull each email out of the
queue for processing/mangling/investigating before re-injecting it
back into the queue. It works for inbound mail, so perhaps it would
work for outbound as well. That way you could write a small Perl
routine that would detect a credit card number anywhere in a message,
record it in the log (or even in a database), and also make sure that
c/c info is not stored in plaintext. It could even be expanded further
to prevent the emails containing c/c info from going out and instead
return them to the sender with the c/c starred out and with a warning
that c/c info should not be sent via email.

Ville
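An added example in Python, not code from the thread or from Postfix, that ties together the two ideas above: the original post's wish to keep only a truncated version of the apparent number, and Ville's suggestion of starring the c/c out of the message before re-injecting it. It reuses the posted body_checks regex, adds a Luhn check so that digit strings that cannot be card numbers are left alone (the 1243 1211 1232 1232 test string from the original post fails it), and masks everything but the last four digits both in a cleanup WARN log line and in the text parts of a message. The log lines, addresses, queue IDs and the message are constructed for the example; 4111 1111 1111 1111 is a well-known test PAN.

```python
# Added example, not from the thread or Postfix: Luhn-check and mask card numbers.
import re
from collections import Counter
from email import message_from_string

# Same pattern as the posted body_checks.pcre entry; FROM_FIELD is the sender as cleanup logs it.
CANDIDATE = re.compile(r"\b(?:\d[ -]*){13,16}\b")
FROM_FIELD = re.compile(r"from=<([^>]*)>")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every real PAN passes (so does ~1 in 10 random strings: it only trims)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(candidate: str) -> str:
    """Keep the last four digits; re-attach any separator the greedy [ -]* swallowed."""
    core = candidate.rstrip(" -")
    digits = re.sub(r"\D", "", core)
    return "*" * (len(digits) - 4) + digits[-4:] + candidate[len(core):]


def redact(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid candidate in text; return (masked_text, hits)."""
    hits = 0
    def replace(m: re.Match) -> str:
        nonlocal hits
        if not luhn_ok(re.sub(r"\D", "", m.group(0))):
            return m.group(0)                   # fails Luhn: leave it alone
        hits += 1
        return mask_pan(m.group(0))
    return CANDIDATE.sub(replace, text), hits


def audit_log(lines: list[str]) -> tuple[list[str], Counter]:
    """Redact cleanup WARN lines; count Luhn-valid hits per envelope sender."""
    per_sender = Counter()
    redacted = []
    for line in lines:
        clean, hits = redact(line)
        redacted.append(clean)
        if hits:
            m = FROM_FIELD.search(line)
            per_sender[m.group(1) if m else "<unknown>"] += hits
    return redacted, per_sender


def mask_message(raw: str) -> tuple[str, int]:
    """Star PANs out of every text/* part, as a content filter would before re-injection."""
    msg = message_from_string(raw)
    total = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                            # attachments are not decoded (body_checks does not either)
        charset = part.get_content_charset() or "us-ascii"
        text = part.get_payload(decode=True).decode(charset, "replace")
        clean, hits = redact(text)
        if hits:
            total += hits
            del part["Content-Transfer-Encoding"]   # set_payload() re-adds a correct one
            part.set_payload(clean, charset=charset)
    return msg.as_string(), total


# Constructed log lines shaped like the WARN line in the original post. Queue IDs
# and addresses are made up; 4111 1111 1111 1111 is a well-known test PAN.
SAMPLE_LOG = [
    "Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning: body text "
    "1243 1211 1232 1232 blah blah from localhost.localdomain[127.0.0.1]; from=<tracy@example.com> "
    "to=<test.user@domain.example.com> proto=SMTP helo=<server.example.com>: Credit card number",
    "Nov 14 12:01:07 smtptest postfix/cleanup[21394]: 0B3F415E00A2: warning: body text card "
    "4111 1111 1111 1111 exp 12/10 from localhost.localdomain[127.0.0.1]; from=<alice@example.com> "
    "to=<test.user@domain.example.com> proto=SMTP helo=<server.example.com>: Credit card number",
]

# Constructed message; the attachment is the same test PAN in base64.
SAMPLE_MESSAGE = """\
From: alice@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Please charge 4111 1111 1111 1111, expiry 12/10.
Our order ref is 1243 1211 1232 1232.
--b1
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64

NDExMSAxMTExIDExMTEgMTExMQ==
--b1--
"""
```

The WARN action itself always logs the matched line, so this kind of redaction has to run on the log consumer, or the warning has to be moved off the body_checks path as mouss describes further down. mask_message is the core of what a pipe-based content_filter would do between reading the message on stdin and handing it to sendmail -i; like body_checks, it never looks inside base64 attachments, so the attached copy of the number in the sample passes through untouched.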


Re: Body checks and warning log

2008-11-13 Thread mouss

MacShane, Tracy wrote:

I'm trying to create a very simple body check for a limited time to get
an indicative idea of how many users may be sending credit card numbers
via email. I have a simple pcre body_check map that is logging a warning
when it encounters a match. Unfortunately, the entire message line that
triggers the warning is added to the mail log, naturally with the
potential credit card number in plain text.
 
cat /etc/postfix/body_checks.pcre

/\b(?:\d[ -]*){13,16}\b/WARN Credit card number

Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning:
body text 1243 1211 1232 1232 blah blah from
localhost.localdomain[127.0.0.1]; from=[EMAIL PROTECTED]
to=test.user@domain.example.com proto=SMTP
helo=server.example.com: Credit card number

Our security people are having wibbles about this logging regime, so I
was wondering if there was some way to ensure the WARN action doesn't
log the matched line (I can obviously append a truncated version of the
apparent number with the optional text), or if there might be a better
way to do this auditing task.




you can use HOLD, then have a cron job to check the message and release it.

Alternatively, you can use FILTER to pass the message to another smtpd. 
example:



== body_checks:
//  FILTER filter:[127.0.0.1]:25666

== master.cf
127.0.0.1:25666 .   smtpd
  -o syslog_name=postwatch
  -o receive_override_options=no_address_mappings
  -o mynetworks=127.0.0.1
  -o smtpd_recipient_restrictions=${smtpd666_recipient_restrictions}
  ...

== main.cf
smtpd666_recipient_restrictions=
  check_client_access pcre:/etc/postfix/logcard
  permit_mynetworks
  reject

== logcard
/./ WARN credit card blah blah  


note that this will override your content filter setting. if you had 
one, then make sure it is used in the :25666 smtpd (either explicit -o 
content_filter=... in master.cf, or a content_filter=... in main.cf will 
do).


PS. if you use clamav, check its Data Loss Protection feature.