Discussion:
final_virus_destiny D_REJECT
(too old to reply)
Mark.Martinec+ (Mark Martinec)
2016-04-26 18:25:27 UTC
Permalink
Hello,
We are setting up Amavis and Clamav to detect credit cards coming
into
our email, and it's working. However, it's returning the original
email to the sender, which also contains the credit card numbers.
Receiving the credit card numbers is bad enough, sending them back
out
again violates PCI. Is there a way to reject the email without
returning the original email content? Below is a returned email with
test numbers as an example.
Thank you,
Rob McKennon
The mail system
<xxxxxxxxxx>: host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject,
id=06026-19 - INFECTED: Heuristics.Structured.CreditCardNumber (in
reply to end of DATA command)
Final-Recipient: rfc822;xxxxxxxxxxxxx
Original-Recipient: xxxxxxxxxxxxxx
Action: failed
Status: 5.7.0
Remote-MTA: dns; 127.0.0.1
Heuristics.Structured.CreditCardNumber
This looks like a bounce message from an MTA (not from amavisd).

Preferably you should use a setup where amavisd is invoked
before-queue, so that a D_REJECT will affect the original
client session and no non-delivery notification will be sent.

Alternatively, with postfix you can limit the amount of a message
body that is included in a bounce generated by postfix:


bounce_size_limit (default: 50000)

The maximal amount of original message text that is sent in a
non-delivery notification. Specify a byte count. A message is
returned as either message/rfc822 (the complete original) or
as text/rfc822-headers (the headers only). With Postfix version
2.4 and earlier, a message is always returned as message/rfc822
and is truncated when it exceeds the size limit.



A third option is to use D_BOUNCE as a destiny, so that
the bounce will be generated by amavisd and not by a MTA.
Such bounce will only include message header, no body of
the bounced message.

Of these three options, the only recommended one is to use
amavisd in a before-queue setup and reject unwanted messages
while they are being received.

Mark
Rob McKennon
2016-04-27 19:34:36 UTC
Permalink
Post by Mark.Martinec+ (Mark Martinec)
Hello,
We are setting up Amavis and Clamav to detect credit cards coming into
our email, and it's working. However, it's returning the original
email to the sender, which also contains the credit card numbers.
Receiving the credit card numbers is bad enough, sending them back out
again violates PCI. Is there a way to reject the email without
returning the original email content? Below is a returned email with
test numbers as an example.
Thank you,
Rob McKennon
The mail system
<xxxxxxxxxx>: host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject,
id=06026-19 - INFECTED: Heuristics.Structured.CreditCardNumber (in
reply to end of DATA command)
Final-Recipient: rfc822;xxxxxxxxxxxxx
Original-Recipient: xxxxxxxxxxxxxx
Action: failed
Status: 5.7.0
Remote-MTA: dns; 127.0.0.1
Heuristics.Structured.CreditCardNumber
This looks like a bounce message from an MTA (not from amavisd).
Preferably you should use a setup where amavisd is invoked
before-queue, so that a D_REJECT will affect the original
client session and no non-delivery notification will be sent.
Alternatively, with postfix you can limit the amount of a message
bounce_size_limit (default: 50000)
The maximal amount of original message text that is sent in a
non-delivery notification. Specify a byte count. A message is
returned as either message/rfc822 (the complete original) or
as text/rfc822-headers (the headers only). With Postfix version
2.4 and earlier, a message is always returned as message/rfc822
and is truncated when it exceeds the size limit.
A third option is to use D_BOUNCE as a destiny, so that
the bounce will be generated by amavisd and not by a MTA.
Such bounce will only include message header, no body of
the bounced message.
Of these three options, the only recommended one is to use
amavisd in a before-queue setup and reject unwanted messages
while they are being received.
Mark
Thanx Mark,

We decided to go with the bounce_size_limit = 1 . This way a bounce is
sent back so the sender knows they messed up, but does not send the
credit-card numbers back out.

We also found that it has alot of false positives, for which we have
sent in bug fixes.

Have a great day!

Rob.

Loading...