Usage and Configuration - ZID
Zentraler Informatikdienst der TU Wien (Central IT Service of TU Wien)

Usage and Configuration

Contents:
    Blocking
    Recipient alerting
    Sender alerting
    Sender alerting because of header/body syntax

Blocking

On the mail servers that receive mail from outside the TU (Mailbastion, Incoming Mailrouter), virus-infected e-mails are rejected by blocking at the SMTP (Simple Mail Transfer Protocol) level. In the case of the Incoming Mailrouters, i.e. for recipients in the mail domains @tuwien.ac.at, @student.tuwien.ac.at and @alumni.tuwien.ac.at, this applies even within TUNET!

On the mail server that attempted to send this e-mail to the TU, an error message (bounce mail) is generated and returned to the sender. Below is an example of such a returned e-mail (here generated by the Mail Transfer Agent Sendmail). In this example:

    the sender: [email protected]
    the sender's mail server: mail.somewhere.at
    bounce e-mail sender: [email protected]
    the recipient: [email protected]
    the recipient's mail server (Mailbastion host): tuvok.kom.tuwien.ac.at

    Date: Thu, 6 Nov 2003 17:16:09 +0100
    From: Mail Delivery Subsystem
    To: [email protected]
    Subject: Returned mail: Service unavailable
    Auto-Submitted: auto-generated (failure)

    [-- Attachment #1 --]
    [-- Type: text/plain, Encoding: 7bit, Size: 0.3K --]
    The original message was received at Thu, 6 Nov 2003 17:16:02 +0100
    from User@localhost

       ----- The following addresses had permanent fatal errors -----
    [email protected]

       ----- Transcript of session follows -----
    ... while talking to tuvok.kom.tuwien.ac.at.:
    >>> DATA
    <<< 554 5.7.1 mail rejected - contains virus or worm signs

or

    <<< 554 5.7.1 mail rejected - contains virus or worm signs
    554 [email protected]... Service unavailable

http://www.zid.tuwien.ac.at/en/tunet/services/mail/features/virus_checking/verwendung_und_konfiguration/?
filename=Verwendung%20und%20Konfiguration.pdf 16 Jan 2017 01:02:41 1/7

    [-- Attachment #2 --]
    [-- Type: message/delivery-status, Encoding: 7bit, Size: 0.3K --]
    Reporting-MTA: dns; mail.somewhere.at
    Arrival-Date: Thu, 6 Nov 2003 17:16:02 +0100

    Final-Recipient: RFC822; [email protected]
    Action: failed
    Status: 5.0.0
    Remote-MTA: DNS; tuvok.kom.tuwien.ac.at.
    Diagnostic-Code: SMTP; 554 5.7.1 mail rejected - contains virus or worm signs
    Last-Attempt-Date: Thu, 6 Nov 2003 17:16:09 +0100

    [-- Attachment #3 --]
    [-- Type: message/rfc822, Encoding: 7bit, Size: 88K --]
    From: [email protected]
    To: <[email protected]>
    Subject: Re: Movies
    Date: Sat, 11 Jan 2003 9:51:09 --0500
    Importance: Normal
    X-Priority: 3 (Normal)

    [-- Attachment #1 --]
    [-- Type: text/plain, Encoding: 7bit, Size: 0.1K --]
    Attached file:

    [-- Attachment #2: Sample.pif --]
    [-- Type: application/octet-stream, Encoding: base64, Size: 86K --]
    [-- application/octet-stream is unsupported (use 'v' to view this part) --]

Recipient alerting

When a virus is received, the recipient is under certain circumstances sent an alert mail, which looks for example as follows (illustrative example; the comments, shown in red in the original, are marked here with "<--"). Note: recipient alerts do not currently occur in live operation.

    From: [email protected]
    To: [email protected]                        <-- recipient address the virus mail was addressed to!
    Subject: VIRUS IN MAIL FOR YOU FROM <[email protected]>   <-- (claimed) sender address - often forged/abused!
    Date: Fri, 19 Sep 2003 09:05:07 +0200
    X-Mailer: Internet Mail Service (5.5.2656.59)
    X-MS-Embedded-Report:

    V I R U S   A L E R T

    Our viruschecker found the

        W32/Swen@MM                             <-- one or more virus names

    virus(es) in an email to you from:

        <[email protected]>                     <-- sender address - often forged (see Subject:)!
    Delivery of the email was stopped!
    Please contact your system administrator for details.

    For your reference, here are the headers from the email:

    ------------------------- BEGIN HEADERS -----------------------------
    Received: from ([193.154.160.152])                <-- the only reliable information: the sending host!
            by tuvok.kom.tuwien.ac.at (via amavis-milter) id h8J74sme003236;
            Fri, 19 Sep 2003 09:05:05 (CEST)
    Received: from wgow (dialup147.d1-Spl1.Spln.AT.KPNQwest.net [193.81.54.147])   <-- can be forged; check plausibility via the name service!
            by laweleka.austria.eu.net (8.12.9/8.12.1) with SMTP id h8J74Nab021183;
            Fri, 19 Sep 2003 09:04:33 +0200 (MEST)
    Date: Fri, 19 Sep 2003 09:04:23 +0200 (MEST)
    Message-Id: <[email protected]>
    FROM: "Microsoft Public Assistance" <[email protected]>   <-- often forged information!
    TO: " " <[email protected]>                        <-- often forged information - not used for delivery!
    SUBJECT: Last Network Security Update
    Mime-Version: 1.0
    Content-Type: multipart/mixed; boundary="txwsxmnkprqebabjw"
    -------------------------- END HEADERS ------------------------------

Sender alerting

As the sender of a virus-infected e-mail - provided the e-mail was actually (knowingly) sent - one receives, depending on which server intercepted the e-mail, the following alert (illustrative example):

Notification to sender [email protected], whose e-mail to [email protected] was intercepted ...
    From [email protected] Thu Nov 6 18:32:19 2008
    Return-Path: [email protected]
    X-Connecting-Host: mr1-n.kom.tuwien.ac.at [128.130.2.109]
    X-Connecting-Addr: 128.130.2.109
    X-Sent-To: <[email protected]>
    Received: from vc6.kom.tuwien.ac.at (vc6-v.kom.tuwien.ac.at [192.168.3.16])
            by mr.tuwien.ac.at (8.13.7/8.13.7) with ESMTP id mA6HWEAF001591
            for <[email protected]>; Thu, 6 Nov 2008 18:32:14 +0100 (MET)
    Received: from localhost (localhost [127.0.0.1])
            by vc6.kom.tuwien.ac.at (8.13.7/8.13.7) with ESMTP id mA6HWEt3013882
            for <[email protected]>; Thu, 6 Nov 2008 18:32:14 +0100
    Content-Type: multipart/report; report-type=delivery-status;
            boundary="----------=_1225992733-13762-1"
    Content-Transfer-Encoding: 7bit
    MIME-Version: 1.0
    Subject: VIRUS in message apparently from you (Eicar-Test-Signature)
    From: "Content-filter at vc6.kom.tuwien.ac.at" <[email protected]>
    To: [email protected]
    Date: Thu, 6 Nov 2008 18:32:05 +0100 (CET)

    [-- Attachment #1 --]
    [-- Type: text/plain, Encoding: 7bit, Size: 0.6K --]
    VIRUS ALERT

    Our content checker found
        virus: Eicar-Test-Signature

    in email presumably from you <[email protected]>
    to the following recipient:
    -> [email protected]

    Our internal reference code for your message is mA6HW2RO017468/uGKW7rvdhVph

    According to a 'Received:' trace, the message originated at:
      [128.131.34.74], t.t (tron1.kom.tuwien.ac.at [128.131.34.74])

    Return-Path: <[email protected]>
    Subject: Virus EICAR test

    Delivery of the email was stopped!

    Please check your system for viruses,
    or ask your system administrator to do so.
    [-- Attachment #2: Delivery error report --]
    [-- Type: message/delivery-status, Encoding: 7bit, Size: 0.4K --]
    Reporting-MTA: dns; vc6.kom.tuwien.ac.at
    Arrival-Date: Thu, 6 Nov 2008 18:32:05 +0100 (CET)

    Original-Recipient: rfc822;[email protected]
    Final-Recipient: rfc822;[email protected]
    Action: failed
    Status: 5.7.0
    Diagnostic-Code: smtp; 554-5.7.0 Reject, id=mA6HW2RO017468 - VIRUS: 554 5.7.0 Eicar-Test-Signature
    Last-Attempt-Date: Thu, 6 Nov 2008 18:32:05 +0100 (CET)

    [-- Attachment #3: Message headers --]
    [-- Type: text/rfc822-headers, Encoding: 7bit, Size: 0.3K --]
    Return-Path: <[email protected]>
    Received: from t.t (tron1.kom.tuwien.ac.at [128.131.34.74])
            by mr.tuwien.ac.at (amavis-milter) id mA6HW2RO017468;
            Thu, 6 Nov 2008 18:32:03 +0100
    From: [email protected]
    Date: Wed, 5 Nov 2008 12:01:09 +0100 (MET)
    Subject: Virus EICAR test
    [..]

Sender alerting because of header/body syntax

For the checks of RFC conformance of the header and of the MIME structure in the body of a message, performed on outgoing mail via mr.tuwien.ac.at, there are a number of different message variants. Here is a selection of typical messages that are sent back to the sender in a non-delivery report:

    INVALID HEADER: BAD MIME HEADERS OR BAD MIME STRUCTURE
    MIME error: error: multipart boundary is missing, or contains CR or LF

    INVALID HEADER: BAD MIME HEADERS OR BAD MIME STRUCTURE
    MIME error: error: illegal encoding [quoted-printable] for MIME type message/rfc822

    INVALID HEADER: BAD MIME HEADERS OR BAD MIME STRUCTURE
    MIME error: error: illegal encoding [base64] for MIME type message/rfc822

    INVALID HEADER: BAD MIME HEADERS OR BAD MIME STRUCTURE
    MIME error: error: part did not end with expected boundary

    INVALID HEADER: FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE
    Improper folded header field made up entirely of whitespace: Subject: ... \n \n
    Return-Path: <[email protected]>
    Subject: zzz

    IMPROPER FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE

    The RFC 2822 standard specifies rules for forming internet messages.
    In section '3.2.3. Folding white space and comments' it explicitly
    prohibits folding of header fields in such a way that any line of a
    folded header field is made up entirely of white-space characters
    (control characters SP and HTAB) and nothing else.

    INVALID HEADER: FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE
    Non-encoded 8-bit data (char E4 hex): Date: ...8 09:26:00 +0100 (Westeurop\344ische Normalzeit)\n
    Improper folded header field made up entirely of whitespace (char 09 hex): Subject: =?iso-8859-1?B?QmV0cmVmZjogc/ZsZGVu?=\n\t\n
    Return-Path: <[email protected]>
    Message-ID: <4917F017.000003.02420@ALM>
    Subject: =?iso-8859-1?B?QmV0cmVmZjogc/ZsZGVu?=

    IMPROPER FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE

    The RFC 2822 standard specifies rules for forming internet messages.
    In section '3.2.3. Folding white space and comments' it explicitly
    prohibits folding of header fields in such a way that any line of a
    folded header field is made up entirely of white-space characters
    (control characters SP and HTAB) and nothing else.
    INVALID HEADER: INVALID CONTROL CHARACTERS IN HEADER
    Improper use of control character (char 0D hex): Subject: ...ation_der_deutschen_Fassu?=\r =?utf-8?Q?ng...
    Return-Path: <[email protected]>
    Message-ID: <[email protected]>
    Subject: Return Receipt (displayed) -
     =?utf-8?Q?Re:_[Fwd:_Pr=C3=A4sentation_der_deutschen_Fassu?=\015
     =?utf-8?Q?ng?=

    IMPROPER USE OF CONTROL CHARACTER IN MESSAGE HEADER

    The RFC 2822 standard specifies rules for forming internet messages.
    It does not allow the use of control characters NUL and bare CR
    to be used directly in mail header.

An illustrative, complete non-delivery report e-mail to the sender [email protected], where recipient [email protected] did not receive the message:

    Subject: Mail rejected: bad formated mail, invalid header: all-whitespace header field
    From: "Content-filter at vc6.kom.tuwien.ac.at" <[email protected]>
    To: [email protected]
    Date: Wed, 22 Apr 2009 09:22:49 +0200 (CEST)

    [-- Attachment #1 --]
    [-- Type: text/plain, Encoding: 7bit, Size: 1.1K --]
    ******* AN ERROR OCCURED! *********

    Your message WAS *NOT* DELIVERED to:
    <[email protected]>

    This non delivery report was generated by the program amavisd-new at host vc6.kom.tuwien.ac.at.
    Our internal reference code for your message is n3M7MmoM000004/RMS-b12kvT0i

    INVALID HEADER: FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE
    Non-encoded 8-bit data (char E4 hex): Date: ...9 09:22:46 +0200 (Westeurop\344ische Sommerzeit)\n
    Improper folded header field made up entirely of whitespace (char 09 hex): Subject: ...8859-1?B?QmV0cmVmZjog1ldBVyBNYW51c2tyaXB0?=\n\t\n
    Return-Path: <[email protected]>
    Message-ID: <49EEC5C6.000003.05568@XXX>
    Subject: =?ISO-8859-1?B?QmV0cmVmZjog1ldBVyBNYW51c2tyaXB0?=

    IMPROPER FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE

    The RFC 2822 standard specifies rules for forming internet messages.
    In section '3.2.3. Folding white space and comments' it explicitly
    prohibits folding of header fields in such a way that any line of a
    folded header field is made up entirely of white-space characters
    (control characters SP and HTAB) and nothing else.

    [-- Attachment #2: Delivery error report --]
    [-- Type: message/delivery-status, Encoding: 7bit, Size: 0.4K --]
    Reporting-MTA: dns; vc6.kom.tuwien.ac.at
    Arrival-Date: Wed, 22 Apr 2009 09:22:49 +0200 (CEST)

    Original-Recipient: rfc822;[email protected]
    Final-Recipient: rfc822;[email protected]
    Action: failed
    Status: 5.6.0
    Diagnostic-Code: smtp; 554-5.6.0 Reject, id=n3M7MmoM000004 - BAD_HEADER: 554-5.6.0 Non-encoded 8-bit data (char E4 hex): Date: ...9 09:22:46 +0200 554 5.6.0 (Westeurop\344ische Somm...
    Last-Attempt-Date: Wed, 22 Apr 2009 09:22:49 +0200 (CEST)

    [-- Attachment #3: Message headers --]
    [-- Type: text/rfc822-headers, Encoding: quoted-printable, Size: 0.7K --]
    Return-Path: <[email protected]>
    Received: from XXX (a.y.tuwien.ac.at [128.130.114.23])
            by mr.tuwien.ac.at (amavis-milter) id n3M7MmoM000004;
            Wed, 22 Apr 2009 09:22:49 +0200
    MIME-Version: 1.0
    Message-Id: <49EEC5C6.000003.05568@XXX>
    Date: Wed, 22 Apr 2009 09:22:46 +0200 (Westeuropäische Sommerzeit)
    Content-Type: Multipart/Alternative; charset="ISO-8859-1";
            boundary="------------Boundary-00=_Y5RHG6G0000000000000"
    X-Mailer: IncrediMail (5853806)
    From: "Mr. X" <[email protected]>
    References: <[email protected]>
    X-FID: FLAVOR00-NONE-0000-0000-000000000000
    X-Priority: 3
    To: "Mr. A"
    Subject: =?ISO-8859-1?B?QmV0cmVmZjog1ldBVyBNYW51c2tyaXB0?=
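The bounce mails and sender alerts shown in the Blocking and Sender alerting sections can be handled programmatically on the sending side, for instance by a helpdesk script that sorts returned mail. The following Python example is added here and is not ZID tooling. It parses a multipart/report message with the standard library, reads Final-Recipient, Status and Diagnostic-Code from the message/delivery-status part, pulls the amavisd reference id out of the Diagnostic-Code, and takes the connecting address from the first Received: line that one of our own MTAs added, which is the only hop the recipient alert above calls reliable. SAMPLE_NDR, the example.ac.at and example.org host names and the TRUSTED_MTAS set are constructed for this example; the id, the address 128.131.34.74 and the diagnostic wording follow the page's samples.

```python
"""Triage of a non-delivery report like those shown above (amavisd-new style).

Added example for this page, not ZID tooling. SAMPLE_NDR, the example.ac.at /
example.org names and TRUSTED_MTAS are constructed; id, IP address and
diagnostic texts follow the page's samples.
"""
import email
import re
from email import policy

# Assumption: the MTAs our own site operates. Only a Received: line added by one
# of them ("by <host>") carries a connecting address the sender did not supply.
TRUSTED_MTAS = {"mr.example.ac.at", "vc6.example.ac.at"}

SAMPLE_NDR = """\
From: "Content-filter at vc6.example.ac.at" <postmaster@example.ac.at>
To: sender@example.org
Subject: VIRUS in message apparently from you (Eicar-Test-Signature)
Content-Type: multipart/report; report-type=delivery-status;
 boundary="REPORT-BOUNDARY"

--REPORT-BOUNDARY
Content-Type: message/delivery-status

Reporting-MTA: dns; vc6.example.ac.at

Final-Recipient: rfc822;recipient@example.net
Action: failed
Status: 5.7.0
Diagnostic-Code: smtp; 554-5.7.0 Reject, id=mA6HW2RO017468 - VIRUS: 554 5.7.0 Eicar-Test-Signature

--REPORT-BOUNDARY
Content-Type: text/rfc822-headers

Return-Path: <sender@example.org>
Received: from t.t (tron1.example.ac.at [128.131.34.74])
 by mr.example.ac.at (amavis-milter) id mA6HW2RO017468;
 Thu, 6 Nov 2008 18:32:03 +0100
Received: from wgow (dialup147.example.net [193.81.54.147])
 by t.t (8.12.9/8.12.1) with SMTP id h8J74Nab021183;
 Thu, 6 Nov 2008 18:31:50 +0100
From: sender@example.org
Subject: Virus EICAR test

--REPORT-BOUNDARY--
"""

RECEIVED_RE = re.compile(
    r"from\s+(?:(?P<helo>[^\s(]+)\s+)?"                      # HELO name the client claimed
    r"(?:\((?P<rdns>[^\[\)]*?)\s*\[(?P<ip>[^\]]+)\]\)\s+)?"  # (reverse-name [addr]) logged by receiver
    r".*?\bby\s+(?P<by>[\w.-]+)", re.S)


def delivery_status(msg):
    """Per-recipient fields of the message/delivery-status part."""
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            blocks = part.get_payload()      # [per-message block, per-recipient block, ...]
            if not blocks:
                return []
            return [{"recipient": str(r.get("Final-Recipient", "")),
                     "status": str(r.get("Status", "")),
                     "diagnostic": str(r.get("Diagnostic-Code", "")),
                     "reporting_mta": str(blocks[0].get("Reporting-MTA", ""))}
                    for r in blocks[1:]]
    return []


def original_headers(msg):
    """Headers of the rejected message: a text/rfc822-headers part (amavisd-new)
    or the embedded message/rfc822 copy (Sendmail bounce)."""
    for part in msg.walk():
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def trusted_origin(headers):
    """The hop at which the message entered our MTAs. Received: lines are prepended,
    so the first one 'by' a trusted host is that hop; deeper lines may be forged."""
    for value in headers.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m and m.group("by").lower() in TRUSTED_MTAS:
            return {"ip": m.group("ip"), "helo": m.group("helo"),
                    "rdns": m.group("rdns") or None, "by": m.group("by")}
    return None


def classify(diagnostic, status):
    """Map the reject to the two categories this page describes."""
    d = diagnostic.upper()
    if "VIRUS" in d or "WORM" in d:      # "... VIRUS: ..." / "contains virus or worm signs"
        return "virus"
    if "BAD_HEADER" in d or status.startswith("5.6."):   # "... BAD_HEADER: ..." / 5.6.x content
        return "bad-header"
    return "other"


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    status = delivery_status(msg)
    diag = status[0]["diagnostic"] if status else ""
    ref = re.search(r"\bid=([A-Za-z0-9]+)", diag)
    hdrs = original_headers(msg)
    return {"reason": classify(diag, status[0]["status"] if status else ""),
            "reference_id": ref.group(1) if ref else None,
            "recipients": [s["recipient"] for s in status],
            "origin": trusted_origin(hdrs) if hdrs else None}


if __name__ == "__main__":
    print(triage(SAMPLE_NDR))
```

trusted_origin deliberately ignores the deeper Received: line claiming 193.81.54.147: everything below the hop our own MTA recorded was supplied by the sender and may be forged, which is exactly what the annotated headers in the recipient alert warn about.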
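The header checks described in the last section, as an added example that is not the ZID's checker (amavisd-new performs them on mr.tuwien.ac.at): a small Python linter over the raw header bytes that reports the defects quoted above before a message is submitted, so a sender does not have to learn about them from a non-delivery report. It flags a folded line made up entirely of white space, non-encoded 8-bit data, NUL or bare CR in a header, and a multipart Content-Type without a boundary parameter. The sample headers are constructed after the page's messages; the function and message names are the example's own.

```python
"""Lint raw RFC 2822 headers for the defects the ZID mail routers reject.

Added example for this page, not the ZID's checker (that is amavisd-new).
The sample headers below are constructed after the page's messages.
"""
import re

NUL, CR = 0x00, 0x0D


def physical_lines(raw):
    """Header lines up to the first empty line, split on LF only so that a bare
    CR stays inside its line; a CR that merely terminates a CRLF line is
    stripped and not counted as a defect."""
    lines = []
    for line in raw.split(b"\n"):
        if line.endswith(b"\r"):
            line = line[:-1]
        if line == b"":
            break
        lines.append(line)
    return lines


def logical_fields(lines):
    """Unfold continuation lines into (lower-case name, value) pairs."""
    fields = []
    for line in lines:
        if line[:1] in (b" ", b"\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + b" " + line.strip(b" \t"))
        else:
            name, _, value = line.partition(b":")
            fields.append((name.strip().lower(), value.strip(b" \t")))
    return fields


def check_headers(raw):
    """Return amavisd-style problem strings; an empty list means the header block is clean."""
    problems = []
    lines = physical_lines(raw)
    field = "(none)"
    for line in lines:
        folded = line[:1] in (b" ", b"\t")
        if not folded:                      # a new field: remember its name for reporting
            name, sep, _ = line.partition(b":")
            field = name.decode("ascii", "replace") if sep else "(malformed field)"
        # RFC 2822 3.2.3: no line of a folded field may consist of white space only
        if folded and line.strip(b" \t") == b"":
            problems.append("FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE "
                            f"(char {line[0]:02X} hex): {field}")
        # NUL and bare CR are not allowed anywhere in a header
        ctrl = next((b for b in line if b in (NUL, CR)), None)
        if ctrl is not None:
            problems.append(f"INVALID CONTROL CHARACTERS IN HEADER (char {ctrl:02X} hex): {field}")
        # anything >= 0x80 must be MIME-encoded (=?charset?..?=) in a header
        high = next((b for b in line if b >= 0x80), None)
        if high is not None:
            problems.append(f"NON-ENCODED 8-BIT DATA (char {high:02X} hex): {field}")
    # a multipart body without a boundary parameter cannot be split into parts
    for name, value in logical_fields(lines):
        if name == b"content-type" and value.lower().startswith(b"multipart/"):
            if not re.search(rb'boundary\s*=\s*("[^"]+"|[^;\s]+)', value, re.I):
                problems.append("BAD MIME HEADERS OR BAD MIME STRUCTURE: multipart boundary is missing")
    return problems


# Constructed samples, modelled on the messages quoted on this page.
GOOD = (b"From: sender@example.org\r\nSubject: quarterly\r\n report\r\n"
        b"Content-Type: multipart/mixed; boundary=\"abc\"\r\n\r\nbody\r\n")
BAD_WHITESPACE = (b"Subject: =?iso-8859-1?B?QmV0cmVmZjogc/ZsZGVu?=\n\t\n"
                  b"Return-Path: <sender@example.org>\n\nbody\n")
BAD_8BIT = b"Date: Wed, 22 Apr 2009 09:22:46 +0200 (Westeurop\xe4ische Sommerzeit)\n\nbody\n"
BAD_CR = b"Subject: Return Receipt (displayed) -\r =?utf-8?Q?ng?=\nFrom: a@example.org\n\nbody\n"
BAD_BOUNDARY = b"Content-Type: multipart/mixed\n\nbody\n"

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("whitespace", BAD_WHITESPACE), ("8bit", BAD_8BIT),
                          ("bare CR", BAD_CR), ("boundary", BAD_BOUNDARY)]:
        print(label, check_headers(sample))
```

The linter works on bytes rather than on a parsed message object on purpose: a mail library unfolds headers and decodes charsets while parsing, which hides exactly the all-whitespace line, the bare CR and the raw 8-bit byte that the router rejects.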