Verwendung und Konfiguration - ZID

Transcription

Verwendung und Konfiguration - ZID
Zentraler Informatikdienst der TU Wien
Verwendung und Konfiguration
Blockierung
Empfänger-Alarmierung
Absender-Alarmierung
Absender-Alarmierung wegen Header/Body-Syntax
Blockierung
Für die von außerhalb der TU empfangenden Mailserver (Mailbastion, Incoming Mailrouter) werden virenbehaftete E-Mails durch
Blockierung auf SMTP- (Simple Mail Transfer Protocol) Ebene abgewiesen.
Im Falle der Incoming Mailrouter, also bei Empfängern der Maildomains @tuwien.ac.at, @student.tuwien.ac.at und @alumni.tuwien.ac.at
auch innerhalb des TUNETs! Beim Mailserver, der versucht hat diese E-Mail an die TU zu senden, wird eine Fehlernachricht generiert
(Bounce mail), die dem Absender retourniert wird.
Im folgenden ist ein Beispiel einer solchen (exemplarisch durch den Mail Transfer Agent Sendmail generierten) Retour-E-Mail. Dabei gilt
Folgendes:
der Absender:
[email protected]
der Mailserver des Absenders:
mail.somewhere.at
Bounce-E-Mail Absender:
[email protected]
der Empänger:
[email protected]
der Mailserver des Empfängers
(Mailbastionsrechner):
tuvok.kom.tuwien.ac.at
Date: Thu, 6 Nov 2003 17:16:09 +0100
From: Mail Delivery Subsystem
To: [email protected]
Subject: Returned mail: Service unavailable
Auto-Submitted: auto-generated (failure)
[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.3K --]
The original message was received at Thu, 6 Nov 2003 17:16:02 +0100
from User@localhost
----- The following addresses had permanent fatal errors [email protected]
----- Transcript of session follows ----... while talking to tuvok.kom.tuwien.ac.at.:
>>> DATA
<<< 554 5.7.1 mail rejected - contains virus or worm signs
oder
<<< 554 5.7.1 mail rejected - contains virus or worm signs
554 [email protected]... Service unavailable
http://www.zid.tuwien.ac.at/en/tunet/services/mail/features/virus_checking/verwendung_und_konfiguration/?
filename=Verwendung%20und%20Konfiguration.pdf
16 Jan 2017 01:02:41
1/7
[-- Attachment #2 --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.3K --]
Reporting-MTA: dns; mail.somewhere.at
Arrival-Date: Thu, 6 Nov 2003 17:16:02 +0100
Final-Recipient: RFC822; [email protected]
Action: failed
Status: 5.0.0
Remote-MTA: DNS; tuvok.kom.tuwien.ac.at.
Diagnostic-Code: SMTP; 554 5.7.1 mail rejected - contains virus or worm signs
Last-Attempt-Date: Thu, 6 Nov 2003 17:16:09 +0100
[-- Attachment #3 --]
[-- Type: message/rfc822, Encoding: 7bit, Size: 88K --]
From: [email protected]
To: <[email protected]>
Subject: Re: Movies
Date: Sat, 11 Jan 2003 9:51:09 --0500
Importance: Normal
X-Priority: 3 (Normal)
[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.1K --]
Attached file:
[-- Attachment #2: Sample.pif --]
[-- Type: application/octet-stream, Encoding: base64, Size: 86K --]
[-- application/octet-stream is unsupported (use 'v' to view this part) --]
Empfänger-Alarmierung
Bei Empfang von Viren, werden dem Empfänger unter gewissen Umständen Alarmierungs-Mails zugestellt, die z.B. wie folgt aussehen
(exemplarisches Beispiel, mit Kommentaren in roter Farbe).
Hinweis: Die Empfänger-Alarmierungen treten derzeit im realen Betrieb nicht auf.
From: [email protected]
To: [email protected] <-- Empängeradresse, an die die Virusmail gerichtet war!
Subject: VIRUS IN MAIL FOR YOU FROM <[email protected]> <-(vorgegebene) Absenderadresse - oftmals gefälscht/missbraucht!
Date: Fri, 19 Sep 2003 09:05:07 +0200
X-Mailer: Internet Mail Service (5.5.2656.59)
X-MS-Embedded-Report:
V I R U S
A L E R T
Our viruschecker found the
W32/Swen@MM <-- eine oder mehrere Virenbezeichnungen
http://www.zid.tuwien.ac.at/en/tunet/services/mail/features/virus_checking/verwendung_und_konfiguration/?
filename=Verwendung%20und%20Konfiguration.pdf
16 Jan 2017 01:02:41
2/7
virus(es) in an email to you from:
<[email protected]> <-- Absenderadresse - oftmals gefälscht (siehe Subject:)!
Delivery of the email was stopped!
Please contact your system administrator for details.
For your reference, here are the headers from the email:
------------------------- BEGIN HEADERS ----------------------------Received: from ([193.154.160.152]) <-- einzig verlässliche Information: der absendende Host!
by tuvok.kom.tuwien.ac.at (via amavis-milter) id h8J74sme003236;
Fri, 19 Sep 2003 09:05:05 (CEST)
Received: from wgow (dialup147.d1-Spl1.Spln.AT.KPNQwest.net [193.81.54.147]) <-kann gefälscht sein, via Nameservice auf Plausibilität prüfen!
by laweleka.austria.eu.net (8.12.9/8.12.1) with SMTP id
h8J74Nab021183;
Fri, 19 Sep 2003 09:04:33 +0200 (MEST)
Date: Fri, 19 Sep 2003 09:04:23 +0200 (MEST)
Message-Id: <[email protected]>
FROM: "Microsoft Public Assistance" <[email protected]> <-- oftmals
gefälschte Information!
TO: " " <[email protected]> <-- oftmals gefälschte Information - wird nicht für die
Zustellung verwendet!
SUBJECT: Last Network Security Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="txwsxmnkprqebabjw"
-------------------------- END HEADERS ------------------------------
Absender-Alarmierung
Als Absender einer virenbehafteten E-Mail - sofern die E-Mail tatsächlich (wissentlich) verschickt wurde - erhält man abhängig davon,
welcher Server die E-Mail abgefangen hat, folgende Alarmierung (exemplarisches Beispiel):
Benachrichtigung an Absender [email protected], dessen E-Mail an [email protected] abgefangen wurde ...
From [email protected] Thu Nov 6 18:32:19 2008
Return-Path: [email protected]
X-Connecting-Host: mr1-n.kom.tuwien.ac.at [128.130.2.109]
X-Connecting-Addr: 128.130.2.109
X-Sent-To: <[email protected]>
Received: from vc6.kom.tuwien.ac.at (vc6-v.kom.tuwien.ac.at [192.168.3.16])
by mr.tuwien.ac.at (8.13.7/8.13.7) with ESMTP id mA6HWEAF001591
for <[email protected]>; Thu, 6 Nov 2008 18:32:14 +0100 (MET)
Received: from localhost (localhost [127.0.0.1])
by vc6.kom.tuwien.ac.at (8.13.7/8.13.7) with ESMTP id mA6HWEt3013882
for <[email protected]>; Thu, 6 Nov 2008 18:32:14 +0100
Content-Type: multipart/report; report-type=delivery-status;
boundary="----------=_1225992733-13762-1"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Subject: VIRUS in message apparently from you (Eicar-Test-Signature)
From: "Content-filter at vc6.kom.tuwien.ac.at" <[email protected]>
To: [email protected]
Date: Thu, 6 Nov 2008 18:32:05 +0100 (CET)
http://www.zid.tuwien.ac.at/en/tunet/services/mail/features/virus_checking/verwendung_und_konfiguration/?
filename=Verwendung%20und%20Konfiguration.pdf
16 Jan 2017 01:02:41
3/7
[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.6K --]
VIRUS ALERT
Our content checker found
virus: Eicar-Test-Signature
in email presumably from you <[email protected]>
to the following recipient:
-> [email protected]
Our internal reference code for your message is mA6HW2RO017468/uGKW7rvdhVph
According to a 'Received:' trace, the message originated at: [128.131.34.74],
t.t (tron1.kom.tuwien.ac.at [128.131.34.74])
Return-Path: <[email protected]>
Subject: Virus EICAR test
Delivery of the email was stopped!
Please check your system for viruses,
or ask your system administrator to do so.
[-- Attachment #2: Delivery error report --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.4K --]
Reporting-MTA: dns; vc6.kom.tuwien.ac.at
Arrival-Date: Thu, 6 Nov 2008 18:32:05 +0100 (CET)
Original-Recipient: rfc822;[email protected]
Final-Recipient: rfc822;[email protected]
Action: failed
Status: 5.7.0
Diagnostic-Code: smtp; 554-5.7.0 Reject, id=mA6HW2RO017468 - VIRUS:
554 5.7.0 Eicar-Test-Signature
Last-Attempt-Date: Thu, 6 Nov 2008 18:32:05 +0100 (CET)
[-- Attachment #3: Message headers --]
[-- Type: text/rfc822-headers, Encoding: 7bit, Size: 0.3K --]
Return-Path: <[email protected]>
Received: from t.t (tron1.kom.tuwien.ac.at [128.131.34.74])
by mr.tuwien.ac.at (amavis-milter) id mA6HW2RO017468; Thu,
From: [email protected]
Date: Wed, 5 Nov 2008 12:01:09 +0100 (MET)
Subject: Virus EICAR test
6 Nov 2008 18:32:03 +0100
[..]
Absender-Alarmierung wegen Header/Body-Syntax
Im Falle von Überprüfungen der RFC-Konformität des Headers und der MIME-Struktur im Body einer Nachricht, für ausgehende Mails via
mr.tuwien.ac.at, gibt es eine Reihe unterschiedlicher Meldungsvarianten. Hier eine Auswahl von typischen Meldungen, die in einem
None Delivery Report an den Absender zurückgeschickt werden:
INVALID HEADER: BAD MIME HEADERS OR BAD MIME STRUCTURE
http://www.zid.tuwien.ac.at/en/tunet/services/mail/features/virus_checking/verwendung_und_konfiguration/?
filename=Verwendung%20und%20Konfiguration.pdf
16 Jan 2017 01:02:41
4/7
MIME error: error: multipart boundary is missing, or contains CR or LF
INVALID HEADER: BAD MIME HEADERS OR BAD MIME STRUCTURE
MIME error: error: illegal encoding [quoted-printable] for MIME type
message/rfc822
INVALID HEADER: BAD MIME HEADERS OR BAD MIME STRUCTURE
MIME error: error: illegal encoding [base64] for MIME type message/rfc822
INVALID HEADER: BAD MIME HEADERS OR BAD MIME STRUCTURE
MIME error: error: part did not end with expected boundary
INVALID HEADER: FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE
Improper folded header field made up entirely of whitespace: Subject: ...
\n
\n
Return-Path: <[email protected]>
Subject: zzz
IMPROPER FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE
The RFC 2822 standard specifies rules for forming internet messages.
In section '3.2.3. Folding white space and comments' it explicitly
prohibits folding of header fields in such a way that any line of a
folded header field is made up entirely of white-space characters
(control characters SP and HTAB) and nothing else.
INVALID HEADER: FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE
Non-encoded 8-bit data (char E4 hex): Date: ...8 09:26:00 +0100
(Westeurop\344ische Normalzeit)\n
Improper folded header field made up entirely of whitespace (char 09 hex):
Subject: =?iso-8859-1?B?QmV0cmVmZjogc/ZsZGVu?=\n\t\n
Return-Path: <[email protected]>
Message-ID: <4917F017.000003.02420@ALM>
Subject: =?iso-8859-1?B?QmV0cmVmZjogc/ZsZGVu?=
IMPROPER FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE
The RFC 2822 standard specifies rules for forming internet messages.
In section '3.2.3. Folding white space and comments' it explicitly
prohibits folding of header fields in such a way that any line of a
folded header field is made up entirely of white-space characters
(control characters SP and HTAB) and nothing else.
INVALID HEADER: INVALID CONTROL CHARACTERS IN HEADER
Improper use of control character (char 0D hex): Subject:
...ation_der_deutschen_Fassu?=\r =?utf-8?Q?ng...
Return-Path: <[email protected]>
Message-ID: <[email protected]>
Subject: Return Receipt (displayed) -
http://www.zid.tuwien.ac.at/en/tunet/services/mail/features/virus_checking/verwendung_und_konfiguration/?
filename=Verwendung%20und%20Konfiguration.pdf
16 Jan 2017 01:02:41
5/7
=?utf-8?Q?Re:_[Fwd:_Pr=C3=A4sentation_der_deutschen_Fassu?=\015
=?utf-8?Q?ng?=
IMPROPER USE OF CONTROL CHARACTER IN MESSAGE HEADER
The RFC 2822 standard specifies rules for forming internet messages.
It does not allow the use of control characters NUL and bare CR
to be used directly in mail header.
Eine exemplarische, vollständige None Delivery Report E-Mail an den Absender [email protected], wobei Empfänger [email protected]
die Nachricht nicht erhalten hat:
Subject: Mail rejected: bad formated mail, invalid header: all-whitespace
header field
From: "Content-filter at vc6.kom.tuwien.ac.at" <[email protected]>
To: [email protected]
Date: Wed, 22 Apr 2009 09:22:49 +0200 (CEST)
[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 1.1K --]
******* AN ERROR OCCURED! *********
Your message WAS *NOT* DELIVERED to:
<[email protected]>
This non delivery report was generated by the program amavisd-new at host
vc6.kom.tuwien.ac.at. Our internal reference code for your message is
n3M7MmoM000004/RMS-b12kvT0i
INVALID HEADER: FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE
Non-encoded 8-bit data (char E4 hex): Date: ...9 09:22:46 +0200
(Westeurop\344ische Sommerzeit)\n
Improper folded header field made up entirely of whitespace (char 09 hex):
Subject: ...8859-1?B?QmV0cmVmZjog1ldBVyBNYW51c2tyaXB0?=\n\t\n
Return-Path: <[email protected]>
Message-ID: <49EEC5C6.000003.05568@XXX>
Subject: =?ISO-8859-1?B?QmV0cmVmZjog1ldBVyBNYW51c2tyaXB0?=
IMPROPER FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE
The RFC 2822 standard specifies rules for forming internet messages.
In section '3.2.3. Folding white space and comments' it explicitly
prohibits folding of header fields in such a way that any line of a
folded header field is made up entirely of white-space characters
(control characters SP and HTAB) and nothing else.
[-- Attachment #2: Delivery error report --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.4K --]
Reporting-MTA: dns; vc6.kom.tuwien.ac.at
Arrival-Date: Wed, 22 Apr 2009 09:22:49 +0200 (CEST)
Original-Recipient: rfc822;[email protected]
Final-Recipient: rfc822;[email protected]
Action: failed
Status: 5.6.0
Diagnostic-Code: smtp; 554-5.6.0 Reject, id=n3M7MmoM000004 - BAD_HEADER:
554-5.6.0 Non-encoded 8-bit data (char E4 hex): Date: ...9 09:22:46 +0200
554 5.6.0 (Westeurop\344ische Somm...
http://www.zid.tuwien.ac.at/en/tunet/services/mail/features/virus_checking/verwendung_und_konfiguration/?
filename=Verwendung%20und%20Konfiguration.pdf
16 Jan 2017 01:02:41
6/7
Last-Attempt-Date: Wed, 22 Apr 2009 09:22:49 +0200 (CEST)
[-- Attachment #3: Message headers --]
[-- Type: text/rfc822-headers, Encoding: quoted-printable, Size: 0.7K --]
Return-Path: <[email protected]>
Received: from XXX (a.y.tuwien.ac.at [128.130.114.23])
by mr.tuwien.ac.at (amavis-milter) id n3M7MmoM000004; Wed, 22 Apr 2009 09:22:49 +0200
MIME-Version: 1.0
Message-Id: <49EEC5C6.000003.05568@XXX>
Date: Wed, 22 Apr 2009 09:22:46 +0200 (Westeuropäische Sommerzeit)
Content-Type: Multipart/Alternative;
charset="ISO-8859-1";
boundary="------------Boundary-00=_Y5RHG6G0000000000000"
X-Mailer: IncrediMail (5853806)
From: "Mr. X" <[email protected]>
References: <[email protected]>
X-FID: FLAVOR00-NONE-0000-0000-000000000000
X-Priority: 3
To: "Mr. A"
Subject: =?ISO-8859-1?B?QmV0cmVmZjog1ldBVyBNYW51c2tyaXB0?=
http://www.zid.tuwien.ac.at/en/tunet/services/mail/features/virus_checking/verwendung_und_konfiguration/?
filename=Verwendung%20und%20Konfiguration.pdf
16 Jan 2017 01:02:41
7/7