[Postfixbuch-users] increasing number of false positives with Sanesecurity
Jim Knuth
jk at jkart.de
Mon Sep 8 13:51:52 CEST 2014
Hello,
last week I noticed an increasing number of FPs.
THIS email was an HTML mail, but without an attachment.
By what criteria does Sanesecurity actually sort/rate,
and how can FPs be avoided as far as possible?
X-Amavis-Alert: INFECTED, message contains virus: ScamNailer.Phish._AT_t-online.de.UNOFFICIAL
Log:
Sep 5 08:30:07 server2 postfix/qmgr[30959]: AB765B7AB0B: from=<becker-dessau at t-online.de>, size=12544, nrcpt=1 (queue active)
Sep 5 08:30:08 server2 amavis[7568]: (07568-01) Blocked INFECTED (ScamNailer.Phish._AT_t-online.de.UNOFFICIAL) {DiscardedInternal,Quarantined}, ORIGINATING LOCAL [194.25.134.85]:47294 [87.158.46.12] <becker-dessau at t-online.de> -> <a.bethge at becker-sicherheit.de>, quarantine: quarantine at art-domains.de, Queue-ID: AB765B7AB0B, Message-ID: <000c01cfc8d2$d40e5470$7c2afd50$@t-online.de>, mail_id: XHL5ZsHLJshE, Hits: -, size: 12544, 554 ms
Sep 5 08:30:08 server2 amavis[7568]: (07568-01) Blocked INFECTED (ScamNailer.Phish._AT_t-online.de.UNOFFICIAL), <becker-dessau at t-online.de> -> <a.bethge at becker-sicherheit.de>, Hits: -, tag=-9999.9, tag2=2.5, kill=3, L/Y/0/0
Sep 5 08:46:49 server2 postfix/qmgr[30959]: 2F3C3B7AB0B: from=<becker-dessau at t-online.de>, size=13632, nrcpt=1 (queue active)
Sep 5 08:46:49 server2 amavis[7566]: (07566-03) Blocked INFECTED (ScamNailer.Phish._AT_t-online.de.UNOFFICIAL) {DiscardedInternal,Quarantined}, ORIGINATING LOCAL [194.25.134.83]:53148 [87.158.46.12] <becker-dessau at t-online.de> -> <a.bethge at becker-sicherheit.de>, quarantine: quarantine at art-domains.de, Queue-ID: 2F3C3B7AB0B, Message-ID: <001401cfc8d5$2acf9470$806ebd50$@t-online.de>, mail_id: EDcLJclrUjPe, Hits: -, size: 13632, 415 ms
Sep 5 08:46:49 server2 amavis[7566]: (07566-03) Blocked INFECTED (ScamNailer.Phish._AT_t-online.de.UNOFFICIAL), <becker-dessau at t-online.de> -> <a.bethge at becker-sicherheit.de>, Hits: -, tag=-9999.9, tag2=2.5, kill=3, L/Y/0/0
Sep 5 08:48:08 server2 postfix/qmgr[30959]: 1EC27B7AB0B: from=<becker-dessau at t-online.de>, size=15186, nrcpt=2 (queue active)
Sep 5 08:48:08 server2 amavis[7564]: (07564-03) Blocked INFECTED (ScamNailer.Phish._AT_t-online.de.UNOFFICIAL) {DiscardedInternal,Quarantined}, ORIGINATING LOCAL [194.25.134.20]:45039 [87.158.46.12] <becker-dessau at t-online.de> -> <a.bethge at becker-sicherheit.de>,<d.krueger at becker-sicherheit.de>, quarantine: quarantine at art-domains.de, Queue-ID: 1EC27B7AB0B, Message-ID: <001901cfc8d5$583a2ab0$08ae8010$@t-online.de>, mail_id: j58KH6c51McL, Hits: -, size: 15186, 445 ms
Sep 5 08:48:08 server2 amavis[7564]: (07564-03) Blocked INFECTED (ScamNailer.Phish._AT_t-online.de.UNOFFICIAL), <becker-dessau at t-online.de> -> <a.bethge at becker-sicherheit.de>, Hits: -, tag=-9999.9, tag2=2.5, kill=3, L/Y/0/0
Sep 5 08:48:08 server2 amavis[7564]: (07564-03) Blocked INFECTED (ScamNailer.Phish._AT_t-online.de.UNOFFICIAL), <becker-dessau at t-online.de> -> <d.krueger at becker-sicherheit.de>, Hits: -, tag=-9999.9, tag2=2.5, kill=3, L/Y/0/0
Sep 5 08:48:53 server2 postfix/qmgr[30959]: 8F744B7AB0B: from=<becker-dessau at t-online.de>, size=15236, nrcpt=1 (queue active)
Sep 5 08:48:53 server2 amavis[7569]: (07569-03) Blocked INFECTED (ScamNailer.Phish._AT_t-online.de.UNOFFICIAL) {DiscardedInternal,Quarantined}, ORIGINATING LOCAL [194.25.134.83]:54423 [87.158.46.12] <becker-dessau at t-online.de> -> <u.becker at becker-sicherheit.de>, quarantine: quarantine at art-domains.de, Queue-ID: 8F744B7AB0B, Message-ID: <001e01cfc8d5$745a2dd0$5d0e8970$@t-online.de>, mail_id: xCfpk5Gg9QY4, Hits: -, size: 15236, 306 ms
Sep 5 08:48:53 server2 amavis[7569]: (07569-03) Blocked INFECTED (ScamNailer.Phish._AT_t-online.de.UNOFFICIAL), <becker-dessau at t-online.de> -> <u.becker at becker-sicherheit.de>, Hits: -, tag=-9999.9, tag2=2.5, kill=3, L/Y/0/0
Sep 5 09:30:15 server2 postfix/qmgr[30959]: 28430B7AB0B: from=<becker-dessau at t-online.de>, size=10365, nrcpt=1 (queue active)
Sep 5 09:30:15 server2 amavis[7569]: (07569-05) Blocked INFECTED (ScamNailer.Phish._AT_t-online.de.UNOFFICIAL) {DiscardedInternal,Quarantined}, ORIGINATING LOCAL [194.25.134.85]:52874 [87.158.46.12] <becker-dessau at t-online.de> -> <u.becker at becker-sicherheit.de>, quarantine: quarantine at art-domains.de, Queue-ID: 28430B7AB0B, Message-ID: <000301cfc8db$3692b110$a3b81330$@t-online.de>, mail_id: fzYeUoNwGcQ7, Hits: -, size: 10365, 372 ms
Sep 5 09:30:15 server2 amavis[7569]: (07569-05) Blocked INFECTED (ScamNailer.Phish._AT_t-online.de.UNOFFICIAL), <becker-dessau at t-online.de> -> <u.becker at becker-sicherheit.de>, Hits: -, tag=-9999.9, tag2=2.5, kill=3, L/Y/0/0
Sep 5 09:42:24 server2 postfix/qmgr[30959]: 3A4CFB7AB0B: from=<becker-dessau at t-online.de>, size=12153, nrcpt=1 (queue active)
Sep 5 09:42:24 server2 amavis[7564]: (07564-06) Blocked INFECTED (ScamNailer.Phish._AT_t-online.de.UNOFFICIAL) {DiscardedInternal,Quarantined}, ORIGINATING LOCAL [194.25.134.82]:36475 [87.158.46.12] <becker-dessau at t-online.de> -> <a.bethge at becker-sicherheit.de>, quarantine: quarantine at art-domains.de, Queue-ID: 3A4CFB7AB0B, Message-ID: <001b01cfc8dc$ee3a6b40$caaf41c0$@t-online.de>, mail_id: 9S5Hx2-Vvr1o, Hits: -, size: 12153, 379 ms
Sep 5 09:42:24 server2 amavis[7564]: (07564-06) Blocked INFECTED (ScamNailer.Phish._AT_t-online.de.UNOFFICIAL), <becker-dessau at t-online.de> -> <a.bethge at becker-sicherheit.de>, Hits: -, tag=-9999.9, tag2=2.5, kill=3, L/Y/0/0
--
With kind regards,
Jim Knuth
---------
I have nothing against God. It's just his fan clubs
that get on my nerves!
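As an added example (not part of the post, and not code from Sanesecurity, ClamAV or amavis), the following Python script parses the per-recipient "Blocked INFECTED" summary lines that amavis writes in the format quoted above, groups the hits by signature and sender, and flags third-party (".UNOFFICIAL") signatures that keep firing on mail from a single sender. That is the pattern in the post: one legitimate t-online.de correspondent tripping the same ScamNailer phishing signature on every message, which is how a false positive usually shows up in the log, whereas a real campaign tends to spread one signature across many senders. The sample log is constructed with example.* addresses, made-up hosts and queue ids, and an invented Sanesecurity.Malware signature name. The `ign2_entries` helper assumes that a ClamAV `.ign2` ignore file lists one bare signature name per line without the `.UNOFFICIAL` suffix that clamd appends to signatures from unsigned third-party databases at load time; verify that against the ClamAV version you run before dropping such a file into the database directory.

```python
"""Cluster amavis 'Blocked INFECTED' log lines to spot likely false positives.

Added example; not code from the Postfixbuch-users post or from Sanesecurity.
It works on the per-recipient summary line amavis writes for every blocked
delivery ("... Blocked INFECTED (<signature>), <from> -> <to>, Hits: ...").
"""
import re
from collections import defaultdict

# Constructed sample log, modelled on the format quoted in the post.
# Addresses, hosts, queue ids and the Sanesecurity.Malware name are made up.
SAMPLE_LOG = """\
Sep  5 08:30:08 mx1 amavis[7568]: (07568-01) Blocked INFECTED (ScamNailer.Phish._AT_example.net.UNOFFICIAL), <alice@example.net> -> <bob@example.org>, Hits: -, tag=-9999.9, tag2=2.5, kill=3, L/Y/0/0
Sep  5 08:46:49 mx1 amavis[7566]: (07566-03) Blocked INFECTED (ScamNailer.Phish._AT_example.net.UNOFFICIAL), <alice@example.net> -> <bob@example.org>, Hits: -, tag=-9999.9, tag2=2.5, kill=3, L/Y/0/0
Sep  5 08:48:08 mx1 amavis[7564]: (07564-03) Blocked INFECTED (ScamNailer.Phish._AT_example.net.UNOFFICIAL), <alice@example.net> -> <carol@example.org>, Hits: -, tag=-9999.9, tag2=2.5, kill=3, L/Y/0/0
Sep  5 09:12:00 mx1 amavis[7570]: (07570-02) Blocked INFECTED (Sanesecurity.Malware.00001.Example.UNOFFICIAL), <mallory@attacker.test> -> <bob@example.org>, Hits: -, tag=-9999.9, tag2=2.5, kill=3, L/Y/0/0
Sep  5 09:13:00 mx1 amavis[7571]: (07571-02) Blocked INFECTED (Eicar-Test-Signature), <dave@example.com> -> <bob@example.org>, Hits: -, tag=-9999.9, tag2=2.5, kill=3, L/Y/0/0
Sep  5 09:30:15 mx1 amavis[7569]: (07569-05) Passed CLEAN {RelayedInternal}, <erin@example.com> -> <bob@example.org>, Hits: 0.5, size: 1234, 120 ms
"""

# Matches only the per-recipient summary variant.  The longer first line per
# message ("... (sig) {DiscardedInternal,Quarantined}, ORIGINATING LOCAL ...")
# has no ", <from>" directly after the signature and is deliberately skipped,
# so a message with N recipients is counted N times, once per blocked delivery.
BLOCKED_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) Blocked INFECTED "
    r"\((?P<sig>[^)]+)\), <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
)

# Suffix clamd appends to names from unsigned third-party databases (assumption).
UNOFFICIAL = ".UNOFFICIAL"


def parse_blocked(log_text):
    """Return one dict per blocked delivery: task id, signature, sender, recipient."""
    events = []
    for line in log_text.splitlines():
        m = BLOCKED_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Per signature: hit count, distinct senders, distinct recipients, third-party flag."""
    stats = {}
    for ev in events:
        s = stats.setdefault(ev["sig"], {"hits": 0, "senders": set(), "rcpts": set(),
                                         "unofficial": ev["sig"].endswith(UNOFFICIAL)})
        s["hits"] += 1
        s["senders"].add(ev["sender"])
        s["rcpts"].add(ev["rcpt"])
    return stats


def fp_candidates(events, min_hits=3):
    """(signature, sender, hits) triples worth a manual look: a third-party
    signature that fires at least min_hits times on mail from the same sender."""
    per_sig_sender = defaultdict(int)
    for ev in events:
        if ev["sig"].endswith(UNOFFICIAL):
            per_sig_sender[(ev["sig"], ev["sender"])] += 1
    return sorted((sig, sender, n) for (sig, sender), n in per_sig_sender.items()
                  if n >= min_hits)


def ign2_entries(signatures):
    """Text for a ClamAV .ign2 ignore file: one bare signature name per line,
    with the .UNOFFICIAL suffix stripped (assumption, see lead-in)."""
    names = sorted({sig[:-len(UNOFFICIAL)] if sig.endswith(UNOFFICIAL) else sig
                    for sig in signatures})
    return "\n".join(names) + "\n"


if __name__ == "__main__":
    evs = parse_blocked(SAMPLE_LOG)
    for sig, s in summarize(evs).items():
        print(f"{s['hits']:3d} hits  {len(s['senders'])} sender(s)  {sig}")
    cands = fp_candidates(evs)
    print("FP candidates:", cands)
    print("local.ign2 would contain:\n" + ign2_entries(sig for sig, _, _ in cands), end="")
```

Run it against a real `mail.log` instead of `SAMPLE_LOG` to get the same clustering for your own traffic. Note that an `.ign2` entry silences the signature for every sender on the system; where the amavisd-new version in use supports `@virus_name_to_spam_score_maps`, a narrower option is to map the third-party signature families to a spam score instead of a hard virus block, so the message is tagged or quarantined on its total score rather than discarded outright.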
More information about the Postfixbuch-users mailing list