Body checks and warning log


Body checks and warning log

MacShane, Tracy
I'm trying to create a very simple body check for a limited time to get an indicative idea of how many users may be sending credit card numbers via email. I have a simple pcre body_check map that is logging a warning when it encounters a match. Unfortunately, the entire message line that triggers the warning is added to the mail log, naturally with the potential credit card number in plain text.

cat /etc/postfix/body_checks.pcre
/\b(?:\d[ -]*){13,16}\b/        WARN Credit card number

Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning: body text 1243 1211 1232 1232 blah blah from localhost.localdomain[127.0.0.1]; from=<[hidden email]example.com> to=<[hidden email]domain.example.com> proto=SMTP helo=<server.example.com>: Credit card number
Our security people are having wibbles about this logging regime, so I was wondering if there was some way to ensure the WARN action doesn't log the matched line (I can obviously append a truncated version of the apparent number with the optional text), or if there might be a better way to do this auditing task.

Re: Body checks and warning log

Ville Walveranta
This is probably a too complex solution but I mention it anyway. In
late July there was a discussion here about rewriting the subject
line. I'm using an external spam filtering service (Katharion), and if
I choose spams to be delivered (rather than quarantined), they're
tagged with "**SPAM**" in front of the original subject. That is ugly,
so I wanted to remove it from the subject line and create "X-Spam:
yes" header instead so that the spam mail could be deposited into the
original recipient's "Spam" folder for easy searching for false
positives.

So... by using smtpprox it is possible to pull each email out of the
queue for processing/mangling/investigating before re-injecting it
back into the queue. It works for the inbound mail, so perhaps it
would work for the outbound as well. That way you could write a small
perl routine that would detect a credit card number anywhere in a
message, record it in the log (or even in a database), and also make
sure that c/c info is not stored in plaintext. It could even be
expanded further to prevent the emails containing c/c info from going
out and instead returning them to the sender with the c/c starred out
and with a warning that c/c info should not be sent via emails.

Ville
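A scanner in the spirit of Ville's suggestion and of the first post's "truncated version" idea, added here as an example and not code from the thread or from Postfix: it applies the original post's regex, drops candidates that fail the Luhn check (a step the thread does not mention, added to cut false positives) and logs only the length and last four digits. It is Python rather than Perl, the sample body and queue id are constructed, and it is meant to run where the message is available to a script (a proxy or content filter), not inside Postfix's body_checks.

```python
import logging
import re

# Same pattern as the body_checks.pcre entry in the original post:
# 13 to 16 digits, each optionally followed by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]*){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; not in the thread, added to drop false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(digits: str) -> str:
    """Keep only the length and the last four digits for the audit log."""
    return "*" * (len(digits) - 4) + digits[-4:] + f" ({len(digits)} digits)"

def scan_body(body: str) -> list:
    """Return a redacted description of each Luhn-valid candidate in the body."""
    findings = []
    for match in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            findings.append(redact(digits))   # the full number is never kept
    return findings

def log_findings(queue_id: str, body: str) -> int:
    """Log one redacted line per hit (no matched body line) and return the count."""
    log = logging.getLogger("cardwatch")
    findings = scan_body(body)
    for finding in findings:
        log.warning("%s: possible card number %s", queue_id, finding)
    return len(findings)

# Constructed sample message. The third line reuses the digits from the
# thread's own log excerpt, which are not Luhn-valid and so are dropped.
SAMPLE_BODY = (
    "Please charge 4111 1111 1111 1111 for the order.\n"
    "My Amex is 378282246310005, thanks.\n"
    "Ref 1243 1211 1232 1232 blah blah\n"
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    log_findings("QUEUEID-EXAMPLE", SAMPLE_BODY)   # placeholder queue id
```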

Re: Body checks and warning log

mouss-2
In reply to this post by MacShane, Tracy

You can use HOLD, then have a cron job to check the message and release it.

Alternatively, you can use FILTER to pass the message to another smtpd.
Example:


== body_checks:
/..../ FILTER filter:[127.0.0.1]:25666

== master.cf
127.0.0.1:25666 ..... smtpd
   -o syslog_name=postwatch
   -o receive_override_options=no_address_mappings
   -o mynetworks=127.0.0.1
   -o smtpd_recipient_restrictions=${smtpd666_recipient_restrictions}
   ...

== main.cf
smtpd666_recipient_restrictions=
   check_client_access pcre:/etc/postfix/logcard
   permit_mynetworks
   reject

== logcard
/./ WARN credit card blah blah


Note that this will override your content filter setting. If you had
one, then make sure it is used in the :25666 smtpd (either an explicit -o
content_filter=... in master.cf, or a content_filter=... in main.cf will
do).

PS. if you use clamav, check its Data Loss Protection feature.


Re: Body checks and warning log

Daniel V. Reinhardt


 Daniel Reinhardt
Website: www.cryptodan.com
Email: [hidden email]
Junior Network Security Engineer



----- Original Message ----

> From: mouss <[hidden email]>
> To: Postfix users <[hidden email]>
> Sent: Friday, November 14, 2008 7:58:45 AM
> Subject: Re: Body checks and warning log

Do you have American Express cards covered and other store based credit cards?  Also do you account for the expiration date and 3 digit security code?


RE: Body checks and warning log

MacShane, Tracy

Thanks for the great suggestions, mouss. We use Trend Micro IMSS, which
is very similar to amavisd. I'm sure we can work around it.

Daniel, I'm not too concerned about absolute accuracy at this stage,
since I just want to assess whether we need to take firmer measures. The
regexp I have should trap Amex numbers, although there may be a number
of false positives. I'll be reviewing them manually in any case. I'm not
worried about the expiration date or security code (with the latter, I
know of at least one example of a "pay-by-email" form that didn't
require that number at all) - I'm not planning to *use* the cards, heh.
Also, I believe crooks can use a credit card number to generate both an
expiry date and security code using some algorithm.

Re: Body checks and warning log

Daniel V. Reinhardt


 Daniel Reinhardt
Website: www.cryptodan.com
Email: [hidden email]
Junior Network Security Engineer



----- Original Message ----

> From: "MacShane, Tracy" <[hidden email]>
> To: Postfix users <[hidden email]>
> Sent: Sunday, November 16, 2008 11:00:29 PM
> Subject: RE: Body checks and warning log

Well, some people usually give more information than needed, and a security code will provide a criminal with more access to commit fraud.  Just trying to make sure all your bases are covered.