[SOLVED] mail gateway sends virus

Oct 1, 2020
Hi,
Our mail gateway is sending a virus.
Our firewall detected this virus.
Our Exchange server is updated.
Please check the log.
What can we do?

Message meets Alert condition
Virus/Worm detected: MSIL/Agent.JEG!tr.dldr Protocol: "SMTP" Email Address From: "mailer-daemon@mailgateway.nokta.local (Mail Delivery System)" Email Address To: "info@zpeec.com"
VIRUS REFERENCE URL: http://www.fortinet.com/ve?vn=MSIL/Agent.JEG!tr.dldr
date=2021-11-08 time=11:59:32 devname=FG100D3G158xxxx devid=FG100D3G158xxxxx logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" eventtime=1636361972610640222 tz="+0300" policyid=43 msg="File is infected." action="blocked" service="SMTP" sessionid=67380921 srcip=192.168.xx.xxx dstip=159.223.1.226 srcport=55058 dstport=25 srcintf="SERVER VLAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 direction="outgoing" filename="vergi ödeme faturası 8.11.2021.r01" quarskip="File-was-not-quarantined." virus="MSIL/Agent.JEG!tr.dldr" dtype="Virus" ref="http://www.fortinet.com/ve?vn=MSIL/Agent.JEG!tr.dldr" virusid=10065510 profile="default" from="mailer-daemon@mailgateway.nokta.local (Mail Delivery System)" to="info@zpeec.com" analyticscksum="c64e13d56152889eb4df4cbb3b07b74217c05cca5905e5900a5c6059b9b19810" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
Hi,

srcip=192.168.xx.xxx
I'd start by investigating this local IP address; that station might be compromised.

Do you see other mails like this in the logs? If you do, check where they are originating from.

You can check the mail logs or the tracking center of the mail gateway to see where the email originated from, and then investigate.
Before this, info@zpeec.com sent us an email.


Nov 8 11:42:22 mailgateway postfix/smtpd[20981]: warning: hostname bitsumo-zpeec.com does not resolve to address 159.223.1.226: Name or service not known
Nov 8 11:42:22 mailgateway postfix/smtpd[20981]: connect from unknown[159.223.1.226]
Nov 8 11:42:23 mailgateway postfix/smtpd[20981]: 672B33813B8: client=unknown[159.223.1.226]
Nov 8 11:42:23 mailgateway postfix/cleanup[20983]: 672B33813B8: message-id=<20211108034215.5502F0E6FBBB49DB@zpeec.com>
Nov 8 11:42:23 mailgateway postfix/qmgr[942]: 672B33813B8: from=<info@zpeec.com>, size=45394, nrcpt=1 (queue active)
Nov 8 11:42:23 mailgateway pmg-smtp-filter[20880]: 3815AB6188E2EF9DCB4: new mail message-id=<20211108034215.5502F0E6FBBB49DB@zpeec.com>#012
Nov 8 11:42:23 mailgateway postfix/smtpd[20981]: disconnect from unknown[159.223.1.226] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 8 11:42:28 mailgateway pmg-smtp-filter[20880]: 3815AB6188E2EF9DCB4: SA score=0/5 time=4.680 bayes=0.01 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_MESSAGE(0.001),JMQ_SPF_NEUTRAL(0.5),MIME_HTML_ONLY(0.1),RCVD_IN_HOSTKARMA_BL(1.5),RDNS_NONE(0.793),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
Nov 8 11:42:28 mailgateway postfix/smtpd[20993]: connect from localhost.localdomain[127.0.0.1]
Nov 8 11:42:28 mailgateway postfix/smtpd[20993]: D70F4381619: client=localhost.localdomain[127.0.0.1], orig_client=unknown[159.223.1.226]
Nov 8 11:42:28 mailgateway postfix/cleanup[20983]: D70F4381619: message-id=<20211108034215.5502F0E6FBBB49DB@zpeec.com>
Nov 8 11:42:28 mailgateway postfix/qmgr[942]: D70F4381619: from=<info@zpeec.com>, size=46546, nrcpt=1 (queue active)
Nov 8 11:42:28 mailgateway pmg-smtp-filter[20880]: 3815AB6188E2EF9DCB4: accept mail to <nokta@noktaelektronik.net> (D70F4381619) (rule: default-accept)
Nov 8 11:42:28 mailgateway postfix/smtpd[20993]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Nov 8 11:42:28 mailgateway pmg-smtp-filter[20880]: 3815AB6188E2EF9DCB4: processing time: 5.239 seconds (4.68, 0.53, 0)
Nov 8 11:42:28 mailgateway postfix/lmtp[20984]: 672B33813B8: to=<nokta@noktaelektronik.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.7, delays=0.47/0.01/0/5.2, dsn=2.5.0, status=sent (250 2.5.0 OK (3815AB6188E2EF9DCB4))
Nov 8 11:42:28 mailgateway postfix/qmgr[942]: 672B33813B8: removed
Nov 8 11:42:29 mailgateway postfix/smtp[20994]: D70F4381619: to=<nokta@xxxxxxx.net>, relay=192.168.xx.xx[192.168.xx.xxx]:25, delay=0.39, delays=0.01/0.01/0.02/0.36, dsn=2.6.0, status=sent (250 2.6.0 <20211108034215.5502F0E6FBBB49DB@zpeec.com> [InternalId=48829483188291, Hostname=EXXXX1.nokta.local] 48259 bytes in 0.337, 139.605 KB/sec Queued mail for delivery)
Nov 8 11:42:29 mailgateway postfix/qmgr[942]: D70F4381619: removed..

But the same email was also sent to Gmail, and Gmail does not accept this mail. I am sending the Gmail log.

to=<zxxxx@gmail.com>, relay=gmail-smtp-in.l.google.com[108.177.119.26]:25, delay=0.85, delays=0.01/0/0.36/0.48, dsn=5.7.0, status=bounced (host gmail-smtp-in.l.google.com[108.177.119.26] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. bt17si18591965ejb.77 - gsmtp (in reply to end of DATA command))
Nov 8 11:42:30 mailgateway postfix/qmgr[942]: AC716381619: removed
But the mail gateway returns it to this email address (info@zpeec.com).

Why?

This is the virus sending time in the tracking center:


Nov 8 12:19:32 mailgateway postfix/qmgr[942]: 8A28F3815AB: from=<>, size=50672, nrcpt=1 (queue active)
Nov 8 12:19:33 mailgateway postfix/smtp[21465]: 8A28F3815AB: to=<info@zpeec.com>, relay=zpeec.com[159.223.1.226]:25, delay=2222, delays=2222/0/0.21/0.19, dsn=4.4.2, status=deferred (lost connection with zpeec.com[159.223.1.226] while sending end of data -- message may be sent more than once)
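To check from the logs alone what is being sent back out, here is an added example (not from this thread and not Proxmox Mail Gateway code): a Python script that groups postfix log lines by queue id and flags null-sender messages (from=<>, i.e. DSNs generated by the gateway) queued to an address that was itself the envelope sender of earlier mail, together with any remote rejection (status=bounced) of that sender's mail. The sample log is constructed and abbreviated from the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample, abbreviated from the postfix log quoted in the thread (not the original lines).
SAMPLE_LOG = """\
Nov 8 11:42:23 mailgateway postfix/qmgr[942]: 672B33813B8: from=<info@zpeec.com>, size=45394, nrcpt=1 (queue active)
Nov 8 11:42:28 mailgateway postfix/qmgr[942]: D70F4381619: from=<info@zpeec.com>, size=46546, nrcpt=1 (queue active)
Nov 8 11:42:29 mailgateway postfix/smtp[20994]: D70F4381619: to=<zxxxx@gmail.com>, relay=gmail-smtp-in.l.google.com[108.177.119.26]:25, dsn=5.7.0, status=bounced (host said: 552-5.7.0 This message was blocked because its content presents a potential security issue)
Nov 8 12:19:32 mailgateway postfix/qmgr[942]: 8A28F3815AB: from=<>, size=50672, nrcpt=1 (queue active)
Nov 8 12:19:33 mailgateway postfix/smtp[21465]: 8A28F3815AB: to=<info@zpeec.com>, relay=zpeec.com[159.223.1.226]:25, dsn=4.4.2, status=deferred (lost connection)
"""

LINE_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]{8,}): (?P<rest>.*)")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>.*?status=(?P<status>\w+)")

def parse_queue(log_text):
    """Group postfix log lines by queue id: envelope sender and (recipient, status) pairs."""
    q = defaultdict(lambda: {"from": None, "to": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec, rest = q[m["qid"]], m["rest"]
        if (f := FROM_RE.search(rest)):
            rec["from"] = f["addr"]          # "" is the null sender, i.e. a DSN/bounce
        if (t := TO_RE.search(rest)):
            rec["to"].append((t["addr"], t["status"]))
    return q

def find_backscatter(log_text):
    """Return DSNs (from=<>) queued to an address that was itself an envelope sender in
    this log, with that sender's queue ids and any remote rejection of its mail."""
    q = parse_queue(log_text)
    queued_by_sender, rejected_by_sender = defaultdict(list), defaultdict(list)
    for qid, rec in q.items():
        if rec["from"]:
            queued_by_sender[rec["from"]].append(qid)
            rejected_by_sender[rec["from"]] += [(qid, a) for a, s in rec["to"] if s == "bounced"]
    hits = []
    for qid, rec in q.items():
        if rec["from"] != "":
            continue                          # not a bounce generated by the gateway
        for addr, status in rec["to"]:
            if addr in queued_by_sender:
                hits.append({"dsn": qid, "to": addr, "status": status,
                             "sender_queue": queued_by_sender[addr],
                             "rejections": rejected_by_sender[addr]})
    return hits
```

Run `find_backscatter(SAMPLE_LOG)` (or feed it /var/log/mail.log) to list each outgoing bounce next to the inbound queue ids and the remote rejection it relates to.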
How can we apply stricter virus rules on the mail gateway?
Because the infected email has passed.

Gmail does not accept this infected mail, but the mail gateway accepts it.
