
Postfix mail server: block malware with a blacklist

Malware is software written for a malicious purpose. It can hide in application software or in device firmware, and it is installed on a system without the user's knowledge or consent. Email and pirated software are two of the most common ways it spreads.

Wikipedia defines Malware as:

Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent. It is a portmanteau of the words “malicious” and “software”. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

It is therefore a good idea to reject mail that carries URLs of known malware-distribution sites. Setting this up in the Postfix MTA is easy: Postfix's body_checks feature matches each line of a message body against a table of regular expressions, and the Malware Block List (MBL, now distributed by Malware Patrol) publishes exactly such a table. MBL is a free, automated, user-contributed system for checking URLs for the presence of viruses, trojans, worms, or any other software considered malware.

Create a blacklist

First, download the blacklist with your own Malware Patrol receipt (registration is free). The URL must be quoted because it contains & characters, which an unquoted shell command line would treat as background-job operators:
# wget -O - 'https://lists.malwarepatrol.net/cgi/getfile?receipt=f1391767429&product=8&list=postfix' > /etc/postfix/mbl-body-deny
Replace receipt=f1391767429 with your personal Malware Patrol receipt ID; the value shown is a placeholder for demonstration only. Keep the https scheme and let wget verify the certificate: this file is a list of rules Postfix will enforce, so it must not be replaceable in transit. The result is a Postfix regexp table, one /pattern/ ACTION rule per line.

Configure Postfix

Open the Postfix main.cf configuration file:
# vi /etc/postfix/main.cf
Set the body_checks directive so that it points at the downloaded table:
body_checks = regexp:/etc/postfix/mbl-body-deny
Save and close the file. Two limits of body_checks are worth knowing before you rely on it: it inspects only the first body_checks_size_limit bytes of each message (51200 by default), and it does not decode base64 or quoted-printable content, so a URL inside an encoded part is not seen. It also applies to every message that passes through cleanup(8), including mail submitted by your own users, and a matching REJECT rule rejects the entire message.

Reload Postfix

The table is referenced as regexp:, so Postfix reads the text file directly; there is nothing to postmap. Running postmap on it only builds an unused .db file and warns about duplicate entries. Reload Postfix so that running cleanup(8) processes pick up the new file:
# /etc/init.d/postfix reload
On systemd-based systems use systemctl reload postfix instead.

Automate procedure

Set up a cron job to automate the whole procedure. Create a shell script such as the following:

#!/bin/bash
# Script to update malware urls
# Author: Vivek Gite <www.cyberciti.biz> under GPL v2.x+
# ---------------
# Set https://malwarepatrol.net/ ID here (it is free)
myid=""
[[ -n "$myid" ]] && echo "Using $myid..." || { echo "Error: please set myid to your Malware Patrol receipt."; exit 1; }
table=/etc/postfix/mbl-body-deny
# Download to a temporary file first so a failed transfer never clobbers the live table
tmp=$(mktemp "${table}.XXXXXX") || exit 1
if /usr/bin/wget -q -O "$tmp" "https://lists.malwarepatrol.net/cgi/getfile?receipt=${myid}&product=8&list=postfix" && [[ -s "$tmp" ]]; then
    mv -f "$tmp" "$table"
else
    echo "Error: download failed, keeping the existing list."; rm -f "$tmp"; exit 1
fi
# regexp: tables are read as text, so no postmap step; reload so cleanup(8) picks up the new file
/etc/init.d/postfix reload

Add a cron job to run it once a night, for example:
40 23 * * * /etc/admin/scripts/fetch.postfixmalware.sh >/dev/null 2>&1
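As an added example (not the article's script and not Malware Patrol's code), here is a hardened version of the update job in bash: it downloads to a temporary file, keeps only lines that look like Postfix regexp rules, has postmap parse the candidate table, and only then renames it over the live table and reloads. It assumes the feed is one /pattern/[flags] ACTION text rule per line with the slash delimiter and # comment lines, takes the receipt from an MBL_RECEIPT environment variable, and the sample feed embedded at the bottom is constructed for offline testing rather than real feed data.

```shell
#!/bin/bash
# Added example, not the article's own script and not Malware Patrol code.
# Fetch the body_checks table, keep only well-formed rules, let postmap parse
# the candidate, and only then replace the live table and reload Postfix, so a
# truncated download or an HTML error page never reaches /etc/postfix.
#
# Assumptions not stated on the page: the feed is one "/regexp/[flags] ACTION text"
# rule per line with the slash delimiter and '#' comment lines; the receipt
# comes from the MBL_RECEIPT environment variable.
set -u

TABLE=${TABLE:-/etc/postfix/mbl-body-deny}

# Actions that body_checks accepts (see header_checks(5)); anything else is dropped.
ACTIONS='REJECT|DISCARD|DUNNO|OK|WARN|HOLD|IGNORE|INFO|FILTER|REDIRECT|REPLACE|PREPEND|BCC'

# sanitise_rules: stdin -> stdout. Drop comments and blank lines, strip trailing
# whitespace, keep only lines shaped like "/regexp/flags ACTION ..." (optionally
# negated with '!'), and remove exact duplicates, keeping the first occurrence.
sanitise_rules() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
    | sed -e 's/[[:space:]]*$//' \
    | grep -E '^!?/.*/[a-z]*[[:space:]]+('"$ACTIONS"')([[:space:]]|$)' \
    | awk '!seen[$0]++'
}

# check_table: refuse an empty file, then do a probe lookup with postmap. A
# regexp: table logs a warning for every rule it cannot compile, so any text on
# stderr means Postfix would silently skip rules; treat that as a failure.
check_table() {
    local candidate=$1 warnings
    [ -s "$candidate" ] || { echo "refusing to install an empty table" >&2; return 1; }
    warnings=$(postmap -q 'http://probe.invalid/' "regexp:$candidate" 2>&1 >/dev/null) || true
    if [ -n "$warnings" ]; then
        printf 'candidate table rejected:\n%s\n' "$warnings" >&2
        return 1
    fi
}

# update_table: download next to the live table, sanitise, validate, then rename
# over the old file (atomic on the same filesystem) and reload. No postmap step:
# regexp: tables are read as text.
update_table() {
    local receipt=$1 raw clean
    raw=$(mktemp "$TABLE.raw.XXXXXX") || return 1
    clean=$(mktemp "$TABLE.new.XXXXXX") || { rm -f "$raw"; return 1; }
    if ! wget -q -O "$raw" "https://lists.malwarepatrol.net/cgi/getfile?receipt=${receipt}&product=8&list=postfix"; then
        echo "download failed; keeping the current table" >&2
        rm -f "$raw" "$clean"; return 1
    fi
    sanitise_rules <"$raw" >"$clean"
    if ! check_table "$clean"; then
        rm -f "$raw" "$clean"; return 1
    fi
    chmod 0644 "$clean" && mv -f "$clean" "$TABLE" && rm -f "$raw" && postfix reload
}

# Constructed sample feed for offline testing (invented for this example, not
# real Malware Patrol data): a comment, a duplicated rule, a blank line, a rule
# with the 'i' flag, and a junk line that must be dropped.
SAMPLE_FEED='# constructed header comment
/malware-sample\.example/ REJECT Malware URL blocked
/malware-sample\.example/ REJECT Malware URL blocked

/dropper\.evil-sample\.invalid/i REJECT Malware URL blocked
this line is not a rule and must be dropped'

# sanitise_sample: the sample feed after sanitise_rules, i.e. exactly two rules.
sanitise_sample() {
    printf '%s\n' "$SAMPLE_FEED" | sanitise_rules
}

# Only touch the system when a receipt is supplied, e.g. from cron:
#   MBL_RECEIPT=yourreceipt /etc/admin/scripts/fetch.postfixmalware.sh
if [ -n "${MBL_RECEIPT:-}" ]; then
    update_table "$MBL_RECEIPT"
fi
```

Run it from cron with the receipt in the environment. To see which rule a particular body line hits once the table is live, run postmap -q 'the line' regexp:/etc/postfix/mbl-body-deny, which prints the action of the first matching rule; the same call with an unknown probe string is what check_table uses to make Postfix compile every rule before the file is installed.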

For the best results, combine this with MIME attachment blocking and an anti-spam DNS blocklist.

15 comments
  • BOK June 25, 2007, 8:49 pm

    I’m giving it a try, even though the current list shows to have some duplicates.
    Oh and AFAIK “postfix reload” will do fine too (instead of restarting)!

  • nixCraft June 25, 2007, 9:11 pm

    BOK,

    Yes, reload is fine too, I’ve used reload in script. Just checked my log and there are 4 dupes. But it works like a charm on our anti spam email gateway :)

  • matthias June 26, 2007, 8:12 am

    Nice – I’ll give it a try!

  • bitou August 10, 2007, 4:26 am

    What will be the perl script to download this malware list please?

    Regards

  • Jean Brooks October 7, 2007, 6:24 pm

    How do you unsubscribe Malware? I don’t want it, it is messing up my computer totally!! I want to delete now!!

  • nixCraft October 7, 2007, 8:06 pm

    Remove:
    body_checks = regexp:/etc/postfix/mbl-body-deny

    Restart postfix and you are done!

  • rogers November 1, 2007, 9:39 am

    I want you to know that we are very pleased with the quality of article you have provided. I sincerely appreciate your responsiveness and the way you conduct yourself. I have recommended you to others because of our satisfaction. I look forward to doing business with you; further comments or suggestions, regards. electronic projects

  • Lorenzo Luengo July 1, 2008, 11:27 pm

    Is it needed to ‘postmap’ the malware file? It complains about many duplicate entries, because I’m using it to block some domains (using the ‘From:’ header). I think postmap is not helping in any way with this, because it’s a pcre table, which can’t be postmap’d.

  • Tony November 20, 2009, 7:56 pm

    Not only is postmap unnecessary, the reload is as well.

  • Leon September 30, 2012, 6:10 am

    I have the following to remove duplicates:

    # Script to update malware urls
    /usr/bin/wget -O - http://www.malware.com.br/cgi/submit?action=list_postfix > /etc/postfix/mbl-body-deny.download
    # drop comment and blank lines
    grep -ve '^#' -ve '^$' /etc/postfix/mbl-body-deny.download > /etc/postfix/mbl-body-deny.uncomment
    # strip the trailing MBL-... id so identical rules compare equal
    sed -e 's/\(.*[^MBL-]\)\(MBL-.*\)/\1/' /etc/postfix/mbl-body-deny.uncomment > /etc/postfix/mbl-body-deny.eol
    sort /etc/postfix/mbl-body-deny.eol > /etc/postfix/mbl-body-deny.sort
    uniq /etc/postfix/mbl-body-deny.sort > /etc/postfix/mbl-body-deny
    # regexp: tables are read as text, no postmap needed
    /etc/init.d/postfix reload
    rm -f /etc/postfix/mbl-body-deny.sort
    rm -f /etc/postfix/mbl-body-deny.eol
    rm -f /etc/postfix/mbl-body-deny.uncomment
    rm -f /etc/postfix/mbl-body-deny.download
    
  • dogcat December 19, 2012, 12:16 am

    This article is outdated (something has changed) or totally wrong.

    You cannot postmap regexp.

    Just wget the remote file and use

    body_checks = regexp:/etc/postfix/mbl-body-deny

  • Ro February 7, 2014, 10:00 am

    http://www.malware.com.br/cgi/submit?action=list_postfix

    ###################################################################
    # WARNING: this block list was discontinued on Oct/07/2013
    # according to our previous announcements.
    # Users are advised to visit https://www.malwarepatrol.net/
    # for information on how to continue using our data feed.
    ###################################################################
    
  • Ro February 7, 2014, 10:17 am
  • Fred December 5, 2014, 10:17 am

    Yes, as reported by Ro, the correct link is:

    https://lists.malwarepatrol.net/cgi/getfile?receipt=f1391767429&product=8&list=postfix

    Where receipt= should be followed by your personal Malwarepatrol id once registered.
    Since & characters are present in the link, to make it work with wget you have to add double quotes:

    "https://lists.malwarepatrol.net/cgi/getfile?receipt=f1391767429&product=8&list=postfix"

  • Klemen March 24, 2016, 11:36 am

    Here’s a simplified script. Insert your own receipt in there, of course ;)

    #!/usr/bin/bash
    set -o pipefail
    # -sS: quiet but report errors; -f: fail on an HTTP error instead of saving the error page.
    # No -k: that would disable certificate checking on a list Postfix is going to enforce.
    curl -sSf 'https://lists.malwarepatrol.net/cgi/getfile?receipt=f1391767429&product=8&list=postfix' | grep -ve '^#' -ve '^$' | sed -e 's/\(.*[^MBL-]\)\(MBL-.*\)/\1/' | sort | uniq -i > /etc/postfix/mbl-body-deny.new || exit 1
    mv -f /etc/postfix/mbl-body-deny.new /etc/postfix/mbl-body-deny
    # regexp: tables are read as text, no postmap needed
    systemctl reload postfix
