Postfix mail server block Malware with blacklist

June 25, 2007 · 13 comments · LAST UPDATED June 25, 2007


Malware is software used for a harmful purpose. It can hide in software or in hardware. Email and free (not to be confused with open source) or pirated software are the most common ways to spread malware. It is inserted into a system without the user's knowledge.

Wikipedia defines Malware as:

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a portmanteau of the words "malicious" and "software". The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

It is a good idea to block URLs and websites that spread malware. Setting up a malware blacklist in the Postfix MTA is quite easy. The Malware Block List is a free, automated, user-contributed system for checking URLs for the presence of viruses, trojans, worms, or any other software considered malware. The list is available in 25 formats.

Create a blacklist

First you need to create a blacklist, type the following command:
# wget -O - http://www.malware.com.br/cgi/submit?action=list_postfix > /etc/postfix/mbl-body-deny

Configure Postfix

Open postfix main.cf file:
# vi /etc/postfix/main.cf
Set the postfix body_checks directive:
body_checks = regexp:/etc/postfix/mbl-body-deny

Restart Postfix

Now just restart postfix:
# postmap /etc/postfix/mbl-body-deny
# /etc/init.d/postfix restart

Automate procedure

You need to set up a cron job to automate the entire procedure. Create a shell script as follows:

#!/bin/bash
# Script to update malware urls
# Fetch the current list in Postfix body_checks (regexp table) format; the URL is quoted because "?" is a shell glob character
/usr/bin/wget -O - 'http://www.malware.com.br/cgi/submit?action=list_postfix' > /etc/postfix/mbl-body-deny
# postmap is not required for a regexp: table (Postfix reads the text file directly); it is harmless but only produces "duplicate entry" warnings
/usr/sbin/postmap /etc/postfix/mbl-body-deny
# reload is enough for Postfix to pick up the new table; a full restart is not needed
/etc/init.d/postfix reload

Add cronjob as follows:
40 23 * * * /etc/admin/scripts/fetch.postfixmalware.sh >/dev/null 2>&1
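The cron script above puts whatever the download returned straight into the live table and reloads Postfix regardless of the result. As an added example (not the article's or the list maintainer's code), the following shell functions check a downloaded list before it goes live and collapse the duplicate entries several commenters noticed; the candidate file path, the trailing "MBL-" tag format and the helper names are assumptions.

```shell
#!/bin/bash
# Added example, not the article's script: validate a freshly downloaded
# body_checks table before it replaces the live one, so a truncated download,
# an HTML error page or a malformed line cannot break Postfix on the next reload.
# Assumptions: the feed is fetched separately (the article's URL was later
# discontinued) and handed in as a local candidate file; entries end with a
# per-entry "MBL-..." tag, as the article's list did.
set -u

# Print the table with comment and blank lines removed.
entries_only() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# Return 0 if the file has at least one entry and every entry has the simple
# Postfix regexp_table(5) shape "/pattern/flags ACTION ..." (optionally
# negated with a leading "!"); "if/endif" blocks are not accepted here.
validate_table() {
    local count
    count=$(entries_only "$1" | grep -c '' || true)
    [ "$count" -gt 0 ] || return 1
    if entries_only "$1" | grep -q -v -E '^!?/.*/[a-z]*[[:space:]]+[A-Z]+'; then
        return 1
    fi
    return 0
}

# Strip the trailing "MBL-..." tag so entries that differ only by tag collapse,
# then drop exact duplicates while keeping the first occurrence in place
# (Postfix evaluates regexp tables top-down, so order is preserved).
dedupe_table() {
    entries_only "$1" \
        | sed -E 's/[[:space:]]+MBL-[^[:space:]]*[[:space:]]*$//' \
        | awk '!seen[$0]++'
}

# Validate, dedupe and atomically replace the live table; returns non-zero and
# leaves the live table untouched if the candidate is unusable. No postmap is
# needed: Postfix reads regexp: tables directly. Reload Postfix after success.
install_table() {
    local candidate="$1" target="$2" tmp
    tmp="$target.tmp.$$"
    validate_table "$candidate" || return 1
    dedupe_table "$candidate" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$target"
}
```

In the cron script, download to a temporary file and then run `install_table /etc/postfix/mbl-body-deny.download /etc/postfix/mbl-body-deny && /etc/init.d/postfix reload`, so a bad download never reaches the running MTA.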

You may want to combine this feature with MIME attachment blocking and an anti-spam blacklist for the best result.


1 BOK June 25, 2007 at 8:49 pm

I’m giving it a try, even though the current list shows to have some duplicates.
Oh and AFAIK “postfix reload” will do fine too (instead of restarting)!


2 nixCraft June 25, 2007 at 9:11 pm

BOK,

Yes, reload is fine too, I’ve used reload in script. Just checked my log and there are 4 dupes. But it works like a charm on our anti spam email gateway :)


3 matthias June 26, 2007 at 8:12 am

Nice – I’ll give it a try!


4 bitou August 10, 2007 at 4:26 am

What will be the perl script to download this malware list please?

Regards


5 Jean Brooks October 7, 2007 at 6:24 pm

How do you unsubscribe Malware? I don’t want it, it is messing up my computer totally!! I want to delete now!!


6 nixCraft October 7, 2007 at 8:06 pm

Remove:
body_checks = regexp:/etc/postfix/mbl-body-deny

Restart postfix and you are done!


7 rogers November 1, 2007 at 9:39 am

I want you to know that we are very pleased with the quality of Article you have provided. I sincerely appreciate your responsiveness and the way you conduct. I have recommended your to others because of our satisfaction. I look forward to doing with you further comment or suggestions. regards.electronic projects


8 Lorenzo Luengo July 1, 2008 at 11:27 pm

Is it needed to ‘postmap’ the malware file? It complains about many duplicate entries, because I’m using it to block some domains (using the ‘From:’ header). I think postmap is not helping in any way with this, because it’s a pcre table, which can’t be postmap’d.


9 Tony November 20, 2009 at 7:56 pm

Not only is postmap unnecessary, the reload is as well.


10 Leon September 30, 2012 at 6:10 am

I have the following to remove duplicates

# Script to update malware urls
/usr/bin/wget -O - 'http://www.malware.com.br/cgi/submit?action=list_postfix' > /etc/postfix/mbl-body-deny.download
# drop comment and blank lines
grep -v -e '^#' -e '^$' /etc/postfix/mbl-body-deny.download > /etc/postfix/mbl-body-deny.uncomment
# strip the trailing "MBL-..." tag so entries that differ only by that tag become identical
sed -e 's/\(.*[^MBL-]\)\(MBL-.*\)/\1/' /etc/postfix/mbl-body-deny.uncomment > /etc/postfix/mbl-body-deny.eol
# sort so that uniq can collapse the duplicates (note: this changes the top-down order Postfix matches in)
sort /etc/postfix/mbl-body-deny.eol > /etc/postfix/mbl-body-deny.sort
uniq /etc/postfix/mbl-body-deny.sort > /etc/postfix/mbl-body-deny
/usr/sbin/postmap /etc/postfix/mbl-body-deny
/etc/init.d/postfix reload
# clean up the intermediate files
rm -f /etc/postfix/mbl-body-deny.sort
rm -f /etc/postfix/mbl-body-deny.eol
rm -f /etc/postfix/mbl-body-deny.uncomment
rm -f /etc/postfix/mbl-body-deny.download


11 dogcat December 19, 2012 at 12:16 am

This article is outdated (something has changed) or totally wrong.

You cannot postmap regexp.

Just wget the remote file and use

body_checks = regexp:/etc/postfix/mbl-body-deny


12 Ro February 7, 2014 at 10:00 am

http://www.malware.com.br/cgi/submit?action=list_postfix

###################################################################
# WARNING: this block list was discontinued on Oct/07/2013
# according to our previous announcements.
# Users are advised to visit https://www.malwarepatrol.net/
# for information on how to continue using our data feed.
###################################################################


13 Ro February 7, 2014 at 10:17 am
