Postfix mail server: block malware with a blacklist

Malware is software written for a malicious purpose. It can hide in software or in hardware. Email and pirated software are the most common ways malware spreads, and it is inserted into a system without the user's knowledge.


Wikipedia defines Malware as:

Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent. It is a portmanteau of the words “malicious” and “software”. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

It is a good idea to block URLs and websites that spread malware. Setting up a malware blacklist in the Postfix MTA is quite easy. The Malware Block List is a free, automated, user-contributed system for checking URLs for the presence of viruses, trojans, worms, or any other software considered malware.

Create a blacklist

First you need to create a blacklist, type the following command:
# wget -O - 'https://lists.malwarepatrol.net/cgi/getfile?receipt=f1391767429&product=8&list=postfix' > /etc/postfix/mbl-body-deny
Replace the value after receipt= with your personal Malwarepatrol id, which you receive on registration. Do not use f1391767429 itself; it appears here for demonstration only.

Configure Postfix

Open postfix main.cf config file, run:
# vi /etc/postfix/main.cf
Set the Postfix body_checks directive as follows:
body_checks = regexp:/etc/postfix/mbl-body-deny
Save and close the file.

Restart Postfix

Now just restart the postfix daemon:
# postmap /etc/postfix/mbl-body-deny
# /etc/init.d/postfix restart

Automate procedure

You need to setup a cron job to automate entire procedure. Create a shell script as follows:

#!/bin/bash
# Script to update malware urls
# Author: Vivek Gite <www.cyberciti.biz> under GPL v2.x+
# ---------------
# Set https://malwarepatrol.net/ ID here (it is free)
myid=""
list="/etc/postfix/mbl-body-deny"
if [[ -z "$myid" ]]; then echo "Error: please set myid in $0."; exit 1; fi
echo "Using $myid..."
# Download to a temporary file first so a failed fetch never leaves an empty list in place
tmp="$(mktemp "${list}.XXXXXX")" || exit 1
if /usr/bin/wget -q -O "$tmp" "https://lists.malwarepatrol.net/cgi/getfile?receipt=${myid}&product=8&list=postfix" && [[ -s "$tmp" ]]; then
    mv "$tmp" "$list"
else
    echo "Error: download failed, keeping the existing $list"; rm -f "$tmp"; exit 1
fi
# A regexp: table is read directly by Postfix, so no postmap step is needed; just reload
/etc/init.d/postfix reload

Add cronjob as follows:
40 23 * * * /etc/admin/scripts/fetch.postfixmalware.sh >/dev/null 2>&1

You may want to combine this feature with MIME attachment blocking and an anti-spam blacklist for the best results.
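The steps above (fetch the list, point body_checks at it, reload Postfix) leave one gap a practitioner will hit in production: the feed is known to contain duplicate rules, and a truncated or malformed download would be installed blindly. The following POSIX shell helper is an added example, not code from the original article or from MalwarePatrol. It normalises the downloaded table (drops comments and blank lines, strips the trailing `MBL-<id>` tag that makes otherwise identical rules look distinct, de-duplicates), checks that every remaining line has the regexp_table(5) shape `/pattern/[flags] ACTION`, and only then moves the file into place atomically. The feed format and the `MBL-` tag are assumptions; a constructed sample stands in for the download and `true` stands in for `postfix reload`, so the demo runs without Postfix installed.

```shell
#!/bin/sh
# Added example, not part of the original article or of MalwarePatrol's tooling.
# Normalise, validate and install a downloaded Postfix body_checks table.
# Assumptions (labelled): one rule per line in regexp_table(5) form,
# "/pattern/[flags] ACTION [text]", optionally ending in an "MBL-<id>" tag.
# Postfix itself is never called here; "true" stands in for the reload command.

# normalize_list: stdin -> stdout. Drops comment and blank lines, strips a
# trailing MBL-<id> tag plus trailing whitespace, then removes duplicates.
normalize_list() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
        | sed -E 's/[[:space:]]+MBL-[0-9A-Za-z]+[[:space:]]*$//; s/[[:space:]]+$//' \
        | sort -u
}

# validate_list: stdin -> exit status. Every line must be an optional "!",
# a /pattern/ (with "\/" allowed inside), optional flag letters, then an
# action word in capitals. Offending lines go to stderr; returns 1 if any.
validate_list() {
    bad=$(grep -Ev '^!?/([^/\\]|\\.)*/[A-Za-z]*[[:space:]]+[A-Z]+' || true)
    if [ -n "$bad" ]; then
        printf 'invalid body_checks rule(s):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# install_list SRC DST RELOAD: write the normalised list next to DST, refuse
# to install it if validation fails, then move it into place atomically and
# run RELOAD (normally "postfix reload"). A regexp: table is read directly
# by Postfix, so there is no postmap step.
install_list() {
    src=$1; dst=$2; reload=$3
    normalize_list < "$src" > "$dst.tmp" || { rm -f "$dst.tmp"; return 1; }
    if ! validate_list < "$dst.tmp"; then
        rm -f "$dst.tmp"
        return 1
    fi
    mv "$dst.tmp" "$dst" && $reload
}

# Constructed sample feed (not real MalwarePatrol data): two rules appear
# twice, differing only in their MBL- tag, plus a blank and a whitespace line.
SAMPLE='# Malware Block List for Postfix (constructed sample)
#
/evil-example\.test\/dropper\.exe/ REJECT Malware URL MBL-1001
/evil-example\.test\/dropper\.exe/ REJECT Malware URL MBL-1002

/badhost\.example\/update\.php/i REJECT Malware URL MBL-1003
   
/badhost\.example\/update\.php/i REJECT Malware URL MBL-1003'

# Demo: stage the sample as if it were the download, install it into a
# scratch directory with "true" in place of "postfix reload", and report.
workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE" > "$workdir/feed.download"
if install_list "$workdir/feed.download" "$workdir/mbl-body-deny" true; then
    printf 'installed %s rule(s) from %s non-empty feed line(s)\n' \
        "$(grep -c . "$workdir/mbl-body-deny")" "$(grep -c . "$workdir/feed.download")"
fi
rm -rf "$workdir"
```

In the cron job, call `install_list` with the wget output file as SRC, `/etc/postfix/mbl-body-deny` as DST and `"postfix reload"` as RELOAD; because the move happens only after validation, a failed or partial download never replaces the list Postfix is already using.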


16 comments
  • BOK Jun 25, 2007 @ 20:49

    I’m giving it a try, even though the current list shows to have some duplicates.
    Oh and AFAIK “postfix reload” will do fine too (instead of restarting)!

  • 🐧 nixCraft Jun 25, 2007 @ 21:11

    BOK,

    Yes, reload is fine too, I’ve used reload in script. Just checked my log and there are 4 dupes. But it works like a charm on our anti spam email gateway 🙂

  • matthias Jun 26, 2007 @ 8:12

    Nice – I’ll give it a try!

  • bitou Aug 10, 2007 @ 4:26

    What will be the perl script to download this malware list please?

    Regards

  • Jean Brooks Oct 7, 2007 @ 18:24

    How do you unsubscribe Malware? I don’t want it, it is messing up my computer totally!! I want to delete now!!

  • 🐧 nixCraft Oct 7, 2007 @ 20:06

    Remove:
    body_checks = regexp:/etc/postfix/mbl-body-deny

    Restart postfix and you are done!

  • rogers Nov 1, 2007 @ 9:39

    I want you to know that we are very pleased with the quality of Article you have provided. I sincerely appreciate your responsiveness and the way you conduct. I have recommended your to others because of our satisfaction. I look forward to doing with you further comment or suggestions. regards.electronic projects

  • Lorenzo Luengo Jul 1, 2008 @ 23:27

    Is it needed to ‘postmap’ the malware file? It complains about many duplicate entries, because I’m using it to block some domains (using the ‘From:’ header). I think postmap is not helping in any way with this, because it’s a pcre table that can’t be postmap’d.

  • Tony Nov 20, 2009 @ 19:56

    Not only is postmap unnecessary, the reload is as well.

  • Leon Sep 30, 2012 @ 6:10

    I have the following to remove duplicates

    # Script to update malware urls
    /usr/bin/wget -O - 'http://www.malware.com.br/cgi/submit?action=list_postfix' > /etc/postfix/mbl-body-deny.download
    # drop comment and blank lines
    grep -ve '^#' -ve '^$' /etc/postfix/mbl-body-deny.download > /etc/postfix/mbl-body-deny.uncomment
    # keep only the part before the trailing MBL-<id> tag so identical rules collapse
    sed -E 's/(.*[^MBL-])(MBL-.*)/\1/' /etc/postfix/mbl-body-deny.uncomment > /etc/postfix/mbl-body-deny.eol
    sort /etc/postfix/mbl-body-deny.eol > /etc/postfix/mbl-body-deny.sort
    uniq /etc/postfix/mbl-body-deny.sort > /etc/postfix/mbl-body-deny
    /usr/sbin/postmap /etc/postfix/mbl-body-deny
    /etc/init.d/postfix reload
    rm -f /etc/postfix/mbl-body-deny.sort
    rm -f /etc/postfix/mbl-body-deny.eol
    rm -f /etc/postfix/mbl-body-deny.uncomment
    rm -f /etc/postfix/mbl-body-deny.download
    
  • dogcat Dec 19, 2012 @ 0:16

    This article is outdated (something has changed) or totally wrong.

    You cannot postmap regexp.

    Just wget the remote file and use

    body_checks = regexp:/etc/postfix/mbl-body-deny

  • Ro Feb 7, 2014 @ 10:00

    http://www.malware.com.br/cgi/submit?action=list_postfix

    ###################################################################
    # WARNING: this block list was discontinued on Oct/07/2013
    # according to our previous announcements.
    # Users are advised to visit https://www.malwarepatrol.net/
    # for information on how to continue using our data feed.
    ###################################################################
    
  • Ro Feb 7, 2014 @ 10:17
  • Fred Dec 5, 2014 @ 10:17

    Yes, as reported by Ro, the correct link is:

    https://lists.malwarepatrol.net/cgi/getfile?receipt=f1391767429&product=8&list=postfix

    Where receipt= should be followed by your personal Malwarepatrol id once registered.
    Since & characters are present in the link, to make it work with wget you have to add double quotes:

    "https://lists.malwarepatrol.net/cgi/getfile?receipt=f1391767429&product=8&list=postfix"

  • Klemen Mar 24, 2016 @ 11:36

    Here’s a simplified script. Insert your own receipt in there, of course 😉

    #!/usr/bin/bash
    # -k skips TLS certificate verification of the feed download; leave it out when the certificate validates
    curl -sk 'https://lists.malwarepatrol.net/cgi/getfile?receipt=f1391767429&product=8&list=postfix' | grep -ve '^#' -ve '^$' | sed -E 's/(.*[^MBL-])(MBL-.*)/\1/' | sort | uniq -i > /etc/postfix/mbl-body-deny
    postmap /etc/postfix/mbl-body-deny
    systemctl reload postfix

  • Sandra McCollum Jan 12, 2017 @ 0:48

    Why do people keep using postmap? It seems wrong.

    postmap /etc/postfix/mbl-body-deny

    Should it not be just this added to main.cf:
    body_checks = regexp:/etc/postfix/mbl-body-deny
