
Postfix mail server block Malware with blacklist

Malware is software used for a malicious purpose; it can target your software or your hardware. Email and pirated software are the most common ways to spread malware, which is inserted into a system without the user's knowledge.

Wikipedia defines Malware as:

Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent. It is a portmanteau of the words “malicious” and “software”. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

It is a good idea to block URLs and websites that spread malware. Setting up a malware blacklist in the Postfix MTA is quite easy. The Malware Block List is a free, automated and user-contributed system for checking URLs for the presence of viruses, trojans, worms, or any other software considered malware.

Create a blacklist

First you need to create a blacklist, type the following command:
# wget -O - 'https://lists.malwarepatrol.net/cgi/getfile?receipt=f1391767429&product=8&list=postfix' > /etc/postfix/mbl-body-deny
Where receipt= should be followed by your personal Malwarepatrol id once registered. Do not use f1391767429; it is for demo purposes only.

Configure Postfix

Open postfix main.cf config file, run:
# vi /etc/postfix/main.cf
Set up the postfix body_checks directive as follows:
body_checks = regexp:/etc/postfix/mbl-body-deny
Save and close the file.

Restart Postfix

Now just restart the postfix daemon:
# postmap /etc/postfix/mbl-body-deny
# /etc/init.d/postfix restart

Automate procedure

You need to set up a cron job to automate the entire procedure. Create a shell script as follows:

#!/bin/bash
# Script to update malware urls
# Author: Vivek Gite <www.cyberciti.biz> under GPL v2.x+
# ---------------
# Set https://malwarepatrol.net/ ID here (it is free)
myid=""
[[ -n "$myid" ]] || { echo "Error: set myid to your Malwarepatrol receipt id." >&2; exit 1; }
echo "Using $myid..."
list=/etc/postfix/mbl-body-deny
# Download to a temp file first so a failed fetch cannot replace the live list with an empty one
if ! /usr/bin/wget -q -O "${list}.tmp" "https://lists.malwarepatrol.net/cgi/getfile?receipt=${myid}&product=8&list=postfix" || [[ ! -s "${list}.tmp" ]]; then
    echo "Error: download failed, keeping the existing list." >&2
    rm -f "${list}.tmp"
    exit 1
fi
mv -f "${list}.tmp" "$list"
# postmap is not required for a regexp: table (Postfix reads the file directly); harmless if run
/usr/sbin/postmap "$list"
/etc/init.d/postfix reload

Add cronjob as follows:
40 23 * * * /etc/admin/scripts/fetch.postfixmalware.sh >/dev/null 2>&1

You may want to combine this feature with MIME attachment blocking and an anti-spam blacklist for the best result.
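As an added example that is not part of the original article, the following Python checker parses a body_checks table in the regexp: format the downloaded list uses and runs sample body lines through it, so a freshly fetched list can be sanity-checked offline before Postfix reloads it; it also reports duplicate rules, which several comments below mention. The sample table, hostnames and MBL ids are constructed for this example, and Python's re engine stands in for the POSIX regex library Postfix uses.

```python
import re
from collections import namedtuple

# Constructed sample in the Postfix regexp: table format used by body_checks;
# the patterns, hostnames and MBL ids are made up for this example.
SAMPLE_TABLE = r"""
# Malware Block List - constructed sample, not the real feed
/http:\/\/malware\.example\.test\/loader\.exe/ REJECT Malware URL MBL-00001
/http:\/\/malware\.example\.test\/loader\.exe/ REJECT Malware URL MBL-00002
/evil-cdn\.example\.test\/update\.zip/i REJECT Malware URL MBL-00003
/FREE BITCOIN/ DISCARD
"""

Rule = namedtuple("Rule", "regex negate action reason lineno")
# One table line: optional '!', /pattern/, optional flags, ACTION, optional text
RULE_RE = re.compile(r"^(!?)/((?:\\.|[^/])*)/([A-Za-z]*)\s+(\S+)(?:\s+(.*))?$")

def parse_table(text):
    """Parse a body_checks regexp table; blank lines and # comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a /pattern/ ACTION rule: {raw!r}")
        negate, pattern, flags, action, reason = m.groups()
        # Postfix matches case-insensitively by default; the 'i' flag flips that
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append(Rule(re.compile(pattern, re_flags), negate == "!", action.upper(), reason or "", lineno))
    return rules

def check_body_line(rules, body_line):
    """First matching rule wins, as in Postfix: returns (ACTION, text) or None."""
    for r in rules:
        if bool(r.regex.search(body_line)) != r.negate:
            return r.action, r.reason
    return None

def duplicate_rules(rules):
    """Return (first_lineno, later_lineno) pairs with an identical pattern and flags."""
    first, dups = {}, []
    for r in rules:
        key = (r.negate, r.regex.pattern, r.regex.flags)
        if key in first:
            dups.append((first[key], r.lineno))
        else:
            first[key] = r.lineno
    return dups
```

With the sample table, check_body_line(parse_table(SAMPLE_TABLE), "Get it: HTTP://MALWARE.EXAMPLE.TEST/loader.exe") returns ('REJECT', 'Malware URL MBL-00001') and duplicate_rules() reports the repeated pattern on lines 3 and 4.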

16 comments
  • BOK June 25, 2007, 8:49 pm

    I’m giving it a try, even though the current list shows to have some duplicates.
    Oh and AFAIK “postfix reload” will do fine too (instead of restarting)!

  • nixCraft June 25, 2007, 9:11 pm

    BOK,

    Yes, reload is fine too, I’ve used reload in script. Just checked my log and there are 4 dupes. But it works like a charm on our anti spam email gateway :)

  • matthias June 26, 2007, 8:12 am

    Nice – I’ll give it a try!

  • bitou August 10, 2007, 4:26 am

    What will be the perl script to download this malware list please?

    Regards

  • Jean Brooks October 7, 2007, 6:24 pm

    How do you unsuscribe Malware? I don’t want it, it is messing up my computer totally!! I want to delete now!!

  • nixCraft October 7, 2007, 8:06 pm

    Remove:
    body_checks = regexp:/etc/postfix/mbl-body-deny

    Restart postfix and you are done!

  • rogers November 1, 2007, 9:39 am

    I want you to know that we are very pleased with the quality of Article you have provided. I sincerely appreciate your responsiveness and the way you conduct. I have recommended your to others because of our satisfaction. I look forward to doing with you further comment or suggestions. regards.electronic projects

  • Lorenzo Luengo July 1, 2008, 11:27 pm

    Is it needed to ‘postmap’ the malware file? it complains about many duplicate entries, because i’m using it to block some domains (using ‘From:’ header). I think postmap is not helping in any way with this, because it’s a pcre table, that can’t be postmap’d

  • Tony November 20, 2009, 7:56 pm

    Not only is postmap unnecessary, the reload is as well.

  • Leon September 30, 2012, 6:10 am

    I have the following to remove duplicates

    # Script to update malware urls
    /usr/bin/wget -O - http://www.malware.com.br/cgi/submit?action=list_postfix > /etc/postfix/mbl-body-deny.download
    # drop comment and blank lines
    grep -ve '^#' -ve '^$' /etc/postfix/mbl-body-deny.download > /etc/postfix/mbl-body-deny.uncomment
    # strip the trailing MBL-... id so identical rules compare equal (reads the uncommented file, not the raw download)
    sed -e 's/\(.*[^MBL-]\)\(MBL-.*\)/\1/' /etc/postfix/mbl-body-deny.uncomment > /etc/postfix/mbl-body-deny.eol
    sort /etc/postfix/mbl-body-deny.eol > /etc/postfix/mbl-body-deny.sort
    uniq /etc/postfix/mbl-body-deny.sort > /etc/postfix/mbl-body-deny
    /usr/sbin/postmap /etc/postfix/mbl-body-deny
    /etc/init.d/postfix reload
    rm -f /etc/postfix/mbl-body-deny.sort
    rm -f /etc/postfix/mbl-body-deny.eol
    rm -f /etc/postfix/mbl-body-deny.uncomment
    rm -f /etc/postfix/mbl-body-deny.download
    
  • dogcat December 19, 2012, 12:16 am

    This article is outdated (something has changed) or totally wrong.

    You cannot postmap regexp.

    Just wget the remote file and use

    body_checks = regexp:/etc/postfix/mbl-body-deny

  • Ro February 7, 2014, 10:00 am

    http://www.malware.com.br/cgi/submit?action=list_postfix

    ###################################################################
    # WARNING: this block list was discontinued on Oct/07/2013
    # according to our previous announcements.
    # Users are advised to visit https://www.malwarepatrol.net/
    # for information on how to continue using our data feed.
    ###################################################################
    
  • Ro February 7, 2014, 10:17 am
  • Fred December 5, 2014, 10:17 am

    Yes, like reported by Ro, correct link is :

    https://lists.malwarepatrol.net/cgi/getfile?receipt=f1391767429&product=8&list=postfix

    Where receipt= should be followed by your personal Malwarepatrol id once registered
    Since & characters are present in the link, to make it work with wget you have to add double quotes:

    “https://lists.malwarepatrol.net/cgi/getfile?receipt=f1391767429&product=8&list=postfix”

  • Klemen March 24, 2016, 11:36 am

    Here’s a simplified script. Insert your own receipt in there, of course ;)

    #!/usr/bin/bash
    curl -sk 'https://lists.malwarepatrol.net/cgi/getfile?receipt=f1391767429&product=8&list=postfix' | grep -ve '^#' -ve '^$' | sed -e 's/\(.*[^MBL-]\)\(MBL-.*\)/\1/' | sort | uniq -i > /etc/postfix/mbl-body-deny
    postmap /etc/postfix/mbl-body-deny
    systemctl reload postfix

  • Sandra McCollum January 12, 2017, 12:48 am

    Why do people keep using postmap? It seems wrong.

    postmap /etc/postfix/mbl-body-deny

    Should it not be just this added to main.cf:
    body_checks = regexp:/etc/postfix/mbl-body-deny
