I am sure what you really want is more malware ;-). But a few people asked for tricks to collect malware. Malware can be useful for a number of reasons: first of all, you can extract indicators of compromise from it using various more or less automated methods. In addition, it is a good idea to keep an eye on what your users may be seeing, in particular if they receive e-mail from sources other than your corporate e-mail system.
Sadly, many corporations these days are switching to cloud providers for e-mail. But it can still be useful to set up a relay that pre-filters your e-mail before it reaches the cloud provider, giving you insight into e-mail that the cloud provider's limited logs do not provide.
Personally, I am using postfix, so what I am going to talk about will be postfix specific (and some procmail, which may be used with other mail servers). If you have similar tricks for other mail servers, then please comment.
(1) improved logging
Quite often, a user (or maybe even an AV system) will flag an e-mail as suspect. If this turns out to be a real malicious e-mail (phishing, malware...), it is nice to be able to quickly look for other e-mails with the same Subject or the same From address. To make this easier, I like to have Postfix log the From, To and Subject headers. You can accomplish this with header checks. In Postfix, header checks are normally used to filter e-mail with specific headers, but if the action is WARN, the message is accepted and the matching header is written to the log. I added the following lines to my header_checks file to log the Subject, To and From:
/^subject:/ WARN
/^to:/ WARN
/^from:/ WARN
/^Subject:/ WARN
/^To:/ WARN
/^From:/ WARN
You then need to add the following line to your main.cf to activate these header checks (and run postfix reload afterwards):
header_checks = regexp:/etc/postfix/header_checks
(/etc/postfix/header_checks is the name of the file; yours may be different. Postfix regexp tables match case-insensitively by default, so the three lower-case patterns alone would already catch Subject:, To: and From:; the capitalized duplicates are harmless.)
You will now see lines like this in your maillog. Keep in mind that Subject lines can carry sensitive content, so the maillog now deserves the same access restrictions as the mail itself:
Sep 6 15:26:50 mail postfix/cleanup[24158]: 39B0D7FFA9: warning: from=<Burnett.84@corporate-change.com> to=<list@dshield.org> proto=ESMTP helo=<[39.46.86.81]>
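The log lines above are what you pivot on. As an added example (not from the diary), the Python below parses cleanup(8) WARN lines and answers the question from the previous paragraph: which other queue IDs carried the same Subject or the same From? It assumes the line format Postfix documents for header_checks WARN actions (header name and value, then the connecting client, then the envelope from/to fields); the log lines it runs on are constructed for the example, not real traffic.

```python
#!/usr/bin/env python3
"""Pivot on Postfix header_checks WARN lines (added example, not from the diary).

With Subject/From/To logged as warnings, every message leaves one
cleanup(8) line per matched header, all sharing the queue ID. These
helpers parse such lines and answer: which other queue IDs carried the
same Subject (or the same From)?
"""
import re
from collections import defaultdict

# Assumed shape of a cleanup WARN line, per Postfix's header_checks docs:
#   <qid>: warning: header <Name>: <value> from <client>; from=<..> to=<..> proto=.. helo=<..>
CLEANUP_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>\w+): warning: header "
    r"(?P<name>[\w-]+): (?P<value>.*?) from (?P<client>\S+); "
    r"from=<(?P<efrom>[^>]*)> to=<(?P<eto>[^>]*)>"
)

# Constructed sample log (not real traffic): two unrelated senders using
# the same Subject, one benign internal message, one non-cleanup line.
SAMPLE_LOG = """\
Sep  6 15:26:50 mail postfix/cleanup[24158]: 39B0D7FFA9: warning: header Subject: Your invoice #4821 from unknown[203.0.113.5]; from=<Burnett.84@corporate-change.example> to=<list@example.org> proto=ESMTP helo=<[203.0.113.5]>
Sep  6 15:26:50 mail postfix/cleanup[24158]: 39B0D7FFA9: warning: header From: Burnett.84@corporate-change.example from unknown[203.0.113.5]; from=<Burnett.84@corporate-change.example> to=<list@example.org> proto=ESMTP helo=<[203.0.113.5]>
Sep  6 15:31:02 mail postfix/cleanup[24201]: 7C1E27FFB2: warning: header Subject: Your invoice #4821 from unknown[198.51.100.7]; from=<Hale.12@other-sender.example> to=<bob@example.org> proto=ESMTP helo=<mail.other-sender.example>
Sep  6 15:31:02 mail postfix/cleanup[24201]: 7C1E27FFB2: warning: header From: Hale.12@other-sender.example from unknown[198.51.100.7]; from=<Hale.12@other-sender.example> to=<bob@example.org> proto=ESMTP helo=<mail.other-sender.example>
Sep  6 15:40:11 mail postfix/cleanup[24230]: A00F17FFC0: warning: header Subject: Lunch on Friday? from mail.example.net[192.0.2.9]; from=<alice@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
Sep  6 15:40:11 mail postfix/smtpd[24229]: connect from mail.example.net[192.0.2.9]
"""


def parse_cleanup_warnings(log_text: str):
    """Yield one dict per WARN line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = CLEANUP_RE.search(line)
        if m:
            yield m.groupdict()


def index_by_header(records):
    """Map (lower-cased header name, exact header value) -> set of queue IDs."""
    index = defaultdict(set)
    for r in records:
        index[(r["name"].lower(), r["value"])].add(r["qid"])
    return index


def related_queue_ids(log_text: str, header: str, value: str) -> list:
    """Sorted queue IDs of every message whose <header> equalled <value>."""
    index = index_by_header(parse_cleanup_warnings(log_text))
    return sorted(index.get((header.lower(), value), set()))


def envelope_senders(log_text: str, qids) -> dict:
    """Envelope from= per queue ID, to widen the pivot to sender addresses."""
    wanted = set(qids)
    return {r["qid"]: r["efrom"]
            for r in parse_cleanup_warnings(log_text) if r["qid"] in wanted}


if __name__ == "__main__":
    hits = related_queue_ids(SAMPLE_LOG, "Subject", "Your invoice #4821")
    print("queue IDs with that Subject:", hits)
    print("their envelope senders:", envelope_senders(SAMPLE_LOG, hits))
```

The match is exact on purpose: the header value is attacker-controlled, and a loose match (substring, case-folded) is the kind of thing you try second, once an exact pivot has confirmed the first sample is part of a campaign. Feed it the real maillog instead of SAMPLE_LOG and the same two calls give you the list of queue IDs to pull from the quarantine.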
Next, a little procmail trick that gets rid of most current malicious e-mail: a simple check to see whether any compressed attachments contain files with known bad extensions. The B flag makes procmail look at the body, and fbhw pipes the complete message (header and body) through the script as a filter and waits for it to finish:
:0 B
{
    :0 fbhw
    | /usr/local/bin/mime-zip-trojan.pl
}
mime-zip-trojan.pl is an amazingly simple Perl script. You can very easily modify it to extend the extension blacklist. (I can't bring up the site for this script right now, so please trust Google to find it for you.)
The script doesn't block anything; instead, it just adds a header to the e-mail (X-Zip-Trojan: Yes) that you can then use to filter the e-mail with additional procmail rules.
Finally, you should of course send all e-mail (including e-mail flagged by mime-zip-trojan.pl) through an AV scanner so you don't waste your time analyzing old malware.
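The Perl script itself is not on this page, so here is an added Python filter that does the same job (example code written for this page, not the diary's script or the script author's code): it reads the message on stdin, looks at the member names of every zip attachment without extracting anything, and adds the X-Zip-Trojan header that later procmail rules act on. The extension list, the sample message builder and the .example addresses are assumptions for the example, not part of the original.

```python
#!/usr/bin/env python3
"""Stand-in for the mime-zip-trojan.pl filter (added example, not the diary's script).

Reads one RFC 5322 message on stdin, inspects every zip attachment, and
writes the message back to stdout with "X-Zip-Trojan: Yes" added when a
member has a blacklisted extension. Nothing is blocked here; later
procmail rules act on the header, as the diary describes.
"""
import email
import io
import sys
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed blacklist: extensions that have no business arriving inside a zip
# from strangers. Extend to taste. Only the final suffix is checked, so
# "invoice.pdf.exe" is caught while "report.exe.pdf" is not (not executable by name).
BAD_EXTENSIONS = (
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".jar", ".lnk", ".msi",
)
ZIP_CONTENT_TYPES = {"application/zip", "application/x-zip-compressed"}


def is_zip_part(part) -> bool:
    """A part counts as a zip by declared type or by its attachment name."""
    if part.get_content_type() in ZIP_CONTENT_TYPES:
        return True
    return (part.get_filename() or "").lower().endswith(".zip")


def bad_members(blob: bytes) -> list:
    """Return member names with a blacklisted extension.

    Only the central directory is read (no extraction), so a zip bomb costs
    nothing. A corrupt archive is reported as a hit: it defeats inspection
    but a victim's unzip tool may still open it. Nested zips are not recursed.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return ["<unreadable zip>"]
    hits = []
    for name in names:
        if name.endswith("/"):           # directory entry, nothing to run
            continue
        base = name.rsplit("/", 1)[-1].lower()
        if base.endswith(BAD_EXTENSIONS):
            hits.append(name)
    return hits


def scan_message(raw: bytes) -> EmailMessage:
    """Parse a raw message and set X-Zip-Trojan: Yes if any zip part is bad."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart() or not is_zip_part(part):
            continue
        hits.extend(bad_members(part.get_payload(decode=True) or b""))
    # Drop any sender-supplied copy so the header we emit is authoritative.
    del msg["X-Zip-Trojan"]
    if hits:
        msg["X-Zip-Trojan"] = "Yes"
    return msg


def build_sample(member_names) -> bytes:
    """Constructed test input (not real mail): one message with one zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "Burnett.84@corporate-change.example"
    msg["To"] = "list@example.org"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def main() -> int:
    """procmail filter entry point: message in on stdin, message out on stdout."""
    sys.stdout.buffer.write(scan_message(sys.stdin.buffer.read()).as_bytes())
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Drop it in place of /usr/local/bin/mime-zip-trojan.pl in the recipe above and make it executable. Because the recipe uses the w flag, procmail keeps the original message if the filter exits non-zero, so a parse failure does not lose mail. Extension matching is a cheap first pass only: the sender can rename a member, password-protect the archive, or switch to another container format, which is why the mail still needs to go through an AV scanner afterwards.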
One thing you SHOULD NEVER do: send all attachments to VirusTotal. VirusTotal is a great service, and they offer some tools to automate submissions. But do not send anything beyond a hash unless you are pretty sure it is malicious and absolutely sure it is not confidential. Any files sent to VirusTotal are made available to researchers and others, and attackers have been known to watch for their own samples showing up there.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.