Posted to users@spamassassin.apache.org by Thomas Barth <tb...@txbweb.de> on 2016/02/01 13:48:08 UTC
How to reject all mails with docs attached?
Hi,
for a week or so I get a lot of mails with bills as doc-documents and
Spamassassin is actually not able to mark it as spam. The documents
contain a macro. AMaVis is configured to reject all spam-mails directly
(no store&forward). How can I configure Spamassassin to mark all mails
with doc-documents attached as spam? I need some time for preparing a
complete update of my first mailserver (Debian / Postfix / courier /
AMaVis / Spamassassin / ClamAV).
Thomas B
Re: How to reject all mails with docs attached?
Posted by RW <rw...@googlemail.com>.
On Mon, 01 Feb 2016 13:06:15 +0000
Martin Gregorie wrote:
> Install the MimeMagic plugin if you haven't already done so. This lets
> you write rules against an attachment's Mime header,
I've not heard of MimeMagic, but what you are describing sounds like
MIMEHeader, which is a standard part of SA and on by default.
Re: How to reject all mails with docs attached?
Posted by Martin Gregorie <ma...@gregorie.org>.
On Mon, 2016-02-01 at 13:48 +0100, Thomas Barth wrote:
> Hi,
> for a week or so I get a lot of mails with bills as doc-documents and
> Spamassassin is actually not able to mark it as spam. The documents
> contain a macro. AMaVis is configured to reject all spam-mails
> directly
> (no store&forward). How can I configure Spamassassin to mark all
> mails
> with doc-documents attached as spam?
>
Install the MimeMagic plugin if you haven't already done so. This lets
you write rules against an attachment's Mime header, for instance to
recognise *.doc filenames, and to detect mismatches between the content
type and the file name. You can also use normal body rules to inspect
the contents of an attachment.
Martin
Re: How to reject all mails with docs attached?
Posted by Paul Stead <pa...@zeninternet.co.uk>.
On 01/02/16 12:48, Thomas Barth wrote:
> Hi,
> for a week or so I get a lot of mails with bills as doc-documents and
> Spamassassin is actually not able to mark it as spam. The documents
> contain a macro.
I find that the Sanesecurity Badmacro rules are catching these nicely -
http://sanesecurity.com/usage/signatures/
--
Paul Stead
Systems Engineer
Zen Internet
Re: How to reject all mails with docs attached?
Posted by Thomas Barth <tb...@txbweb.de>.
OK, thank you for your solution. I also found the definitions in the
amavis conf file 20-debian_defaults:
root@mailserver1 /etc # grep -nri "exe" /etc/amavis/
/etc/amavis/conf.d/20-debian_defaults:115: qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
/etc/amavis/conf.d/20-debian_defaults:133: qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
/etc/amavis/conf.d/20-debian_defaults:134:# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
/etc/amavis/conf.d/20-debian_defaults:141: qr'^\.(exe-ms)$', # banned file(1) types
/etc/amavis/conf.d/20-debian_defaults:142:# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types
Thomas B
On 01.02.2016 at 15:09, Reindl Harald wrote:
>
>
> On 01.02.2016 at 15:05, Thomas Barth wrote:
>> No viruses were found.
>> Banned name: .exe,.exe-ms,23676883772984656662(1).doc.exe
>> Content type: Banned
>> Not quarantined.
>> The message WAS NOT relayed to:
>> xxx
>> 554 5.7.0 Reject, id=09201-09 - BANNED:
>> .exe,.exe-ms,23676883772984656662(1).doc.exe
>>
>> This message is a test result of ClamAV? I would like to add .doc as
>> banned name
>
> sounds like amavis and as already suggested: reject it at smtpd level
>
> mime_header_checks = pcre:/etc/postfix/mime_header_checks.cf
>
> [root@mail-gw:~]$ cat /etc/postfix/mime_header_checks.cf
> # Reject Attachment Extensions
> /^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* =
> \s*"?(.*?(\.|=2E)(386|acm|ade|adp|apk|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)?"?\s*(;|$)/x
> REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) "$1"
>
>
>> On 01.02.2016 at 13:50, Reindl Harald wrote:
>>>
>>> On 01.02.2016 at 13:48, Thomas Barth wrote:
>>>> for a week or so I get a lot of mails with bills as doc-documents and
>>>> Spamassassin is actually not able to mark it as spam
>>>
>>> it is able
>>>
>>> combined BAYES scores and other rules on a proper trained SA leads to
>>> 99.9% milter-reject rate of these malware mails here
>
Re: How to reject all mails with docs attached?
Posted by Reindl Harald <h....@thelounge.net>.
On 01.02.2016 at 17:22, Thomas Barth wrote:
> Hi,
> txbweb.de is my private address only for testing and learning. The
> domain of the company I'm working for is affected. And for this company
> domain an SPF entry already exists.
>
> root@mailserver1 /etc # host -t TXT domain.de
> domain.de descriptive text "v=spf1 ip4:188.40.xxx.xx -all"
>
> And that means that only our mailserver should be allowed to send mails
> with our domain, am I right? Working SPF checking mailservers should
> block the email from spammers, because their ip-addresses are different
> from our domain ip address?
yes "-all" means "hard SPF policy"
at least SpamAssassin and other solutions would give scores for
SPF_HARD_FAIL and/or SPF_SOFT_FAIL - the main point is in case of such
forged mail that someone is able to distinguish that it did not come from
the domain's servers before penalising the sender
> On 01.02.2016 at 16:26, Reindl Harald wrote:
>> maybe you learn about SPF then......
>>
>> On 01.02.2016 at 16:23, Thomas Barth wrote:
>>> The mails with docs attached are getting rejected successfully. I'm
>>> getting a lot of these mails from a botnet now, each mail with a
>>> different generated mail suffix, but always with our top level domain. I
>>> hope that we don't get problems that the spammers are using our main
>>> domain for spreading their spam :-/
>>
>> [harry@rh:~]$ dig TXT txbweb.de
>> ; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> TXT txbweb.de
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13842
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 1024
>> ;; QUESTION SECTION:
>> ;txbweb.de. IN TXT
>>
>> ;; AUTHORITY SECTION:
>> txbweb.de. 120 IN SOA dns1.kontent.com.
>> hostmaster.kontent.com. 2015050806 10800 3600 604800 86400
>>
>> ;; Query time: 115 msec
>> ;; SERVER: 10.0.0.6#53(10.0.0.6)
>> ;; WHEN: Mo Feb 01 16:24:56 CET 2016
>> ;; MSG SIZE rcvd: 101
>>
>>> On 01.02.2016 at 15:09, Reindl Harald wrote:
>>>>
>>>>
>>>> On 01.02.2016 at 15:05, Thomas Barth wrote:
>>>>> No viruses were found.
>>>>> Banned name: .exe,.exe-ms,23676883772984656662(1).doc.exe
>>>>> Content type: Banned
>>>>> Not quarantined.
>>>>> The message WAS NOT relayed to:
>>>>> xxx
>>>>> 554 5.7.0 Reject, id=09201-09 - BANNED:
>>>>> .exe,.exe-ms,23676883772984656662(1).doc.exe
>>>>>
>>>>> This message is a test result of ClamAV? I would like to add .doc as
>>>>> banned name
>>>>
>>>> sounds like amavis and as already suggested: reject it at smtpd level
>>>>
>>>> mime_header_checks = pcre:/etc/postfix/mime_header_checks.cf
>>>>
>>>> [root@mail-gw:~]$ cat /etc/postfix/mime_header_checks.cf
>>>> # Reject Attachment Extensions
>>>> /^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* =
>>>> \s*"?(.*?(\.|=2E)(386|acm|ade|adp|apk|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)?"?\s*(;|$)/x
>>>>
>>>> REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) "$1"
>>>>
>>>>
>>>>> On 01.02.2016 at 13:50, Reindl Harald wrote:
>>>>>>
>>>>>> On 01.02.2016 at 13:48, Thomas Barth wrote:
>>>>>>> for a week or so I get a lot of mails with bills as doc-documents
>>>>>>> and
>>>>>>> Spamassassin is actually not able to mark it as spam
>>>>>>
>>>>>> it is able
>>>>>>
>>>>>> combined BAYES scores and other rules on a proper trained SA leads to
>>>>>> 99.9% milter-reject rate of these malware mails here
Re: How to reject all mails with docs attached?
Posted by Thomas Barth <tb...@txbweb.de>.
Hi,
txbweb.de is my private address only for testing and learning. The
domain of the company I'm working for is affected. And for this company
domain an SPF entry already exists.
root@mailserver1 /etc # host -t TXT domain.de
domain.de descriptive text "v=spf1 ip4:188.40.xxx.xx -all"
And that means that only our mailserver should be allowed to send mails
with our domain, am I right? Working SPF checking mailservers should
block the email from spammers, because their ip-addresses are different
from our domain ip address?
Thomas B
On 01.02.2016 at 16:26, Reindl Harald wrote:
> maybe you learn about SPF then......
>
> On 01.02.2016 at 16:23, Thomas Barth wrote:
>> The mails with docs attached are getting rejected successfully. I'm
>> getting a lot of these mails from a botnet now, each mail with a
>> different generated mail suffix, but always with our top level domain. I
>> hope that we don't get problems that the spammers are using our main
>> domain for spreading their spam :-/
>
> [harry@rh:~]$ dig TXT txbweb.de
> ; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> TXT txbweb.de
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13842
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1024
> ;; QUESTION SECTION:
> ;txbweb.de. IN TXT
>
> ;; AUTHORITY SECTION:
> txbweb.de. 120 IN SOA dns1.kontent.com.
> hostmaster.kontent.com. 2015050806 10800 3600 604800 86400
>
> ;; Query time: 115 msec
> ;; SERVER: 10.0.0.6#53(10.0.0.6)
> ;; WHEN: Mo Feb 01 16:24:56 CET 2016
> ;; MSG SIZE rcvd: 101
>
>> On 01.02.2016 at 15:09, Reindl Harald wrote:
>>>
>>>
>>> On 01.02.2016 at 15:05, Thomas Barth wrote:
>>>> No viruses were found.
>>>> Banned name: .exe,.exe-ms,23676883772984656662(1).doc.exe
>>>> Content type: Banned
>>>> Not quarantined.
>>>> The message WAS NOT relayed to:
>>>> xxx
>>>> 554 5.7.0 Reject, id=09201-09 - BANNED:
>>>> .exe,.exe-ms,23676883772984656662(1).doc.exe
>>>>
>>>> This message is a test result of ClamAV? I would like to add .doc as
>>>> banned name
>>>
>>> sounds like amavis and as already suggested: reject it at smtpd level
>>>
>>> mime_header_checks = pcre:/etc/postfix/mime_header_checks.cf
>>>
>>> [root@mail-gw:~]$ cat /etc/postfix/mime_header_checks.cf
>>> # Reject Attachment Extensions
>>> /^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* =
>>> \s*"?(.*?(\.|=2E)(386|acm|ade|adp|apk|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)?"?\s*(;|$)/x
>>>
>>> REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) "$1"
>>>
>>>
>>>> On 01.02.2016 at 13:50, Reindl Harald wrote:
>>>>>
>>>>> On 01.02.2016 at 13:48, Thomas Barth wrote:
>>>>>> for a week or so I get a lot of mails with bills as doc-documents
>>>>>> and
>>>>>> Spamassassin is actually not able to mark it as spam
>>>>>
>>>>> it is able
>>>>>
>>>>> combined BAYES scores and other rules on a proper trained SA leads to
>>>>> 99.9% milter-reject rate of these malware mails here
>
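The SPF question in this post and the answer above it ("-all" is a hard policy, "~all" a soft one), as an added example that is not part of the thread: a minimal offline SPF evaluator in Python. The record is constructed, standing in for the redacted `v=spf1 ip4:188.40.xxx.xx -all`, and uses documentation address space; only `ip4`, `ip6` and `all` mechanisms are evaluated, because `include`, `a`, `mx` and `exists` need DNS lookups. A domain with no SPF TXT record at all, which is what the dig output for txbweb.de in the thread shows, yields "none".

```python
import ipaddress

# SPF qualifiers (RFC 7208 section 4.6.2) and the result each yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records standing in for the redacted company record in the thread;
# 192.0.2.0/24 and 198.51.100.0/24 are documentation address space.
HARD_FAIL_RECORD = "v=spf1 ip4:192.0.2.10 -all"
SOFT_FAIL_RECORD = "v=spf1 ip4:192.0.2.10 ~all"


def parse_spf(txt):
    """Split an SPF TXT record into (result_on_match, mechanism, argument) tuples.

    Returns None when the string is not an SPF record at all.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms = []
    for term in terms[1:]:
        if "=" in term:
            # redirect= and exp= are modifiers, not mechanisms; skipped offline.
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        mechanisms.append((QUALIFIERS[qualifier], name.lower(), argument))
    return mechanisms


def evaluate_spf(txt, client_ip):
    """Evaluate client_ip against an SPF record using only ip4/ip6/all.

    include, a, mx and exists need DNS lookups, so this offline evaluator
    treats them as "no match" and falls through to the next mechanism.
    """
    mechanisms = parse_spf(txt)
    if mechanisms is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for result, name, argument in mechanisms:
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return result
    # No mechanism matched and there is no "all" term: RFC 7208 says neutral.
    return "neutral"


if __name__ == "__main__":
    # The listed server passes; a forged sender from anywhere else gets the
    # result the "all" qualifier selects: hard fail with -all, softfail with ~all.
    for record in (HARD_FAIL_RECORD, SOFT_FAIL_RECORD):
        for sender in ("192.0.2.10", "198.51.100.7"):
            print(f"{record:36} {sender:15} -> {evaluate_spf(record, sender)}")
```

The receiving side is what matters for the botnet case described in the thread: a receiver that checks SPF sees "fail" for the forged sender and can reject or score it, while the publishing domain itself cannot stop the forgery, only make it detectable.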
Re: How to reject all mails with docs attached?
Posted by Reindl Harald <h....@thelounge.net>.
maybe you learn about SPF then......
On 01.02.2016 at 16:23, Thomas Barth wrote:
> The mails with docs attached are getting rejected successfully. I'm
> getting a lot of these mails from a botnet now, each mail with a
> different generated mail suffix, but always with our top level domain. I
> hope that we don't get problems that the spammers are using our main
> domain for spreading their spam :-/
[harry@rh:~]$ dig TXT txbweb.de
; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> TXT txbweb.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13842
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;txbweb.de. IN TXT
;; AUTHORITY SECTION:
txbweb.de. 120 IN SOA dns1.kontent.com.
hostmaster.kontent.com. 2015050806 10800 3600 604800 86400
;; Query time: 115 msec
;; SERVER: 10.0.0.6#53(10.0.0.6)
;; WHEN: Mo Feb 01 16:24:56 CET 2016
;; MSG SIZE rcvd: 101
> On 01.02.2016 at 15:09, Reindl Harald wrote:
>>
>>
>> On 01.02.2016 at 15:05, Thomas Barth wrote:
>>> No viruses were found.
>>> Banned name: .exe,.exe-ms,23676883772984656662(1).doc.exe
>>> Content type: Banned
>>> Not quarantined.
>>> The message WAS NOT relayed to:
>>> xxx
>>> 554 5.7.0 Reject, id=09201-09 - BANNED:
>>> .exe,.exe-ms,23676883772984656662(1).doc.exe
>>>
>>> This message is a test result of ClamAV? I would like to add .doc as
>>> banned name
>>
>> sounds like amavis and as already suggested: reject it at smtpd level
>>
>> mime_header_checks = pcre:/etc/postfix/mime_header_checks.cf
>>
>> [root@mail-gw:~]$ cat /etc/postfix/mime_header_checks.cf
>> # Reject Attachment Extensions
>> /^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* =
>> \s*"?(.*?(\.|=2E)(386|acm|ade|adp|apk|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)?"?\s*(;|$)/x
>> REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) "$1"
>>
>>
>>> On 01.02.2016 at 13:50, Reindl Harald wrote:
>>>>
>>>> On 01.02.2016 at 13:48, Thomas Barth wrote:
>>>>> for a week or so I get a lot of mails with bills as doc-documents and
>>>>> Spamassassin is actually not able to mark it as spam
>>>>
>>>> it is able
>>>>
>>>> combined BAYES scores and other rules on a proper trained SA leads to
>>>> 99.9% milter-reject rate of these malware mails here
Re: How to reject all mails with docs attached?
Posted by Thomas Barth <tb...@txbweb.de>.
The mails with docs attached are getting rejected successfully. I'm
getting a lot of these mails from a botnet now, each mail with a
different generated mail suffix, but always with our top level domain. I
hope that we don't get problems that the spammers are using our main
domain for spreading their spam :-/
Thomas B
On 01.02.2016 at 15:09, Reindl Harald wrote:
>
>
> On 01.02.2016 at 15:05, Thomas Barth wrote:
>> No viruses were found.
>> Banned name: .exe,.exe-ms,23676883772984656662(1).doc.exe
>> Content type: Banned
>> Not quarantined.
>> The message WAS NOT relayed to:
>> xxx
>> 554 5.7.0 Reject, id=09201-09 - BANNED:
>> .exe,.exe-ms,23676883772984656662(1).doc.exe
>>
>> This message is a test result of ClamAV? I would like to add .doc as
>> banned name
>
> sounds like amavis and as already suggested: reject it at smtpd level
>
> mime_header_checks = pcre:/etc/postfix/mime_header_checks.cf
>
> [root@mail-gw:~]$ cat /etc/postfix/mime_header_checks.cf
> # Reject Attachment Extensions
> /^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* =
> \s*"?(.*?(\.|=2E)(386|acm|ade|adp|apk|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)?"?\s*(;|$)/x
> REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) "$1"
>
>
>> On 01.02.2016 at 13:50, Reindl Harald wrote:
>>>
>>> On 01.02.2016 at 13:48, Thomas Barth wrote:
>>>> for a week or so I get a lot of mails with bills as doc-documents and
>>>> Spamassassin is actually not able to mark it as spam
>>>
>>> it is able
>>>
>>> combined BAYES scores and other rules on a proper trained SA leads to
>>> 99.9% milter-reject rate of these malware mails here
>
Re: How to reject all mails with docs attached?
Posted by Reindl Harald <h....@thelounge.net>.
On 01.02.2016 at 15:05, Thomas Barth wrote:
> No viruses were found.
> Banned name: .exe,.exe-ms,23676883772984656662(1).doc.exe
> Content type: Banned
> Not quarantined.
> The message WAS NOT relayed to:
> xxx
> 554 5.7.0 Reject, id=09201-09 - BANNED:
> .exe,.exe-ms,23676883772984656662(1).doc.exe
>
> This message is a test result of ClamAV? I would like to add .doc as
> banned name
sounds like amavis and as already suggested: reject it at smtpd level
mime_header_checks = pcre:/etc/postfix/mime_header_checks.cf
[root@mail-gw:~]$ cat /etc/postfix/mime_header_checks.cf
# Reject Attachment Extensions
/^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* =
\s*"?(.*?(\.|=2E)(386|acm|ade|adp|apk|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)?"?\s*(;|$)/x
REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) "$1"
> On 01.02.2016 at 13:50, Reindl Harald wrote:
>>
>> On 01.02.2016 at 13:48, Thomas Barth wrote:
>>> for a week or so I get a lot of mails with bills as doc-documents and
>>> Spamassassin is actually not able to mark it as spam
>>
>> it is able
>>
>> combined BAYES scores and other rules on a proper trained SA leads to
>> 99.9% milter-reject rate of these malware mails here
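The two attachment filters compared in this thread, as an added example that is not code from any of the posters: the Postfix mime_header_checks pattern Reindl Harald posted (its two wrapped lines joined) and the amavis double-extension rule from Debian's 20-debian_defaults that Thomas Barth's grep output shows, both run in Python over constructed header lines and a constructed MIME message. The attachment names are the ones from the BANNED notice in the thread; the addresses, bodies and boundary are made up. Running it shows why the original question arose: `23676883772984656662(1).doc.exe` is caught by both rules, while a plain `rent bill.doc` is caught by neither, because `doc` is in neither extension list.

```python
import re
from email import message_from_string
from typing import List, Optional, Tuple

# The Postfix mime_header_checks pattern from the thread. Postfix pcre tables
# match case-insensitively by default and the pattern is declared with /x, so
# the Python equivalent is re.I | re.X (the stray spaces are ignored under re.X).
ATTACHMENT_RE = re.compile(r'''
^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* =
\s*"?(.*?(\.|=2E)(386|acm|ade|adp|apk|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)?"?\s*(;|$)
''', re.I | re.X)

# The amavis banned_filename entry (line 115 of 20-debian_defaults in the grep
# output): a double extension such as "bill.doc.exe".
DOUBLE_EXT_RE = re.compile(r'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$', re.I)


def postfix_match(header_line: str) -> Optional[str]:
    """Return the extension the Postfix check would reject this header for, else None."""
    m = ATTACHMENT_RE.match(header_line)
    return m.group(3).lower() if m else None


def amavis_double_extension(filename: str) -> bool:
    """True when amavis's double-extension rule would ban this (decoded) file name."""
    return DOUBLE_EXT_RE.search(filename) is not None


# Constructed header lines. The last one is an RFC 2047 encoded-word name,
# which the Postfix pattern handles through its "=2E" and "(?:\?=)?" parts.
HEADER_SAMPLES = (
    'Content-Disposition: attachment; filename="23676883772984656662(1).doc.exe"',
    'Content-Disposition: attachment; filename="rent bill.doc"',
    'Content-Type: application/octet-stream; name="fish.scr"',
    'Content-Disposition: attachment; filename="=?utf-8?q?rechnung=2Eexe?="',
)

# Constructed message; only the attachment names come from the thread.
SAMPLE_MESSAGE = """\
From: info@example.com
To: user@example.org
Subject: rent bill
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="23676883772984656662(1).doc.exe"
Content-Disposition: attachment; filename="23676883772984656662(1).doc.exe"

MZ (constructed placeholder body)
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="rent bill.doc"

(constructed placeholder body)
--b1--
"""


def scan_message(raw: str) -> List[Tuple[str, List[str]]]:
    """Run both checks over every attachment; returns (file name, reasons) per part."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue
        reasons = []
        # Postfix sees raw header lines, so rebuild "Name: value" for each one.
        for field in ("Content-Disposition", "Content-Type"):
            value = part.get(field)
            ext = postfix_match(f"{field}: {value}") if value else None
            if ext:
                reasons.append(f"postfix:{ext}")
                break
        # amavis works on the decoded file name instead.
        if amavis_double_extension(filename):
            reasons.append("amavis:double-extension")
        findings.append((filename, reasons))
    return findings


if __name__ == "__main__":
    for line in HEADER_SAMPLES:
        print(f"{line}\n    -> {postfix_match(line)}")
    for name, reasons in scan_message(SAMPLE_MESSAGE):
        print(f"{name!r}: {reasons or 'not caught by either list'}")
```

Both lists are extension lists, so they only ever see the name the sender chose; the amavis "banned file(1) types" entries in the same Debian file (`.exe-ms`) are the part that looks at content. Adding `doc` to either alternation does what Thomas asked for, at the cost of rejecting every legitimate Word attachment too, which is why the other replies point at macro-specific ClamAV signatures instead.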
Re: How to reject all mails with docs attached?
Posted by Thomas Barth <tb...@txbweb.de>.
Hi,
but the system is already configured to ban mails with special
documents attached, even when no viruses were found. Here is an example
message I get when a message wasn't relayed to the recipient:
content_banned.txt
BANNED contents (.exe,.exe-ms,23676883772984656662(1).doc.exe) in mail FROM
[xxx] <im...@yahoo.com.au>
No viruses were found.
Banned name: .exe,.exe-ms,23676883772984656662(1).doc.exe
Content type: Banned
Internal reference code for the message is 09201-09/1bBb09PEuZHK
First upstream SMTP client IP address: [xxx]
xxx
According to a 'Received:' trace, the message originated at: [xxx],
[xxx] account impregnatingyrk55@yahoo.com.au HELO
znwflfubbbqunrr.yfudaqirzgog.net
Return-Path: <im...@yahoo.com.au>
From: info@yahoo.com.au
Message-ID: <e8...@qxcfrc.fvuwdwyqpeue.pt>
Subject: frent bill
Not quarantined.
The message WAS NOT relayed to:
xxx
554 5.7.0 Reject, id=09201-09 - BANNED:
.exe,.exe-ms,23676883772984656662(1).doc.exe
This message is a test result of ClamAV? I would like to add .doc as
banned name
Thomas B
On 01.02.2016 at 13:50, Reindl Harald wrote:
>
>
> On 01.02.2016 at 13:48, Thomas Barth wrote:
>> for a week or so I get a lot of mails with bills as doc-documents and
>> Spamassassin is actually not able to mark it as spam
>
> it is able
>
> combined BAYES scores and other rules on a proper trained SA leads to
> 99.9% milter-reject rate of these malware mails here
>
Re: How to reject all mails with docs attached?
Posted by Reindl Harald <h....@thelounge.net>.
On 01.02.2016 at 13:48, Thomas Barth wrote:
> for a week or so I get a lot of mails with bills as doc-documents and
> Spamassassin is actually not able to mark it as spam
it is able
combined BAYES scores and other rules on a proper trained SA leads to
99.9% milter-reject rate of these malware mails here
Re: How to reject all mails with docs attached?
Posted by Robert Schetterer <rs...@sys4.de>.
On 01.02.2016 at 16:23, Benny Pedersen wrote:
> On 2016-02-01 13:57, Axb wrote:
>
>> SA mimeheader rules
>> To save cycles, I'd opt for rejecting at smtp level with Postfix mime
>> header checks.
>
> postfix mime is not as good as clamav-milter; if one really wants to
> limit resources use milter-regex, but that has no unpacking of malware in
> zip/rar or other compressed archives, like a zip with a .scr screen saver
> with fish in the aquarium :=)
you may combine
postfix body_checks, i.e.
/^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*\.(lnk|asd|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/ REJECT
or amavis policy
or with sieve/dovecot
https://sys4.de/de/blog/2016/01/22/content-blocking-mit-sieve/
maildrop
is so old, here's some post
http://sourceforge.net/p/courier/mailman/message/4591641/
spamassassin (never used it like this)
http://jrs-s.net/2013/06/14/block-common-trojans-in-spamassassin/
best is that clam will detect the problem
Best Regards
Kind regards, Robert Schetterer
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Munich Local Court: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
Re: How to reject all mails with docs attached?
Posted by Benny Pedersen <me...@junc.eu>.
On 2016-02-01 13:57, Axb wrote:
> SA mimeheader rules
> To save cycles, I'd opt for rejecting at smtp level with Postfix mime
> header checks.
postfix mime is not as good as clamav-milter; if one really wants to
limit resources use milter-regex, but that has no unpacking of malware in
zip/rar or other compressed archives, like a zip with a .scr screen saver
with fish in the aquarium :=)
Re: How to reject all mails with docs attached?
Posted by Axb <ax...@gmail.com>.
On 02/01/2016 01:48 PM, Thomas Barth wrote:
> Hi,
> for a week or so I get a lot of mails with bills as doc-documents and
> Spamassassin is actually not able to mark it as spam. The documents
> contain a macro. AMaVis is configured to reject all spam-mails directly
> (no store&forward). How can I configure Spamassassin to mark all mails
> with doc-documents attached as spam? I need some time for preparing a
> complete update of my first mailserver (Debian / Postfix / courier /
> AMaVis / Spamassassin / ClamAV).
SA mimeheader rules
To save cycles, I'd opt for rejecting at smtp level with Postfix mime
header checks.