Blocking certain attachments inside zip

Status
Not open for further replies.

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,221
Location
Maastricht
You probably don't need Spamblocker for this.
If you install Clamav with custombuild, you can have it scan the contents of archives in emails.
 

amphora

Verified User
Joined
Feb 21, 2013
Messages
45
I have clamav running, but it's not detecting it. The malicious files aren't recognized by clamav. Spammers are getting smarter, code changes daily.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,221
Location
Maastricht
Have you already checked the options in clamd.conf? Maybe enabling the heuristics can be of help.

However, your idea might be nice for Spamblocker. Probably better to put it in the suggestions section?
 

ozgurerdogan

Verified User
Joined
Apr 20, 2008
Messages
293
There is no option in clamd.conf for heuristic scan. But even putting those virus attachments in a folder and manually scanning them does not work.
 

Wupgup

Verified User
Joined
Nov 24, 2014
Messages
6
I've just tested a file (with locky.js) from the 11th of March and it was still not being detected by ClamAV. The daily changes and the fact that the email comes from the users themselves (spoofed) make it a little bit harder to fight this.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,221
Location
Maastricht
Yes, I've read it in your other post. ClamAV is not the best scanner, but there is not much choice for Linux.

There is no option in clamd.conf for heuristic scan.
Sorry? Did you look in the correct file? The clamd.conf file has multiple options which can be enabled for a heuristic scan.
Code:
HeuristicScanPrecedence yes
would probably be the main one, but there are others.
 

tundasrl

Verified User
Joined
May 17, 2008
Messages
34
Yes, I've read it in your other post. ClamAV is not the best scanner, but there is not much choice for Linux.


Sorry? Did you look in the correct file? The clamd.conf file has multiple options which can be enabled for a heuristic scan.
Code:
HeuristicScanPrecedence yes
would probably be the main one, but there are others.
Someone reported it as "broken"

http://www.gossamer-threads.com/lists/clamav/users/65566
 

amphora

Verified User
Joined
Feb 21, 2013
Messages
45
I changed "deny" to "warn" but a message with zipped js is not blocked or tagged as spam
You need to configure SpamAssassin to give a score to mail that has that header (replace "Attachment has unsupported file format inside zip file" with whatever text you have in the script):
Code:
header CUST_HEADER_ACL_INSIDE_ZIP       X-ACL-Warn =~ /Attachment has unsupported file format inside zip file/
score CUST_HEADER_ACL_INSIDE_ZIP        11
describe        CUST_HEADER_ACL_INSIDE_ZIP      Attachment has unsupported file format inside zip file
 

tundasrl

Verified User
Joined
May 17, 2008
Messages
34
You need to configure SpamAssassin to give a score to mail that has that header (replace "Attachment has unsupported file format inside zip file" with whatever text you have in the script):
Code:
header CUST_HEADER_ACL_INSIDE_ZIP       X-ACL-Warn =~ /Attachment has unsupported file format inside zip file/
score CUST_HEADER_ACL_INSIDE_ZIP        11
describe        CUST_HEADER_ACL_INSIDE_ZIP      Attachment has unsupported file format inside zip file
Doesn't work. I get the X-ACL-Warn header in the malware message, but the SpamAssassin rule is not triggered.

This is a fragment of the actual header of the message:

Code:
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on xxx.xxx.xxx.xxx, -10 Spam score
X-ACL-Warn: Unsupported file format inside zip file
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam detection software, running on the system "xxxxxxxxxxxxxx",
    has NOT identified this incoming email as spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
The SpamAssassin rule is:

Code:
header   CUST_HEADER_ACL_INSIDE_ZIP   X-ACL-Warn =~ /Unsupported file format inside zip file/i
score    CUST_HEADER_ACL_INSIDE_ZIP   30.0
describe CUST_HEADER_ACL_INSIDE_ZIP   Attachment has unsupported file format inside zip file
The ACL contains:

Code:
add_header = X-ACL-Warn: Unsupported file format inside zip file
 

amphora

Verified User
Joined
Feb 21, 2013
Messages
45
The ACL doesn't need an add_header. The message in the ACL is added as a header automatically.
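The two things the thread debates are (a) the check behind the "Unsupported file format inside zip file" warning, i.e. looking at the member names inside a zip attachment without extracting anything, and (b) whether the SpamAssassin header rule quoted above actually matches the X-ACL-Warn header that ends up in the message. The script below is an added, stand-alone illustration and is not code from the thread, from Spamblocker or from the Exim/SpamAssassin projects. It assumes a blocked-extension list (the thread only names .js; the rest is an assumption), builds its own constructed sample message with a zip attachment, and reuses the header name and rule text exactly as they appear in the posts above.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Assumed list of extensions treated as "unsupported" inside an archive.
# The thread itself only mentions .js (the Locky downloader case).
BLOCKED_INNER_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".exe", ".scr", ".bat", ".cmd"}

# Header name and text as they appear in the thread's ACL and message headers.
WARN_HEADER_NAME = "X-ACL-Warn"
WARN_HEADER_TEXT = "Unsupported file format inside zip file"

# The regex from the SpamAssassin rule quoted in the thread (case-insensitive).
RULE_PATTERN = re.compile(r"Unsupported file format inside zip file", re.IGNORECASE)


def blocked_members(zip_bytes):
    """Return the member names in a zip whose extension is blocked.

    Only the central directory is read; no member is extracted, so a
    malformed or oversized archive cannot write anything to disk.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # Something claiming to be a zip that is not one is itself suspicious.
        return ["<not a valid zip archive>"]
    hits = []
    for name in names:
        lower = name.lower().rstrip("/")
        # endswith() also catches double extensions such as invoice.pdf.js
        if any(lower.endswith(ext) for ext in BLOCKED_INNER_EXTENSIONS):
            hits.append(name)
    return hits


def scan_message(raw):
    """Parse a raw RFC 5322 message, inspect every zip attachment and return
    the header line an ACL 'warn message = ...' would add, or None."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if filename.endswith(".zip") or ctype in ("application/zip", "application/x-zip-compressed"):
            if blocked_members(part.get_payload(decode=True)):
                return f"{WARN_HEADER_NAME}: {WARN_HEADER_TEXT}"
    return None


def rule_triggers(headers):
    """Apply the thread's header rule to a list of (name, value) header pairs:
    True if any X-ACL-Warn header matches the rule's regex."""
    return any(RULE_PATTERN.search(value)
               for name, value in headers
               if name.lower() == WARN_HEADER_NAME.lower())


def build_sample(inner_name, inner_body=b"// constructed placeholder content"):
    """Constructed sample message with one zip attachment (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_body)
    msg = EmailMessage()
    msg["From"] = "user@example.com"   # spoofed-looking sender, as in the thread
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for inner in ("invoice.js", "invoice.pdf.js", "invoice.pdf"):
        warn = scan_message(build_sample(inner))
        print(f"{inner:15} -> {warn}")
        if warn:
            name, value = warn.split(": ", 1)
            print("   rule triggers:", rule_triggers([(name, value)]))
```

Running it shows that the rule's regex does match the header text shown in the thread, so if SpamAssassin still does not add the score, the pattern itself is not the place to look; what remains to check is whether the header is already present in the message at the moment the spam check runs, which depends on the ACL ordering in the mail setup, not on this script.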
 