Blocking certain attachments inside zip

Status
Not open for further replies.
You probably don't need Spamblocker for this.
If you install Clamav with custombuild, you can have it scan the contents of archives in emails.
 
I have clamav running, but it's not detecting it. The malicious files aren't recognized by clamav. Spammers are getting smarter; the code changes daily.
 
Have you already checked the options in clamd.conf? Maybe enabling the heuristics can be of help.

However, your idea might be nice for Spamblocker. Probably better to put it in the suggestions section?
 
There is no option in clamd.conf for heuristic scan. But even putting those virus attachments in a folder and manually scanning them does not work.
 
I've just tested a file (with locky.js) from the 11th of March and it was still not being detected by ClamAV. The daily changes and the fact that the email comes from the users themselves (spoofed) make it a little bit harder to fight this.
 
Yes, I've read it, in your other post. Clamav is not the best scanner, but there is not much choice for Linux.

There is no option in clamd.conf for heuristic scan.
Sorry? Did you look in the correct file? The clamd.conf file has multiple options which can be enabled for a heuristic scan.
Code:
HeuristicScanPrecedence yes
would probably be the main one, but there are others.
 
Someone reported it as "broken"

http://www.gossamer-threads.com/lists/clamav/users/65566
 
I changed "deny" to "warn", but a message with a zipped js is not blocked or tagged as spam.
You need to configure SpamAssassin to give a score to mail that has that header (replace "Attachment has unsupported file format inside zip file" with whatever text you have in the script):
Code:
header CUST_HEADER_ACL_INSIDE_ZIP       X-ACL-Warn =~ /Attachment has unsupported file format inside zip file/
score CUST_HEADER_ACL_INSIDE_ZIP        11
describe        CUST_HEADER_ACL_INSIDE_ZIP      Attachment has unsupported file format inside zip file
 
Doesn't work. I get the X-ACL-Warn header in the malware message, but the SpamAssassin rule is not triggered.

This is a fragment of the actual header of the message:

Code:
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on xxx.xxx.xxx.xxx, -10 Spam score
X-ACL-Warn: Unsupported file format inside zip file
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam detection software, running on the system "xxxxxxxxxxxxxx",
    has NOT identified this incoming email as spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see

The SpamAssassin rule is:

Code:
header   CUST_HEADER_ACL_INSIDE_ZIP   X-ACL-Warn =~ /Unsupported file format inside zip file/i
score    CUST_HEADER_ACL_INSIDE_ZIP   30.0
describe CUST_HEADER_ACL_INSIDE_ZIP   Attachment has unsupported file format inside zip file

The ACL contains:

Code:
add_header = X-ACL-Warn: Unsupported file format inside zip file
 
The ACL doesn't need an add_header. The message in the ACL is added as a header automatically.
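As an added example (not Spamblocker, Exim, ClamAV or SpamAssassin code, and not from any poster in this thread), the Python below models the two steps the thread is about so they can be run offline: opening each zip attachment and checking the names of the files inside it, then adding the X-ACL-Warn header and applying a SpamAssassin-style `header ... =~ /.../` rule with a score. It puts the rule text as first posted next to the corrected one so the mismatch against the real header value is visible. The blocked extension set, the helper names and the sample mail are assumptions made for this example; it also goes beyond the thread by looking into nested zips and by noting that member names stay readable in password-protected zips.

```python
"""Added example: name-based check of zip members plus a header-scoring rule.

Not the Spamblocker ACL, ClamAV or SpamAssassin itself; a stand-alone model of
the steps discussed in the thread. Blocked extensions, helper names and the
sample message are assumptions made for this example.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions that should never be accepted inside a zip attachment.
BLOCKED_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}
# Header text used in the thread; a scoring rule must match this exact value.
ACL_WARN_TEXT = "Unsupported file format inside zip file"


def make_zip(members: dict) -> bytes:
    """Build a zip in memory from {name: content}; used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def blocked_names_in_zip(data: bytes, depth: int = 0, max_depth: int = 2) -> list:
    """Return member names that carry a blocked extension.

    Names come from the central directory, so they are readable even when the
    members are password-protected. Nested zips are opened up to max_depth;
    encrypted or large nested members are skipped (file_size is the declared
    size and can be forged, so a real scanner should also cap decompressed bytes).
    """
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a zip, or truncated: nothing to inspect by name
    with zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if any(lower.endswith(ext) for ext in BLOCKED_EXT):
                found.append(name)
            elif lower.endswith(".zip") and depth < max_depth:
                encrypted = bool(info.flag_bits & 0x1)
                if not encrypted and info.file_size <= 5_000_000:
                    inner = blocked_names_in_zip(zf.read(name), depth + 1, max_depth)
                    found.extend(f"{name}/{n}" for n in inner)
    return found


def scan_message(raw: bytes) -> EmailMessage:
    """Model of the ACL step: add X-ACL-Warn if a zip attachment holds a blocked file."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if fname.endswith(".zip") or ctype in ("application/zip", "application/x-zip-compressed"):
            hits.extend(blocked_names_in_zip(part.get_payload(decode=True) or b""))
    if hits:
        msg["X-ACL-Warn"] = ACL_WARN_TEXT
    return msg


# SpamAssassin-style header rules: name -> (header, regex, flags, score).
RULES = {
    # The rule as first posted: its text does not match the header the ACL adds.
    "CUST_HEADER_ACL_INSIDE_ZIP_V1": ("X-ACL-Warn", r"Attachment has unsupported file format inside zip file", "", 11.0),
    # The corrected rule: text copied from the real header, case-insensitive.
    "CUST_HEADER_ACL_INSIDE_ZIP_V2": ("X-ACL-Warn", r"Unsupported file format inside zip file", "i", 30.0),
}


def score_headers(msg: EmailMessage, rules: dict = RULES) -> tuple:
    """Apply header regex rules the way SpamAssassin does; return (total, hit rule names)."""
    total, hit = 0.0, []
    for name, (hdr, pattern, flags, score) in rules.items():
        for value in msg.get_all(hdr, []):
            if re.search(pattern, str(value), re.I if "i" in flags else 0):
                total += score
                hit.append(name)
                break
    return total, hit


def build_sample(members: dict) -> bytes:
    """Construct a test message with one zip attachment (sample data, not a real mail)."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"  # the thread notes the sender is spoofed as the user
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(make_zip(members), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for members in ({"invoice.js": "WScript.Echo(1)"}, {"invoice.pdf": "%PDF-1.4"}):
        m = scan_message(build_sample(members))
        print(list(members), "X-ACL-Warn:", m["X-ACL-Warn"], "score:", score_headers(m))
```

Running it shows the zipped `.js` sample getting the X-ACL-Warn header and only the corrected rule firing, while the `.pdf` sample gets neither. The check is purely name-based, which is the point of the thread: it does not depend on a signature update, but it also means a renamed payload or an extension not in the blocked set passes, so it complements rather than replaces the ClamAV scan.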
 