On Wed 27/Jul/2016 17:48:26 +0200 SZÉPE Viktor wrote:
> You may block messages with executable attachment
> (exe,com,scr,pif,bat,cmd,vbs,js ...)
> and zips with executables in them.

Also any documents with macros, according to this picture:
http://christophe.rieunier.name/securite/Dridex/20150608_dropper/Dridex_dropper_analysis.php#vue_globale

> Quoting Jérôme Blion <jerome.bl...@free.fr>:
>>
>> I added clamav-unofficial-sigs but as the attachment is built on the
>> fly, it's quite useless.

The ransomware you mention seems to be dealt with by badmacro.ndb, phish.ndb, foxhole_filename.cdb, and foxhole_js.cdb, according to:
http://sanesecurity.blogspot.com/2015/11/dridex-macro-malware-summary.html
http://sanesecurity.blogspot.com/2016/07/bank-account-report-with-attached-zip.html

Check the download script to see if any of them goes in the clamav directory.

>> Which solution did you implement to filter that Junk?

The point is false positives. I try to mitigate unacceptable rates by temporarily passing certain "viruses". Specifically, messages infected by Heuristics.* and Sanesecurity.* get an added header field rather than being dropped outright. I use zdkimfilter's action_header option to whitelist them, later in the filters list.

For example, there is an Italian bank which sends html newsletters with lots of social links which trigger phish.ndb rules. However, the bank has a decent dnswl score, so its messages pass because of dnswl_worthiness_pass.

(If that isn't obvious, those two zdkimfilter options are documented in:
http://www.tana.it/sw/zdkimfilter/zdkimfilter.conf.html)

Ale
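Viktor's attachment rule (block executables, look inside zips) combined with Ale's tag-a-header-rather-than-drop approach, as an added Python example that is not code from the thread, from zdkimfilter or from ClamAV; the extension set, the X-Attachment-Check header name and the sample message are this example's own assumptions:

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions from Viktor's list; treating exactly these as "executable" and
# the header name used for tagging are assumptions of this example.
EXEC_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
TAG_HEADER = "X-Attachment-Check"


def _ext(name):
    """Lower-cased extension of a file name, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def suspicious_attachments(msg):
    """Return [(filename, reason)] for attachments matching the rule."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if _ext(name) in EXEC_EXT:
            hits.append((name, "executable attachment"))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            # An executable inside a zip is still an executable.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                bad = [n for n in zf.namelist() if _ext(n) in EXEC_EXT]
            if bad:
                hits.append((name, "zip contains " + ", ".join(bad)))
    return hits


def tag_message(raw):
    """Parse raw message bytes; add a header instead of dropping the mail."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = suspicious_attachments(msg)
    if hits:
        msg[TAG_HEADER] = "; ".join(f"{n}: {r}" for n, r in hits)
    return msg


def build_sample():
    """Constructed message: a PDF, a .js file and a zip holding an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ placeholder, not a real binary")
        zf.writestr("readme.txt", b"hello")
    m = EmailMessage()
    m.set_content("see attached")
    m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="a.pdf")
    m.add_attachment(b"alert(1)", maintype="application", subtype="javascript", filename="a.js")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="a.zip")
    return m.as_bytes()
```

A later filter (or a mail client rule) can then act on the header, which keeps a false positive from losing the message outright.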