On Wed 27/Jul/2016 17:48:26 +0200 SZÉPE Viktor wrote:
> You may block messages with executable attachment
> (exe,com,scr,pif,bat,cmd,vbs,js ...)
> and zip-s with executable in them.

Also any documents with macros, according to this picture:
http://christophe.rieunier.name/securite/Dridex/20150608_dropper/Dridex_dropper_analysis.php#vue_globale

> Idézem/Quoting Jérôme Blion <jerome.bl...@free.fr>:
>>
>> I added clamav-unofficial-sigs but as the attachment is built on the
>> fly, it's quite useless.

The ransomware you mention seems to be dealt with by badmacro.ndb, phish.ndb, 
foxhole_filename.cdb, and foxhole_js.cdb, according to:
http://sanesecurity.blogspot.com/2015/11/dridex-macro-malware-summary.html
http://sanesecurity.blogspot.com/2016/07/bank-account-report-with-attached-zip.html

Check the download script to see if any of them goes in the clamav directory.

>> Which solution did you implement to filter that Junk ?

The point is false positives.

I try to mitigate unacceptable rates by temporarily passing certain "viruses". 
Specifically, messages infected by Heuristics.* and Sanesecurity.* get an added 
header field rather than being dropped outright.  I use zdkimfilter's 
action_header option to whitelist them, later in the filters list.  For 
example, there is an Italian bank which sends html newsletters with lots of 
social links which trigger phish.ndb rules.  However, the bank has a decent 
dnswl score, so its messages pass because of dnswl_worthiness_pass.  (If that 
isn't obvious, those two zdkimfilter options are documented in:
http://www.tana.it/sw/zdkimfilter/zdkimfilter.conf.html)

Ale
-- 
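The attachment policy discussed in this thread (reject executables and zips containing them, flag documents carrying macros, and tag rather than drop so a later filter can whitelist on reputation) as an added Python example; this is not code from the thread, from ClamAV or from zdkimfilter. The header name X-Attachment-Findings, the sample message and its attachments are constructed for the example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions listed in the quoted message, treated as executable whatever the MIME type says.
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
# OOXML parts that carry VBA macros (Word, Excel, PowerPoint). Legacy OLE .doc/.xls need
# an OLE parser and are not covered here.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Hypothetical header name: the message is tagged for a later filter instead of being dropped.
TAG_HEADER = "X-Attachment-Findings"
ZIP_MAGIC = b"PK\x03\x04"


def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_zip(data, label):
    """Findings for a zip payload: a plain .zip, or an OOXML document (also a zip)."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member in MACRO_PARTS:
                    findings.append(f"{label}: document contains VBA macros ({member})")
                elif _ext(member) in EXEC_EXTS:
                    findings.append(f"{label}: archive member {member} is executable")
    except zipfile.BadZipFile:
        findings.append(f"{label}: not a valid zip archive")
    return findings


def inspect_message(msg):
    """Walk the attachments of a parsed message and collect policy findings."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if _ext(name) in EXEC_EXTS:
            findings.append(f"{name}: executable attachment")
        elif payload.startswith(ZIP_MAGIC):
            findings.extend(inspect_zip(payload, name))
    return findings


def scan_raw(raw):
    """Parse raw RFC 5322 bytes and return the list of findings."""
    return inspect_message(BytesParser(policy=policy.default).parsebytes(raw))


def tag_raw(raw):
    """Tag instead of drop: strip any sender-supplied tag header, add one header per finding."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    del msg[TAG_HEADER]  # no error if absent; stops a sender pre-filling the header
    for finding in inspect_message(msg):
        msg[TAG_HEADER] = finding
    return msg


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample():
    """Constructed sample: a benign PDF, a zip hiding a .js file, a macro-enabled Word file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "Bank account report"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(_zip_bytes({"report.js": b"// constructed placeholder, not malware"}),
                       maintype="application", subtype="zip", filename="report.zip")
    msg.add_attachment(_zip_bytes({"[Content_Types].xml": b"<Types/>",
                                   "word/document.xml": b"<w:document/>",
                                   "word/vbaProject.bin": b"constructed placeholder"}),
                       maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="report.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_raw(build_sample()):
        print(line)
```

The .docm case needs no separate handling because an OOXML document is itself a zip, so one archive walk catches both a bundled .js and a vbaProject.bin part. Stripping any incoming X-Attachment-Findings header before tagging matters because a downstream filter that trusts the header must not be fed a sender-controlled value.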
------------------------------------------------------------------------------
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users