maybe you learn about SPF then......

On 01.02.2016 at 16:23, Thomas Barth wrote:
> The mails with docs attached are getting rejected successfully. I'm getting a lot of these mails from a botnet now, each mail with a different generated mail suffix, but always with our top level domain. I hope that we don't get problems that the spammers are using our main domain for spreading their spam :-/

[harry@rh:~]$ dig TXT txbweb.de

; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> TXT txbweb.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13842
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;txbweb.de. IN TXT

;; AUTHORITY SECTION:
txbweb.de. 120 IN SOA dns1.kontent.com. hostmaster.kontent.com. 2015050806 10800 3600 604800 86400

;; Query time: 115 msec
;; SERVER: 10.0.0.6#53(10.0.0.6)
;; WHEN: Mo Feb 01 16:24:56 CET 2016
;; MSG SIZE rcvd: 101

> On 01.02.2016 at 15:09, Reindl Harald wrote:
>> On 01.02.2016 at 15:05, Thomas Barth wrote:
>>> No viruses were found.
>>> Banned name: .exe,.exe-ms,23676883772984656662(1).doc.exe
>>> Content type: Banned
>>> Not quarantined.
>>> The message WAS NOT relayed to: xxx
>>> 554 5.7.0 Reject, id=09201-09 - BANNED: .exe,.exe-ms,23676883772984656662(1).doc.exe
>>>
>>> This message is a test result of ClamAV? I would like to add .doc as banned name
>>
>> sounds like amavis and as already suggested: reject it at smtpd level
>>
>> mime_header_checks = pcre:/etc/postfix/mime_header_checks.cf
>>
>> [root@mail-gw:~]$ cat /etc/postfix/mime_header_checks.cf
>> # Reject Attachment Extensions
>> /^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* = \s*"?(.*?(\.|=2E)(386|acm|ade|adp|apk|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)?"?\s*(;|$)/x REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) "$1"
>>
>>> On 01.02.2016 at 13:50, Reindl Harald wrote:
>>>> On 01.02.2016 at 13:48, Thomas Barth wrote:
>>>>> for a week or so I get a lot of mails with bills as doc-documents and Spamassassin is actually not able to mark it as spam
>>>>
>>>> it is able
>>>>
>>>> combined BAYES scores and other rules on a proper trained SA leads to 99.9% milter-reject rate of these malware mails here
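
Added example, not part of the original thread: a Python harness that runs the quoted mime_header_checks pattern over constructed MIME headers, showing that it rejects the .doc.exe name from the amavis report but passes a plain .doc until that extension is added to the list. Python's re module stands in for Postfix's PCRE engine here; build_pattern, check, the sample headers and the list with "doc" appended are assumptions made for illustration.

```python
import re

# Extension list copied from the mime_header_checks.cf quoted in the thread.
EXTENSIONS = (
    "386|acm|ade|adp|apk|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|"
    "csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|"
    "msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|"
    "shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh"
).split("|")

def build_pattern(extensions):
    """Compile the thread's header check for a given extension list."""
    alternatives = "|".join(re.escape(e) for e in extensions)
    # re.I and re.S mirror the pcre_table defaults; re.X is the rule's /x flag.
    return re.compile(
        r'^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* = \s*"?'
        r'(.*?(\.|=2E)(' + alternatives + r'))(?:\?=)?"?\s*(;|$)',
        re.I | re.S | re.X,
    )

def check(header, pattern):
    """Return the REJECT text the rule would produce, or None if it passes."""
    m = pattern.search(header)
    if m is None:
        return None
    return ('REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) '
            '"%s"' % m.group(1))

STOCK = build_pattern(EXTENSIONS)               # the rule as posted
WITH_DOC = build_pattern(EXTENSIONS + ["doc"])  # hypothetical variant with .doc added

# Constructed sample headers; only the first file name comes from the thread.
SAMPLES = [
    'Content-Disposition: attachment; filename="23676883772984656662(1).doc.exe"',
    'Content-Type: application/msword; name="invoice.doc"',
    'Content-Type: application/octet-stream; name="=?UTF-8?Q?rechnung=2Eexe?="',
    'Content-Type: application/octet-stream; name="invoice.docx"',
]

if __name__ == "__main__":
    for label, pattern in (("stock", STOCK), ("with .doc", WITH_DOC)):
        for header in SAMPLES:
            print("%-10s %-80s -> %s" % (label, header, check(header, pattern) or "pass"))
```

Adding doc alone still lets .docx through, because the pattern requires the listed extension to end the file name.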