spamassassin-users mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Recent spate of Malicious VB attachments II
Date Thu, 19 Feb 2015 13:58:10 GMT

On 19.02.2015 at 14:46, Chad M Stewart wrote:
> I use amavis-new and block based on file type.  My users should never get legit executables
> via email, so they are sent to a quarantine.
>
> ### BLOCKED ANYWHERE
> # qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
>    qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
>    qr'^\.(exe|lha|cab|dll)$',              # banned file(1) types
>
>
>    # block certain double extensions in filenames
>    qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
>
>    qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic

well, you can achieve that directly on the MTA, but that won't help in 
the case of "emails containing MS office attachments with a Malicious VB script"

cat /etc/postfix/mime_header_checks.cf
/^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* = \s*"?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)?"?\s*(;|$)/x
    REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) "$1"

(.rar because ClamAV can't scan the content on Fedora)
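The following is an added example, not part of the message above: it compiles the same mime_header_checks pattern in Python (re.VERBOSE standing in for pcre's /x flag) and runs it over a few constructed MIME headers, so the rule can be checked offline before it goes into Postfix. It shows what the rule rejects (plain, double and Q-encoded extensions) and that a macro-enabled Office document passes untouched, which is the gap the message points out. The header samples are constructed for the example.

```python
import re

# Extension list copied from the mime_header_checks.cf pattern quoted in the message.
BANNED_EXT = ("386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|"
              "csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|"
              "msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|"
              "shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh")

# Same regex as the Postfix table; re.VERBOSE ignores the literal spaces just as /x does.
# Group 1 is the whole filename, which Postfix expands as "$1" in the REJECT text.
HEADER_RE = re.compile(
    r'^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* = '
    r'\s*"?(.*?(\.|=2E)(' + BANNED_EXT + r'))(?:\?=)?"?\s*(;|$)',
    re.VERBOSE)

REJECT_TEXT = 'REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) "{}"'


def check_mime_header(header_line):
    """Return the REJECT action Postfix would log for this header, or None if it passes."""
    m = HEADER_RE.match(header_line)
    if m is None:
        return None
    return REJECT_TEXT.format(m.group(1))


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    'Content-Disposition: attachment; filename="invoice.exe"',          # rejected
    'Content-Disposition: attachment; filename="photo.jpg.scr"',        # double extension, rejected
    'Content-Disposition: attachment; filename=setup.bat; size=1234',   # unquoted, rejected
    'Content-Disposition: attachment; filename="=?utf-8?Q?setup=2Eexe?="',  # Q-encoded dot, rejected
    'Content-Type: application/octet-stream; name="report.pdf"',        # passes
    'Content-Disposition: attachment; filename="invoice.docm"',         # macro document, passes
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_mime_header(line) or "OK", "<-", line)
```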

