Without seeing these 2 headers... From and Return-Path, this is a guess. Also you don't say if the encrypted pdf was still virus scanned or didn't show up nor if you restarted amavis. I do see one obvious problem when desk checking your rules. You are scoring -7 points to your trusted sender (provid...

https://forums.zimbra.org/viewtopic.php?f=15&t=64117#p295675 Create a meta rule with SA and negatively score a hit on that rule when it also matches your users and encrypted pdf hit. It seams to me like your solution allows all encrypted PDF's. Is there a way to completely bypass the filters fo...

viewtopic.php?f=15&t=64117#p295675

Create a meta rule with SA and negatively score a hit on that rule when it also matches your users and encrypted pdf hit.

HTH,

Jim

What I am seeing is the email subject and body are base64 encoded. It seems that no checking is being performed on them as they fly straight through two different anti-spam systems I have in play. Interesting, base64 sounds to be a reasonable spam hit as it would be obfuscating the subject line IMO...

Thanks Randy. These call summaries are very much appreciated.

PS. That is fantastic news with regard to Synacor giving Barry the Channel Evangelist role. I look forward to seeing some of his how-to articles.

SA doesn't have any issue with base64 and their rules do run against it. They won't run against if it's an attachment of course but for html or text, they have no problem. Perhaps you could begin to look for patterns when its base64. Here is one we do. full __J_BASE64_HACK /=D[01]=[A-F0-9][A-F0-9][A...

Hi Jim, Thanks very much for this. 8.8.15 Patch 4 ships with SpamAssassin 3.4.1. Are you running Network Edition and if so can you open a support case with Zimbra? Hi Mark, Yes I am. Ticket has been opened with them. Given this seems to be a problem across all platforms, upgrading SA can be done vi...

If you are running spamassassin 3.4.1 or older, new rule updates will fail on March 1, 2020 when the rule checksums will no longer be hashed as sha1. You will require a /opt/zimbra/common/bin/sa-update with sha256/sha512 support to pull updated and new rules. What does this mean? No further rule upg...

I thought I would share my solution since I have a new mobile app that likes to encrypt pdf's and I wasn't going to keep releasing it from quarantine. While the newer clamav updated with 8.7.11.p14 has the concept of encrypted docs vs encrypted archives, that isn't enough granularity when you just w...

Most likely they were dropped if they scored over 15 and you didn't see them delivered to the junk folder of the user. You can verify by doing something like this: % grep -i blocked /var/log/zimbra.log | awk '{print $22,$12}' | sort 48.131, <4383-238-65151-1330-anna=example.com@mail.dancklion.us> 48...