how to prevent email with ransomware in attachment ?

[ingenetic]

hi all,
please help , this month we already receive a lot of email from someone we don't know which the email contain an attachment (ransomware).
as i know , they send email "TO" someone not exist in my user zimbra account .

for example this original email :

Content-Type: multipart/mixed; boundary="===============1249967981=="
MIME-Version: 1.0
Subject: Request for Quotation of Screw Decanter Centrifuge_CE1
Project/AA167194000000 (Muhan Technical)
To: Odsuren Batgerel <odsuren.batgerel.me12@eng.nssmc.com>
From: "Odsuren Batgerel" <odsuren.batgerel.me12@eng.nssmc.com>
Date: Mon, 11 May 2020 19:32:34 -0700

\

the email from them self to them self, but it's coming to my inbox (which not our mail domain).

is there anyway to block email like above to incoming to my zimbra users inbox ?

please advice.

Regards,

[BradC]

is there anyway to block email like above to incoming to my zimbra users inbox ?

Probably not unless you set up a specific rule in the spam filter. If you check the E-mail headers your address will be in the envelope address. The spammers use a forged to and from and put your address (and thousands of others) in the BCC, either sent directly or through an open relay.

[ingenetic]

is there anyway to block email like above to incoming to my zimbra users inbox ?

Probably not unless you set up a specific rule in the spam filter. If you check the E-mail headers your address will be in the envelope address. The spammers use a forged to and from and put your address (and thousands of others) in the BCC, either sent directly or through an open relay.

Hi BradC,
can u give an example about set up a specific rule in the spam filter ?
coz i'm not expert in zimbra.

Thanks n regards,

[zimico]

Hi,
You can use the following rule (put it in /opt/zimbra/data/spamassasin/localrules/sauser.cfg. I learned this from Mr. Jim (JDunphy):

Code: Select all

# Protect against sproofing
header __Z_FROM_BODY From =~ /example\.com/i
header __Z_FROM_SMTP Return-Path =~ /\@example.com/i
meta Z_SPOOFED_FROM (!__Z_FROM_SMTP && __Z_FROM_BODY)
score  Z_SPOOFED_FROM 7
describe Z_SPOOFED_FROM From and Return-Path address are not the same

# Do not want to receive message when there is no my domain in To field:
header __DOMAIN_IN_TO To =~ /example\.com/i
meta DOMAIN_NOT_IN_TO !__DOMAIN_IN_TO
score DOMAIN_NOT_IN_TO 3.0

# Do not want to receive message from strange domain
header   __Z_DOMAIN_RCVD_TLD Received =~ /\.(ar|pk|by|za|rest|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|it|my|io|ae|ga|rs|dz|tr)\s+/si
header   __Z_DOMAIN_RPLTO_TLD Reply-To =~ /\.(ar|pk|by|za|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|it|ae|ga|rs|dz|tr)(?:\s|>)+/si
meta     Z_DOMAIN_SPAM_TLD      (__Z_DOMAIN_RCVD_TLD || __Z_DOMAIN_RPLTO_TLD)
score    Z_DOMAIN_SPAM_TLD 2.6
describe Z_DOMAIN_SPAM_TLD Prevalent use of .info|.links|.rocks, etc in spam/malware

You can also do this:

Code: Select all

header UNDISC_RECIPS    To =~ /^undisclosed-recipients?:s*;$/
describe UNDISC_RECIPS    Valid-looking "undisclosed-recipients:;"
score UNDISC_RECIPS 2.5
header FAKED_UNDISC_RECIPS    To =~ /undisclosed[_ ]*recipient(?:s[^:]|[^s])/i
describe FAKED_UNDISC_RECIPS    Probably faked or non RFC "Undisclosed Recipients"
score FAKED_UNDISC_RECIPS 3.0

Regards,
Minh.

[ingenetic]

Hi,
You can use the following rule (put it in /opt/zimbra/data/spamassasin/localrules/sauser.cfg. I learned this from Mr. Jim (JDunphy):

Code: Select all

# Protect against sproofing
header __Z_FROM_BODY From =~ /example\.com/i
header __Z_FROM_SMTP Return-Path =~ /\@example.com/i
meta Z_SPOOFED_FROM (!__Z_FROM_SMTP && __Z_FROM_BODY)
score  Z_SPOOFED_FROM 7
describe Z_SPOOFED_FROM From and Return-Path address are not the same

# Do not want to receive message when there is no my domain in To field:
header __DOMAIN_IN_TO To =~ /example\.com/i
meta DOMAIN_NOT_IN_TO !__DOMAIN_IN_TO
score DOMAIN_NOT_IN_TO 3.0

# Do not want to receive message from strange domain
header   __Z_DOMAIN_RCVD_TLD Received =~ /\.(ar|pk|by|za|rest|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|it|my|io|ae|ga|rs|dz|tr)\s+/si
header   __Z_DOMAIN_RPLTO_TLD Reply-To =~ /\.(ar|pk|by|za|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|it|ae|ga|rs|dz|tr)(?:\s|>)+/si
meta     Z_DOMAIN_SPAM_TLD      (__Z_DOMAIN_RCVD_TLD || __Z_DOMAIN_RPLTO_TLD)
score    Z_DOMAIN_SPAM_TLD 2.6
describe Z_DOMAIN_SPAM_TLD Prevalent use of .info|.links|.rocks, etc in spam/malware

You can also do this:

Code: Select all

header UNDISC_RECIPS    To =~ /^undisclosed-recipients?:s*;$/
describe UNDISC_RECIPS    Valid-looking "undisclosed-recipients:;"
score UNDISC_RECIPS 2.5
header FAKED_UNDISC_RECIPS    To =~ /undisclosed[_ ]*recipient(?:s[^:]|[^s])/i
describe FAKED_UNDISC_RECIPS    Probably faked or non RFC "Undisclosed Recipients"
score FAKED_UNDISC_RECIPS 3.0

Regards,
Minh.

hi zimico,

i can't find file sauser.cfg in my zimbra /opt/zimbra/data/spamassassin/localrules/
is it create a new file with name sauser.cfg ?
if yes,
which user that have to create the file ? as root or as zimbra user ?
after i created the file,

what command that i have to run , so the sauser.cfg file is working ?
can u tell me more detail ?

Thanks n regards,

[zimico]

Hi,
The exact file location on Zimbra 8.8 is: /opt/zimbra/data/spamassassin/localrules/sauser.cf

Code: Select all

-rw-r----- 1 zimbra zimbra 14740 Aug 31 10:35 /opt/zimbra/data/spamassassin/localrules/sauser.cf


If you do not have this file you can create it.
Regards,
Minh

[ingenetic]

Hi, Zimico

i have some question about code below :

# Protect against sproofing
header __Z_FROM_BODY From =~ /example\.com/i <== is it using my domain ? =~ /mydomain\.net/i ?
header __Z_FROM_BODY From =~ /example\.com/i <== is it using my domain ? =~ /mydomain\.net/i ?
header __Z_FROM_SMTP Return-Path =~ /\@example.com/i <=== =~ /\@mydomain.net/i ?
meta Z_SPOOFED_FROM (!__Z_FROM_SMTP && __Z_FROM_BODY)
score Z_SPOOFED_FROM 7
describe Z_SPOOFED_FROM From and Return-Path address are not the same

# Do not want to receive message when there is no my domain in To field: <== what kind of email will reject by this code ?
header __DOMAIN_IN_TO To =~ /example\.com/i
meta DOMAIN_NOT_IN_TO !__DOMAIN_IN_TO
score DOMAIN_NOT_IN_TO 3.0

# Do not want to receive message from strange domain
header __Z_DOMAIN_RCVD_TLD Received =~ /\.(ar|pk|by|za|rest|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|it|my|io|ae|ga|rs|dz|tr)\s+/si
header __Z_DOMAIN_RPLTO_TLD Reply-To =~ /\.(ar|pk|by|za|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|it|ae|ga|rs|dz|tr)(?:\s|>)+/si
meta Z_DOMAIN_SPAM_TLD (__Z_DOMAIN_RCVD_TLD || __Z_DOMAIN_RPLTO_TLD)
score Z_DOMAIN_SPAM_TLD 2.6
describe Z_DOMAIN_SPAM_TLD Prevalent use of .info|.links|.rocks, etc in spam/malware
header __Z_FROM_SMTP Return-Path =~ /\@example.com/i
meta Z_SPOOFED_FROM (!__Z_FROM_SMTP && __Z_FROM_BODY)
score Z_SPOOFED_FROM 7
describe Z_SPOOFED_FROM From and Return-Path address are not the same

# Do not want to receive message when there is no my domain in To field: <== what kind of email will reject by this code ?
header __DOMAIN_IN_TO To =~ /example\.com/i
meta DOMAIN_NOT_IN_TO !__DOMAIN_IN_TO
score DOMAIN_NOT_IN_TO 3.0

# Do not want to receive message from strange domain
header __Z_DOMAIN_RCVD_TLD Received =~ /\.(ar|pk|by|za|rest|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|it|my|io|ae|ga|rs|dz|tr)\s+/si
header __Z_DOMAIN_RPLTO_TLD Reply-To =~ /\.(ar|pk|by|za|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|it|ae|ga|rs|dz|tr)(?:\s|>)+/si
meta Z_DOMAIN_SPAM_TLD (__Z_DOMAIN_RCVD_TLD || __Z_DOMAIN_RPLTO_TLD)
score Z_DOMAIN_SPAM_TLD 2.6
describe Z_DOMAIN_SPAM_TLD Prevalent use of .info|.links|.rocks, etc in spam/malware

and after i create the file, is there any command that i have to run ?

please advice.

Regards,

[zimico]

Hi,
Please replace example.com with your real domain.
You should test your configuration by running:
$/opt/zimbra/common/bin/spamassassin --lint
After that, restart your antispam:
$zmantispamctl restart
Regards
Minh.

[ingenetic]

Hi,
Please replace example.com with your real domain.
You should test your configuration by running:
$/opt/zimbra/common/bin/spamassassin --lint
After that, restart your antispam:
$zmantispamctl restart
Regards
Minh.

Hi Minh,
i just putted the script in /opt/zimbra/data/spamassassin/localrules/sauser.cf


when i typed : /opt/zimbra/common/bin/spamassassin --lint

here the result :

bash: /opt/zimbra/common/bin/spamassassin: No such file or directory

or can i put this script in :

vi /opt/zimbra/data/spamassassin/localrules/salocal.cf ??

please advice


Regards,

Ign

[zimico]

Hi,
Which Zimbra version are you using?
zmcontrol -v
I am using Zimbra 8.8.15, if you are using old zimbra version, please google for the exact path.
You should put all your customization config in sauser.cf as Zimbra's suggestion.
Regards,
Minh.