how to prevent email with ransomware in attachment ?

ingenetic
Posts: 42
Joined: Wed Feb 19, 2020 3:01 pm

how to prevent email with ransomware in attachment ?

Post by ingenetic » Thu May 14, 2020 3:16 am

Hi all,
Please help. This month we have already received a lot of emails from people we don't know, and the emails contain an attachment (ransomware).
As far as I know, they send the email "TO" someone who does not exist in my Zimbra user accounts.

For example, this original email:

Content-Type: multipart/mixed; boundary="===============1249967981=="
MIME-Version: 1.0
Subject: Request for Quotation of Screw Decanter Centrifuge_CE1
Project/AA167194000000 (Muhan Technical)
To: Odsuren Batgerel <odsuren.batgerel.me12@eng.nssmc.com>
From: "Odsuren Batgerel" <odsuren.batgerel.me12@eng.nssmc.com>
Date: Mon, 11 May 2020 19:32:34 -0700

The email is from themselves to themselves, but it's coming to my inbox (which is not our mail domain).

Is there any way to block emails like the above from coming into my Zimbra users' inboxes?

Please advise.

Regards,
Attachments: 2.JPG, 1.JPG


BradC
Advanced member
Posts: 75
Joined: Tue May 03, 2016 1:39 am

Re: how to prevent email with ransomware in attachment ?

Post by BradC » Thu May 14, 2020 6:07 am

ingenetic wrote:
Is there any way to block emails like the above from coming into my Zimbra users' inboxes?

Probably not, unless you set up a specific rule in the spam filter. If you check the e-mail headers, your address will be in the envelope address. The spammers use a forged To and From and put your address (and thousands of others) in the BCC, either sent directly or through an open relay.
ingenetic
Posts: 42
Joined: Wed Feb 19, 2020 3:01 pm

Re: how to prevent email with ransomware in attachment ?

Post by ingenetic » Sat Aug 29, 2020 2:16 pm

BradC wrote:
ingenetic wrote:
Is there any way to block emails like the above from coming into my Zimbra users' inboxes?

Probably not, unless you set up a specific rule in the spam filter. If you check the e-mail headers, your address will be in the envelope address. The spammers use a forged To and From and put your address (and thousands of others) in the BCC, either sent directly or through an open relay.

Hi BradC,
Can you give an example of setting up a specific rule in the spam filter?
I'm not an expert in Zimbra.

Thanks and regards,
zimico
Advanced member
Posts: 187
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: how to prevent email with ransomware in attachment ?

Post by zimico » Sat Aug 29, 2020 3:36 pm

Hi,
You can use the following rules (put them in /opt/zimbra/data/spamassassin/localrules/sauser.cfg). I learned this from Mr. Jim (JDunphy):

# Protect against spoofing: our domain in the From header but not in the envelope sender
header __Z_FROM_BODY From =~ /example\.com/i
header __Z_FROM_SMTP Return-Path =~ /\@example\.com/i
meta Z_SPOOFED_FROM (!__Z_FROM_SMTP && __Z_FROM_BODY)
score  Z_SPOOFED_FROM 7
describe Z_SPOOFED_FROM From and Return-Path address are not the same

# Do not want to receive messages when my domain is not in the To field:
header __DOMAIN_IN_TO To =~ /example\.com/i
meta DOMAIN_NOT_IN_TO !__DOMAIN_IN_TO
score DOMAIN_NOT_IN_TO 3.0

# Do not want to receive messages from strange domains (TLDs seen mostly in spam)
header   __Z_DOMAIN_RCVD_TLD Received =~ /\.(ar|pk|by|za|rest|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|my|io|ae|ga|rs|dz|tr)\s+/si
header   __Z_DOMAIN_RPLTO_TLD Reply-To =~ /\.(ar|pk|by|za|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|ae|ga|rs|dz|tr)(?:\s|>)+/si
meta     Z_DOMAIN_SPAM_TLD      (__Z_DOMAIN_RCVD_TLD || __Z_DOMAIN_RPLTO_TLD)
score    Z_DOMAIN_SPAM_TLD 2.6
describe Z_DOMAIN_SPAM_TLD Prevalent use of .info|.links|.rocks, etc in spam/malware


You can also do this:

# A correctly formed "undisclosed-recipients:;" To header (note the \s: whitespace is optional before the semicolon)
header UNDISC_RECIPS    To =~ /^undisclosed-recipients?:\s*;$/
describe UNDISC_RECIPS    Valid-looking "undisclosed-recipients:;"
score UNDISC_RECIPS 2.5
# Variants that only imitate that header and are not RFC-style group syntax
header FAKED_UNDISC_RECIPS    To =~ /undisclosed[_ ]*recipient(?:s[^:]|[^s])/i
describe FAKED_UNDISC_RECIPS    Probably faked or non RFC "Undisclosed Recipients"
score FAKED_UNDISC_RECIPS 3.0


Regards,
Minh.
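To see what these rules actually score before editing sauser.cf, here is an offline emulation of them. This is an added example, not code from this post, from SpamAssassin or from Zimbra: it re-implements the regexes and the meta/score arithmetic of the rules above in Python and runs them over four constructed header sets, including the pattern from the first post (From and To are the same foreign address and the local mailbox was only in the envelope, as BradC described). `LOCAL_DOMAIN`, the sample addresses and the relay names are all assumptions made for the demonstration.

```python
"""Offline emulation of the SpamAssassin rules posted in this thread.

Added illustration only: this is not SpamAssassin, Zimbra or the poster's
code.  It re-implements the regexes and score arithmetic of the posted
header/meta rules in Python so an admin can trace which rule a given set of
headers would hit before editing sauser.cf.  LOCAL_DOMAIN stands in for
"example.com"; every sample message below is constructed for the demo.
"""
import re
from email import message_from_string
from email.message import Message

LOCAL_DOMAIN = "example.com"  # assumption: the domain the rules protect

# TLD alternation copied from the posted __Z_DOMAIN_RCVD_TLD rule (the
# Reply-To rule in the post uses a slightly shorter list; one list is used here).
SPAM_TLDS = ("ar|pk|by|za|rest|online|click|science|it|ru|space|rocks|xyz|me|ec|"
             "eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|"
             "trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|"
             "cf|lt|my|io|ae|ga|rs|dz|tr")


def sub_rules(msg: Message) -> dict:
    """Evaluate the boolean helper rules ("__" prefix) and the two
    undisclosed-recipients rules against the parsed headers."""
    dom = re.escape(LOCAL_DOMAIN)
    received = "\n".join(msg.get_all("Received", []))
    to_hdr = msg.get("To", "")
    return {
        "__Z_FROM_BODY": bool(re.search(dom, msg.get("From", ""), re.I)),
        "__Z_FROM_SMTP": bool(re.search("@" + dom, msg.get("Return-Path", ""), re.I)),
        "__DOMAIN_IN_TO": bool(re.search(dom, to_hdr, re.I)),
        "__Z_DOMAIN_RCVD_TLD": bool(re.search(
            r"\.(" + SPAM_TLDS + r")\s+", received, re.I | re.S)),
        "__Z_DOMAIN_RPLTO_TLD": bool(re.search(
            r"\.(" + SPAM_TLDS + r")(?:\s|>)+", msg.get("Reply-To", ""), re.I | re.S)),
        "UNDISC_RECIPS": bool(re.match(r"^undisclosed-recipients?:\s*;$", to_hdr)),
        "FAKED_UNDISC_RECIPS": bool(re.search(
            r"undisclosed[_ ]*recipient(?:s[^:]|[^s])", to_hdr, re.I)),
    }


def score_message(raw: str):
    """Apply the meta/score lines of the posted rules.
    Returns (hits, total): hits maps each firing scored rule to its points."""
    s = sub_rules(message_from_string(raw))
    hits = {}
    if s["__Z_FROM_BODY"] and not s["__Z_FROM_SMTP"]:
        hits["Z_SPOOFED_FROM"] = 7.0      # our domain in From, but not in Return-Path
    if not s["__DOMAIN_IN_TO"]:
        hits["DOMAIN_NOT_IN_TO"] = 3.0    # our domain absent from the To header
    if s["__Z_DOMAIN_RCVD_TLD"] or s["__Z_DOMAIN_RPLTO_TLD"]:
        hits["Z_DOMAIN_SPAM_TLD"] = 2.6
    if s["UNDISC_RECIPS"]:
        hits["UNDISC_RECIPS"] = 2.5
    if s["FAKED_UNDISC_RECIPS"]:
        hits["FAKED_UNDISC_RECIPS"] = 3.0
    return hits, round(sum(hits.values()), 1)


# Constructed sample messages (headers only; the body is irrelevant to these rules).
SAMPLES = {
    # The pattern from the first post: From and To are the same foreign address,
    # our mailbox was only in the envelope (BCC), and the relay has a listed TLD.
    "self_addressed":
        "Received: from mx.sender-host.xyz (mx.sender-host.xyz [192.0.2.20]) by mta.example.com\n"
        "Return-Path: <bulk@sender-host.xyz>\n"
        "From: \"Vendor Sales\" <sales@partner-vendor.org>\n"
        "To: \"Vendor Sales\" <sales@partner-vendor.org>\n"
        "Subject: Request for Quotation\n\n",
    # Normal mail from a partner to one of our users: nothing should fire.
    "legit":
        "Received: from mail.partner.net (mail.partner.net [192.0.2.10]) by mta.example.com\n"
        "Return-Path: <alice@partner.net>\n"
        "From: \"Alice\" <alice@partner.net>\n"
        "To: bob@example.com\n"
        "Subject: Meeting notes\n\n",
    # Forged From claiming to be us, with a foreign Return-Path and Reply-To.
    "spoofed_from":
        "Received: from mail.some-relay.net (mail.some-relay.net [192.0.2.30]) by mta.example.com\n"
        "Return-Path: <bulk@sender-host.xyz>\n"
        "From: \"Finance\" <finance@example.com>\n"
        "Reply-To: <finance@sender-host.xyz>\n"
        "To: bob@example.com\n"
        "Subject: Urgent payment\n\n",
    # Valid-looking undisclosed-recipients list, so our domain is not in To.
    "undisclosed":
        "Received: from mail.some-relay.net (mail.some-relay.net [192.0.2.30]) by mta.example.com\n"
        "Return-Path: <news@some-relay.net>\n"
        "From: \"Newsletter\" <news@some-relay.net>\n"
        "To: undisclosed-recipients:;\n"
        "Subject: Weekly digest\n\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        hits, total = score_message(raw)
        print(f"{name:15s} total={total:4.1f}  {sorted(hits)}")
```

Two things this makes visible. First, a SpamAssassin `header To` rule only ever sees the To header, not the envelope recipient, which is exactly why DOMAIN_NOT_IN_TO catches the BCC-delivered mail from the first post; the same rule also adds 3.0 to legitimate mailing-list or BCC mail, so watch the scores in the headers of real traffic for a while before relying on it. Second, Return-Path is whatever the receiving MTA wrote from the envelope sender, so Z_SPOOFED_FROM depends on that header being present when SpamAssassin runs; a lint pass and a look at a few scored messages confirm that on a given Zimbra version.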
ingenetic
Posts: 42
Joined: Wed Feb 19, 2020 3:01 pm

Re: how to prevent email with ransomware in attachment ?

Post by ingenetic » Mon Aug 31, 2020 2:57 am

zimico wrote:
Hi,
You can use the following rules (put them in /opt/zimbra/data/spamassassin/localrules/sauser.cfg). I learned this from Mr. Jim (JDunphy):

# Protect against spoofing: our domain in the From header but not in the envelope sender
header __Z_FROM_BODY From =~ /example\.com/i
header __Z_FROM_SMTP Return-Path =~ /\@example\.com/i
meta Z_SPOOFED_FROM (!__Z_FROM_SMTP && __Z_FROM_BODY)
score  Z_SPOOFED_FROM 7
describe Z_SPOOFED_FROM From and Return-Path address are not the same

# Do not want to receive messages when my domain is not in the To field:
header __DOMAIN_IN_TO To =~ /example\.com/i
meta DOMAIN_NOT_IN_TO !__DOMAIN_IN_TO
score DOMAIN_NOT_IN_TO 3.0

# Do not want to receive messages from strange domains (TLDs seen mostly in spam)
header   __Z_DOMAIN_RCVD_TLD Received =~ /\.(ar|pk|by|za|rest|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|my|io|ae|ga|rs|dz|tr)\s+/si
header   __Z_DOMAIN_RPLTO_TLD Reply-To =~ /\.(ar|pk|by|za|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|ae|ga|rs|dz|tr)(?:\s|>)+/si
meta     Z_DOMAIN_SPAM_TLD      (__Z_DOMAIN_RCVD_TLD || __Z_DOMAIN_RPLTO_TLD)
score    Z_DOMAIN_SPAM_TLD 2.6
describe Z_DOMAIN_SPAM_TLD Prevalent use of .info|.links|.rocks, etc in spam/malware

You can also do this:

# A correctly formed "undisclosed-recipients:;" To header (note the \s: whitespace is optional before the semicolon)
header UNDISC_RECIPS    To =~ /^undisclosed-recipients?:\s*;$/
describe UNDISC_RECIPS    Valid-looking "undisclosed-recipients:;"
score UNDISC_RECIPS 2.5
# Variants that only imitate that header and are not RFC-style group syntax
header FAKED_UNDISC_RECIPS    To =~ /undisclosed[_ ]*recipient(?:s[^:]|[^s])/i
describe FAKED_UNDISC_RECIPS    Probably faked or non RFC "Undisclosed Recipients"
score FAKED_UNDISC_RECIPS 3.0

Regards,
Minh.


Hi zimico,

I can't find the file sauser.cfg in my Zimbra /opt/zimbra/data/spamassassin/localrules/
Do I create a new file with the name sauser.cfg?
If yes, which user has to create the file: root or the zimbra user?
After I have created the file, what command do I have to run so that the sauser.cfg file takes effect?
Can you tell me in more detail?

Thanks and regards,
zimico
Advanced member
Posts: 187
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: how to prevent email with ransomware in attachment ?

Post by zimico » Mon Aug 31, 2020 10:48 am

Hi,
The exact file location on Zimbra 8.8 is /opt/zimbra/data/spamassassin/localrules/sauser.cf

-rw-r----- 1 zimbra zimbra 14740 Aug 31 10:35 /opt/zimbra/data/spamassassin/localrules/sauser.cf

If you do not have this file, you can create it.
Regards,
Minh
ingenetic
Posts: 42
Joined: Wed Feb 19, 2020 3:01 pm

Re: how to prevent email with ransomware in attachment ?

Post by ingenetic » Tue Sep 01, 2020 3:02 am

Hi Zimico,

I have some questions about the code below:

# Protect against spoofing
header __Z_FROM_BODY From =~ /example\.com/i <== should this use my domain, i.e. =~ /mydomain\.net/i ?
header __Z_FROM_SMTP Return-Path =~ /\@example.com/i <=== =~ /\@mydomain.net/i ?
meta Z_SPOOFED_FROM (!__Z_FROM_SMTP && __Z_FROM_BODY)
score Z_SPOOFED_FROM 7
describe Z_SPOOFED_FROM From and Return-Path address are not the same

# Do not want to receive messages when my domain is not in the To field: <== what kind of email will be rejected by this rule?
header __DOMAIN_IN_TO To =~ /example\.com/i
meta DOMAIN_NOT_IN_TO !__DOMAIN_IN_TO
score DOMAIN_NOT_IN_TO 3.0

# Do not want to receive messages from strange domains
header __Z_DOMAIN_RCVD_TLD Received =~ /\.(ar|pk|by|za|rest|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|it|my|io|ae|ga|rs|dz|tr)\s+/si
header __Z_DOMAIN_RPLTO_TLD Reply-To =~ /\.(ar|pk|by|za|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|it|ae|ga|rs|dz|tr)(?:\s|>)+/si
meta Z_DOMAIN_SPAM_TLD (__Z_DOMAIN_RCVD_TLD || __Z_DOMAIN_RPLTO_TLD)
score Z_DOMAIN_SPAM_TLD 2.6
describe Z_DOMAIN_SPAM_TLD Prevalent use of .info|.links|.rocks, etc in spam/malware

And after I create the file, is there any command that I have to run?

Please advise.

Regards,
zimico
Advanced member
Posts: 187
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: how to prevent email with ransomware in attachment ?

Post by zimico » Tue Sep 01, 2020 11:42 am

Hi,
Please replace example.com with your real domain.
You should test your configuration by running:
$ /opt/zimbra/common/bin/spamassassin --lint
After that, restart your antispam:
$ zmantispamctl restart
Regards,
Minh.
ingenetic
Posts: 42
Joined: Wed Feb 19, 2020 3:01 pm

Re: how to prevent email with ransomware in attachment ?

Post by ingenetic » Wed Sep 02, 2020 2:31 am

zimico wrote:
Hi,
Please replace example.com with your real domain.
You should test your configuration by running:
$ /opt/zimbra/common/bin/spamassassin --lint
After that, restart your antispam:
$ zmantispamctl restart
Regards,
Minh.

Hi Minh,
I just put the script in /opt/zimbra/data/spamassassin/localrules/sauser.cf

When I typed: /opt/zimbra/common/bin/spamassassin --lint

here is the result:

bash: /opt/zimbra/common/bin/spamassassin: No such file or directory

Or can I put this script in:

vi /opt/zimbra/data/spamassassin/localrules/salocal.cf ??

Please advise.

Regards,

Ign
zimico
Advanced member
Posts: 187
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: how to prevent email with ransomware in attachment ?

Post by zimico » Wed Sep 02, 2020 3:19 am

Hi,
Which Zimbra version are you using?
$ zmcontrol -v
I am using Zimbra 8.8.15. If you are using an old Zimbra version, please google for the exact path.
You should put all your customization config in sauser.cf, as Zimbra suggests.
Regards,
Minh.
