Re: how to prevent email with ransomware in attachment ?
Posted: Thu May 14, 2020 6:07 am
by BradC
ingenetic wrote:
Is there any way to block email like the above from coming into my Zimbra users' inboxes?
Probably not unless you set up a specific rule in the spam filter. If you check the E-mail headers your address will be in the envelope address. The spammers use a forged To and From and put your address (and thousands of others) in the BCC, either sent directly or through an open relay.
Re: how to prevent email with ransomware in attachment ?
Posted: Sat Aug 29, 2020 3:36 pm
by zimico
Hi,
You can use the following rule (put it in /opt/zimbra/data/spamassasin/localrules/sauser.cfg. I learned this from Mr. Jim (JDunphy):
Code:
# Protect against spoofing: From claims our domain but the envelope sender (Return-Path) does not
header __Z_FROM_BODY From =~ /example\.com/i
header __Z_FROM_SMTP Return-Path =~ /\@example\.com/i
meta Z_SPOOFED_FROM (!__Z_FROM_SMTP && __Z_FROM_BODY)
score Z_SPOOFED_FROM 7
describe Z_SPOOFED_FROM From and Return-Path address are not the same
# Do not want to receive message when my domain is not in the To field:
header __DOMAIN_IN_TO To =~ /example\.com/i
meta DOMAIN_NOT_IN_TO !__DOMAIN_IN_TO
score DOMAIN_NOT_IN_TO 3.0
# Do not want to receive message from strange domain (TLDs seen in Received or Reply-To headers)
header __Z_DOMAIN_RCVD_TLD Received =~ /\.(ar|pk|by|za|rest|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|my|io|ae|ga|rs|dz|tr)\s+/si
header __Z_DOMAIN_RPLTO_TLD Reply-To =~ /\.(ar|pk|by|za|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|ae|ga|rs|dz|tr)(?:\s|>)+/si
meta Z_DOMAIN_SPAM_TLD (__Z_DOMAIN_RCVD_TLD || __Z_DOMAIN_RPLTO_TLD)
score Z_DOMAIN_SPAM_TLD 2.6
describe Z_DOMAIN_SPAM_TLD Prevalent use of .info|.links|.rocks, etc in spam/malware
You can also do this:
Code:
# Matches the RFC-style empty group "undisclosed-recipients:;" in the To header
header UNDISC_RECIPS To =~ /^undisclosed-recipients?:\s*;$/
describe UNDISC_RECIPS Valid-looking "undisclosed-recipients:;"
score UNDISC_RECIPS 2.5
# Matches look-alike spellings that are not the RFC form
header FAKED_UNDISC_RECIPS To =~ /undisclosed[_ ]*recipient(?:s[^:]|[^s])/i
describe FAKED_UNDISC_RECIPS Probably faked or non RFC "Undisclosed Recipients"
score FAKED_UNDISC_RECIPS 3.0
Regards,
Minh.
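The spoofing, DOMAIN_NOT_IN_TO and UNDISC_RECIPS rules above, as an added example that is not from the post or from Zimbra: a small Python model of how SpamAssassin evaluates these header and meta rules, run over three constructed messages so you can see which rule fires and with what score before touching the live sauser.cf. The names DOMAIN, HEADER_RULES, META_RULES, evaluate and the sample messages are assumptions made here; the TLD rules are left out.

```python
import email
import re

# The domain the rules protect; the post says to replace example.com with your own.
DOMAIN = r"example\.com"

# Header rules from the post: rule name -> (header, regex). Names starting with
# "__" are zero-score sub-rules that only feed meta rules, as in SpamAssassin.
HEADER_RULES = {
    "__Z_FROM_BODY": ("From", re.compile(DOMAIN, re.I)),
    "__Z_FROM_SMTP": ("Return-Path", re.compile(r"@" + DOMAIN, re.I)),
    "__DOMAIN_IN_TO": ("To", re.compile(DOMAIN, re.I)),
    "UNDISC_RECIPS": ("To", re.compile(r"^undisclosed-recipients?:\s*;$")),
}
# Meta rules combine the boolean results of the header rules.
META_RULES = {
    "Z_SPOOFED_FROM": lambda h: h["__Z_FROM_BODY"] and not h["__Z_FROM_SMTP"],
    "DOMAIN_NOT_IN_TO": lambda h: not h["__DOMAIN_IN_TO"],
}
SCORES = {"Z_SPOOFED_FROM": 7.0, "DOMAIN_NOT_IN_TO": 3.0, "UNDISC_RECIPS": 2.5}


def evaluate(raw_message):
    """Return (fired_rules, total_score) for one RFC 5322 message. Header rules
    run first (an absent header never matches, as in SpamAssassin without
    [if-unset:]), then meta rules combine their results."""
    msg = email.message_from_string(raw_message)
    hits = {}
    for name, (header, pattern) in HEADER_RULES.items():
        value = msg.get(header)
        hits[name] = value is not None and pattern.search(value) is not None
    for name, condition in META_RULES.items():
        hits[name] = bool(condition(hits))
    fired = sorted(n for n, hit in hits.items() if hit and not n.startswith("__"))
    return fired, sum(SCORES[n] for n in fired)


# Constructed sample messages (not real mail). Return-Path is normally written
# by the receiving MTA from the SMTP envelope sender; here it is typed by hand.
SPOOFED = ("Return-Path: <bounce@mail-blast.invalid>\nFrom: Payroll <hr@example.com>\n"
           "To: staff@example.com\nSubject: Invoice attached\n\nSee attachment.\n")
BCC_BLAST = ("Return-Path: <promo@mail-blast.invalid>\nFrom: promo@mail-blast.invalid\n"
             "To: undisclosed-recipients:;\nSubject: Offer\n\nHello.\n")
LEGIT = ("Return-Path: <alice@example.com>\nFrom: alice@example.com\n"
         "To: bob@example.com\nSubject: Lunch\n\nNoon?\n")

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("bcc blast", BCC_BLAST), ("legit", LEGIT)]:
        print(label, evaluate(raw))
```

Z_SPOOFED_FROM also fires on legitimate mail that a third-party service or mailing list sends on your domain's behalf, because their Return-Path is their own bounce address; check the score against such senders before relying on a 7-point hit.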
Re: how to prevent email with ransomware in attachment ?
Posted: Mon Aug 31, 2020 10:48 am
by zimico
Hi,
The exact file location on Zimbra 8.8 is: /opt/zimbra/data/spamassassin/localrules/sauser.cf
Code:
-rw-r----- 1 zimbra zimbra 14740 Aug 31 10:35 /opt/zimbra/data/spamassassin/localrules/sauser.cf
If you do not have this file you can create it.
Regards,
Minh
Re: how to prevent email with ransomware in attachment ?
Posted: Tue Sep 01, 2020 11:42 am
by zimico
Hi,
Please replace example.com with your real domain.
You should test your configuration by running:
$ /opt/zimbra/common/bin/spamassassin --lint
After that, restart your antispam:
$ zmantispamctl restart
Regards,
Minh.
Re: how to prevent email with ransomware in attachment ?
Posted: Wed Sep 02, 2020 3:19 am
by zimico
Hi,
Which Zimbra version are you using?
zmcontrol -v
I am using Zimbra 8.8.15; if you are using an old Zimbra version, please google for the exact path.
You should put all your customization config in sauser.cf, as Zimbra suggests.
Regards,
Minh.
Re: how to prevent email with ransomware in attachment ?
Posted: Wed Sep 02, 2020 5:05 am
by zimico
Hi,
You can follow this wonderful wiki from Jim:
https://wiki.zimbra.com/wiki/JDunphy-SA-RuleWriting
Jim has some scripts that check the message headers to confirm whether your rules work well or not.
Regards,
Minh.