ingenetic wrote: is there any way to block email like above to incoming to my zimbra users inbox ?
Probably not unless you set up a specific rule in the spam filter. If you check the E-mail headers your address will be in the envelope address. The spammers use a forged To and From and put your address (and thousands of others) in the BCC, either sent directly or through an open relay.
how to prevent email with ransomware in attachment ?
Re: how to prevent email with ransomware in attachment ?
- zimico
- Outstanding Member
- Posts: 225
- Joined: Mon Nov 14, 2016 8:03 am
- Location: Vietnam
- ZCS/ZD Version: 8.8.15 P3
- Contact:
Re: how to prevent email with ransomware in attachment ?
Hi,
You can use the following rule (put it in /opt/zimbra/data/spamassassin/localrules/sauser.cfg). I learned this from Mr. Jim (JDunphy):
Code:
# Protect against spoofing: From claims our domain but the envelope sender does not
header __Z_FROM_BODY From =~ /example\.com/i
header __Z_FROM_SMTP Return-Path =~ /\@example\.com/i
meta Z_SPOOFED_FROM (!__Z_FROM_SMTP && __Z_FROM_BODY)
score Z_SPOOFED_FROM 7
describe Z_SPOOFED_FROM From and Return-Path address are not the same
# Do not want to receive a message when my domain is not in the To field:
header __DOMAIN_IN_TO To =~ /example\.com/i
meta DOMAIN_NOT_IN_TO !__DOMAIN_IN_TO
score DOMAIN_NOT_IN_TO 3.0
# Do not want to receive messages relayed from, or replying to, these TLDs
header __Z_DOMAIN_RCVD_TLD Received =~ /\.(ar|pk|by|za|rest|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|my|io|ae|ga|rs|dz|tr)\s+/si
header __Z_DOMAIN_RPLTO_TLD Reply-To =~ /\.(ar|pk|by|za|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|ae|ga|rs|dz|tr)(?:\s|>)+/si
meta Z_DOMAIN_SPAM_TLD (__Z_DOMAIN_RCVD_TLD || __Z_DOMAIN_RPLTO_TLD)
score Z_DOMAIN_SPAM_TLD 2.6
describe Z_DOMAIN_SPAM_TLD Prevalent use of .info|.links|.rocks, etc in spam/malware
You can also do this:
Code:
header UNDISC_RECIPS To =~ /^undisclosed-recipients?:\s*;$/
describe UNDISC_RECIPS Valid-looking "undisclosed-recipients:;"
score UNDISC_RECIPS 2.5
header FAKED_UNDISC_RECIPS To =~ /undisclosed[_ ]*recipient(?:s[^:]|[^s])/i
describe FAKED_UNDISC_RECIPS Probably faked or non RFC "Undisclosed Recipients"
score FAKED_UNDISC_RECIPS 3.0
Regards,
Minh.
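To see which of the rules in the post above fire on a given message, and why, it helps to dry-run them against sample headers before touching the live filter. The block below is an added example, not code from the forum post or from Zimbra: it re-implements the header/meta/score logic of those rules in Python and runs it over three constructed messages (a legitimate internal mail, a spoofed "CEO" mail relayed from a .ru host with no real recipient list, and a mail with a cosmetic "Undisclosed Recipients" To line and a Reply-To on a listed TLD). The TLD list is the one from the Received rule, used here for both headers; `example.com` is the same placeholder the rules use. The authoritative test remains `spamassassin --lint` and `spamassassin -t < message.eml` as the thread goes on to say; note also that DOMAIN_NOT_IN_TO fires on any message without your domain in To, which includes legitimate BCC-only deliveries and many list mails, so its 3.0 is a deliberate trade-off.

```python
"""Offline dry run of the SpamAssassin rules from the post above (added example)."""
import re
from email import message_from_string

# Placeholder domain exactly as in the rules above; replace with the real one.
MY_DOMAIN = r"example\.com"

# TLD alternation taken from the post's Received rule; the post uses a slightly
# shorter list for Reply-To, a single list is used here for both headers.
SPAM_TLDS = ("ar|pk|by|za|rest|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|"
             "links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|"
             "stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|my|io|ae|"
             "ga|rs|dz|tr")

# `header NAME Header =~ /regex/flags` lines. A name starting with "__" is a
# sub-rule that scores nothing by itself and only feeds the meta rules.
HEADER_RULES = {
    "__Z_FROM_BODY": ("From", re.compile(MY_DOMAIN, re.I)),
    "__Z_FROM_SMTP": ("Return-Path", re.compile("@" + MY_DOMAIN, re.I)),
    "__DOMAIN_IN_TO": ("To", re.compile(MY_DOMAIN, re.I)),
    "__Z_DOMAIN_RCVD_TLD": ("Received", re.compile(r"\.(" + SPAM_TLDS + r")\s+", re.I | re.S)),
    "__Z_DOMAIN_RPLTO_TLD": ("Reply-To", re.compile(r"\.(" + SPAM_TLDS + r")(?:\s|>)+", re.I | re.S)),
    "UNDISC_RECIPS": ("To", re.compile(r"^undisclosed-recipients?:\s*;$")),
    "FAKED_UNDISC_RECIPS": ("To", re.compile(r"undisclosed[_ ]*recipient(?:s[^:]|[^s])", re.I)),
}

# `meta` / `score` lines: rule name -> (score, condition over the header-rule hits).
SCORED_RULES = {
    "Z_SPOOFED_FROM": (7.0, lambda h: h["__Z_FROM_BODY"] and not h["__Z_FROM_SMTP"]),
    "DOMAIN_NOT_IN_TO": (3.0, lambda h: not h["__DOMAIN_IN_TO"]),
    "Z_DOMAIN_SPAM_TLD": (2.6, lambda h: h["__Z_DOMAIN_RCVD_TLD"] or h["__Z_DOMAIN_RPLTO_TLD"]),
    "UNDISC_RECIPS": (2.5, lambda h: h["UNDISC_RECIPS"]),
    "FAKED_UNDISC_RECIPS": (3.0, lambda h: h["FAKED_UNDISC_RECIPS"]),
}


def evaluate(raw_message):
    """Return ({rule: score} for every rule that fired, total score).

    As in SpamAssassin, a header rule matches if any instance of that header
    matches, and an absent header never matches; that is why a message with
    no To: line at all (a BCC-only delivery) trips DOMAIN_NOT_IN_TO.
    """
    msg = message_from_string(raw_message)
    hits = {name: any(rx.search(value) for value in msg.get_all(header, []))
            for name, (header, rx) in HEADER_RULES.items()}
    fired = {name: score for name, (score, cond) in SCORED_RULES.items() if cond(hits)}
    return fired, sum(fired.values())


def build_sample(*header_lines):
    """Assemble a minimal RFC 822 message from header lines (constructed data)."""
    return "\n".join(header_lines + ("Subject: test", "", "body"))


# Constructed sample messages, not captured traffic; 192.0.2.0/24 is the
# RFC 5737 documentation address range.
LEGIT = build_sample(
    "Return-Path: <alice@example.com>",
    "Received: from mail.example.com (mail.example.com [192.0.2.5])",
    "\tby mail.example.com with ESMTP id 1; Mon, 14 Nov 2016 08:03:00 +0700",
    "From: Alice <alice@example.com>",
    "To: Bob <bob@example.com>",
)
SPOOFED = build_sample(  # From claims our domain; envelope sender and relay do not
    "Return-Path: <bounce@mail.evil.ru>",
    "Received: from mail.evil.ru (mail.evil.ru [192.0.2.10])",
    "\tby mail.example.com with ESMTP id 2; Mon, 14 Nov 2016 08:04:00 +0700",
    'From: "CEO" <ceo@example.com>',
    "To: undisclosed-recipients:;",
)
FAKED = build_sample(  # cosmetic "Undisclosed Recipients" plus a Reply-To on a listed TLD
    "Return-Path: <alice@example.com>",
    "Received: from mail.example.com (mail.example.com [192.0.2.5])",
    "\tby mail.example.com with ESMTP id 3; Mon, 14 Nov 2016 08:05:00 +0700",
    "From: Alice <alice@example.com>",
    "Reply-To: <deals@offers.xyz>",
    'To: "Undisclosed Recipients" <alice@example.com>',
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("faked", FAKED)):
        fired, total = evaluate(raw)
        print(f"{label:8s} score={total:.1f} {sorted(fired)}")
```

Running it prints a score of 0.0 for the legitimate mail, 15.1 for the spoofed one (Z_SPOOFED_FROM, DOMAIN_NOT_IN_TO, Z_DOMAIN_SPAM_TLD and UNDISC_RECIPS all fire) and 5.6 for the third (FAKED_UNDISC_RECIPS plus Z_DOMAIN_SPAM_TLD via Reply-To). Feeding it a real message saved from the mailbox shows which rule is responsible for a score before you adjust any of the numbers.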
- zimico
Re: how to prevent email with ransomware in attachment ?
Hi,
The exact file location on Zimbra 8.8 is: /opt/zimbra/data/spamassassin/localrules/sauser.cf
Code:
-rw-r----- 1 zimbra zimbra 14740 Aug 31 10:35 /opt/zimbra/data/spamassassin/localrules/sauser.cf
If you do not have this file you can create it.
Regards,
Minh
- zimico
Re: how to prevent email with ransomware in attachment ?
Hi,
Please replace example.com with your real domain.
You should test your configuration by running:
Code:
$ /opt/zimbra/common/bin/spamassassin --lint
After that, restart your antispam:
Code:
$ zmantispamctl restart
Regards,
Minh.
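The lint-then-restart order in the post above matters: a syntax error in sauser.cf that reaches a restart leaves the antispam service failing to load its rules. The wrapper below is an added example, not a Zimbra script: it writes the new rules, runs the lint command from the post, and only restarts if lint passes, otherwise restoring the previous file. The two command lines and the sauser.cf path are the ones from this thread; they are parameters so the logic can be exercised on a scratch file with `true`/`false` standing in for the real commands. Run it as the zimbra user, since both commands read Zimbra's own configuration.

```python
"""Lint before restart, roll back on failure (added example, not a Zimbra tool)."""
import os
import shutil
import subprocess

SAUSER_CF = "/opt/zimbra/data/spamassassin/localrules/sauser.cf"   # path from the thread
LINT_CMD = ["/opt/zimbra/common/bin/spamassassin", "--lint"]        # command from the thread
RESTART_CMD = ["zmantispamctl", "restart"]                          # command from the thread


def deploy_rules(rules_text, path=SAUSER_CF, lint_cmd=LINT_CMD, restart_cmd=RESTART_CMD):
    """Write `rules_text` to `path`, lint, and restart only if lint passes.

    Returns (ok, lint_output). On lint failure the previous file is put back
    (or the new file removed if there was none) and nothing is restarted, so
    the running service never sees a broken rules file.
    """
    backup = path + ".bak"
    had_previous = os.path.exists(path)
    if had_previous:
        shutil.copy2(path, backup)              # keep the last known-good rules
    with open(path, "w") as fh:
        fh.write(rules_text)
    lint = subprocess.run(lint_cmd, capture_output=True, text=True)
    output = lint.stdout + lint.stderr
    if lint.returncode != 0:
        if had_previous:
            shutil.move(backup, path)           # roll back to the known-good file
        else:
            os.remove(path)
        return False, output
    if had_previous:
        os.remove(backup)
    subprocess.run(restart_cmd, check=True)     # lint passed: safe to reload
    return True, output


def read_rules(path=SAUSER_CF):
    """Current contents of the rules file, '' if it does not exist."""
    if not os.path.exists(path):
        return ""
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    import sys
    # Usage: cat new-rules.cf | python3 deploy_rules.py   (as the zimbra user)
    ok, lint_output = deploy_rules(sys.stdin.read())
    print(lint_output, end="")
    sys.exit(0 if ok else 1)
```

The lint output is returned rather than swallowed, because `spamassassin --lint` names the offending line, which is what you need to fix the file.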
- zimico
Re: how to prevent email with ransomware in attachment ?
Hi,
Which Zimbra version are you using?
Code:
zmcontrol -v
I am using Zimbra 8.8.15; if you are using an old Zimbra version, please google for the exact path.
You should put all your customization config in sauser.cf, as Zimbra suggests.
Regards,
Minh.
- zimico
Re: how to prevent email with ransomware in attachment ?
Hi,
You can follow this wonderful wiki from Jim: https://wiki.zimbra.com/wiki/JDunphy-SA-RuleWriting
Jim has some scripts that check the message headers to confirm whether your rules work well or not.
Regards,
Minh.