how to prevent email with ransomware in attachment ?

BradC
Outstanding Member
Posts: 265
Joined: Tue May 03, 2016 1:39 am

Re: how to prevent email with ransomware in attachment ?

Post by BradC »

ingenetic wrote: is there any way to block email like the above from coming into my Zimbra users' inboxes?
Probably not, unless you set up a specific rule in the spam filter. If you check the e-mail headers, your address will be in the envelope address. The spammers use a forged To and From and put your address (and thousands of others) in the BCC, either sent directly or through an open relay.
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: how to prevent email with ransomware in attachment ?

Post by zimico »

Hi,
You can use the following rules (put them in /opt/zimbra/data/spamassassin/localrules/sauser.cfg). I learned this from Mr. Jim (JDunphy):

Code:

# Protect against spoofing: the body From claims our domain but the envelope sender does not
header __Z_FROM_BODY From =~ /example\.com/i
header __Z_FROM_SMTP Return-Path =~ /\@example\.com/i
meta Z_SPOOFED_FROM (!__Z_FROM_SMTP && __Z_FROM_BODY)
score  Z_SPOOFED_FROM 7
describe Z_SPOOFED_FROM From and Return-Path addresses are not the same

# Score up messages that do not carry my domain in the To field (typical of BCC blasts):
header __DOMAIN_IN_TO To =~ /example\.com/i
meta DOMAIN_NOT_IN_TO !__DOMAIN_IN_TO
score DOMAIN_NOT_IN_TO 3.0

# Score up messages received from, or replying to, TLDs that are prevalent in spam
header   __Z_DOMAIN_RCVD_TLD Received =~ /\.(ar|pk|by|za|rest|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|my|io|ae|ga|rs|dz|tr)\s+/si
header   __Z_DOMAIN_RPLTO_TLD Reply-To =~ /\.(ar|pk|by|za|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|ae|ga|rs|dz|tr)(?:\s|>)+/si
meta     Z_DOMAIN_SPAM_TLD      (__Z_DOMAIN_RCVD_TLD || __Z_DOMAIN_RPLTO_TLD)
score    Z_DOMAIN_SPAM_TLD 2.6
describe Z_DOMAIN_SPAM_TLD Prevalent use of .info|.links|.rocks, etc. in spam/malware
You can also do this:

Code:

# "\s*" allows optional whitespace between the colon and the semicolon
header UNDISC_RECIPS    To =~ /^undisclosed-recipients?:\s*;$/
describe UNDISC_RECIPS    Valid-looking "undisclosed-recipients:;"
score UNDISC_RECIPS 2.5
header FAKED_UNDISC_RECIPS    To =~ /undisclosed[_ ]*recipient(?:s[^:]|[^s])/i
describe FAKED_UNDISC_RECIPS    Probably faked or non-RFC "Undisclosed Recipients"
score FAKED_UNDISC_RECIPS 3.0
Regards,
Minh.
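To see what these rules actually match before deploying them, here is an added example (not from this thread, not from JDunphy's wiki, and not a substitute for SpamAssassin): a small Python re-implementation of the posted rules, scored against three constructed messages, including the forged-From / BCC-blast pattern BradC describes above. example.com is a placeholder exactly as in the posted rules, and the sample headers are invented.

```python
"""Added example: re-implements the SpamAssassin rules posted in the thread
(spoofed From, domain missing from To, spammy TLDs, undisclosed-recipients)
so their logic can be checked offline against constructed sample messages."""
import email
import re

MY_DOMAIN = r"example\.com"  # placeholder, replace with your own domain

# TLD list as posted in the thread (duplicate "it" dropped)
SPAM_TLDS = ("ar|pk|by|za|rest|online|click|science|it|ru|space|rocks|xyz|me|ec|eu|"
             "links|id|in|work|ninja|asia|mx|racing|faith|br|top|email|date|trade|"
             "bid|stream|club|loan|win|review|press|fun|mk|icu|gallery|host|cf|lt|"
             "my|io|ae|ga|rs|dz|tr")

# (rule name, header, regex). Names starting with "__" are unscored sub-rules,
# exactly as SpamAssassin treats them.
HEADER_RULES = [
    ("__Z_FROM_BODY", "From", re.compile(MY_DOMAIN, re.I)),
    ("__Z_FROM_SMTP", "Return-Path", re.compile("@" + MY_DOMAIN, re.I)),
    ("__DOMAIN_IN_TO", "To", re.compile(MY_DOMAIN, re.I)),
    ("__Z_DOMAIN_RCVD_TLD", "Received", re.compile(r"\.(%s)\s+" % SPAM_TLDS, re.I)),
    ("__Z_DOMAIN_RPLTO_TLD", "Reply-To", re.compile(r"\.(%s)(?:\s|>)+" % SPAM_TLDS, re.I)),
    ("UNDISC_RECIPS", "To", re.compile(r"^undisclosed-recipients?:\s*;$")),
    ("FAKED_UNDISC_RECIPS", "To", re.compile(r"undisclosed[_ ]*recipient(?:s[^:]|[^s])", re.I)),
]

# meta rules: boolean combinations of the sub-rules above
META_RULES = {
    "Z_SPOOFED_FROM": lambda h: h["__Z_FROM_BODY"] and not h["__Z_FROM_SMTP"],
    "DOMAIN_NOT_IN_TO": lambda h: not h["__DOMAIN_IN_TO"],
    "Z_DOMAIN_SPAM_TLD": lambda h: h["__Z_DOMAIN_RCVD_TLD"] or h["__Z_DOMAIN_RPLTO_TLD"],
}

SCORES = {"Z_SPOOFED_FROM": 7.0, "DOMAIN_NOT_IN_TO": 3.0, "Z_DOMAIN_SPAM_TLD": 2.6,
          "UNDISC_RECIPS": 2.5, "FAKED_UNDISC_RECIPS": 3.0}


def evaluate(raw_message):
    """Return {rule_name: score} for every scored rule that matches."""
    msg = email.message_from_string(raw_message)
    hits = {}
    for name, header, rx in HEADER_RULES:
        # a header may appear several times (Received); any instance counts
        hits[name] = any(rx.search(v) for v in (msg.get_all(header) or []))
    for name, cond in META_RULES.items():
        hits[name] = bool(cond(hits))
    return {name: SCORES[name] for name in SCORES if hits[name]}


def total_score(raw_message):
    return round(sum(evaluate(raw_message).values()), 1)


def _msg(*headers):
    # constructed sample: the given headers followed by a one-line body
    return "\n".join(headers) + "\n\nSample body.\n"


SAMPLES = {
    # ordinary internal mail: nothing should fire
    "legit_internal": _msg(
        "Received: from mail.example.com (mail.example.com [192.0.2.10])",
        "\tby mx.example.com with ESMTP; Mon, 1 Sep 2025 09:00:00 +0000",
        "Return-Path: <alice@example.com>",
        "From: Alice <alice@example.com>",
        "To: bob@example.com",
        "Subject: Lunch"),
    # the BCC blast BradC describes: forged From, our domain absent from To,
    # relayed through a host in a listed TLD
    "spoofed_blast": _msg(
        "Received: from relay.mail-blast.xyz (relay.mail-blast.xyz [203.0.113.5])",
        "\tby mx.example.com with ESMTP; Mon, 1 Sep 2025 10:00:00 +0000",
        "Return-Path: <bounce@mail-blast.xyz>",
        'From: "IT Support" <helpdesk@example.com>',
        "To: undisclosed-recipients:;",
        "Subject: Invoice attached"),
    # non-RFC "Undisclosed Recipients" display name; everything else internal
    "faked_undisclosed": _msg(
        "Received: from mail.example.com (mail.example.com [192.0.2.10])",
        "\tby mx.example.com with ESMTP; Mon, 1 Sep 2025 11:00:00 +0000",
        "Return-Path: <billing@example.com>",
        "From: billing@example.com",
        "To: Undisclosed Recipients <billing@example.com>",
        "Subject: Statement"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, total_score(raw), evaluate(raw))
```

Running it shows the blast message collecting Z_SPOOFED_FROM, DOMAIN_NOT_IN_TO, Z_DOMAIN_SPAM_TLD and UNDISC_RECIPS (15.1 in total), while the internal mail scores nothing and the "Undisclosed Recipients" display name trips only FAKED_UNDISC_RECIPS. That is also a quick way to see why the TLD list needs care: a plain "in" or "me" in the list matches any legitimate Received line whose hostname ends in those TLDs.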
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: how to prevent email with ransomware in attachment ?

Post by zimico »

Hi,
The exact file location on Zimbra 8.8 is: /opt/zimbra/data/spamassassin/localrules/sauser.cf

Code:

-rw-r----- 1 zimbra zimbra 14740 Aug 31 10:35 /opt/zimbra/data/spamassassin/localrules/sauser.cf
If you do not have this file you can create it.
Regards,
Minh
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: how to prevent email with ransomware in attachment ?

Post by zimico »

Hi,
Please replace example.com with your real domain.
You should test your configuration by running:
$ /opt/zimbra/common/bin/spamassassin --lint
After that, restart your antispam service:
$ zmantispamctl restart
Regards
Minh.
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: how to prevent email with ransomware in attachment ?

Post by zimico »

Hi,
Which Zimbra version are you using?
$ zmcontrol -v
I am using Zimbra 8.8.15; if you are using an older Zimbra version, please google for the exact path.
You should put all your customization config in sauser.cf, as Zimbra suggests.
Regards,
Minh.
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: how to prevent email with ransomware in attachment ?

Post by zimico »

Hi,
You can follow this wonderful wiki from Jim: https://wiki.zimbra.com/wiki/JDunphy-SA-RuleWriting
Jim has a script that checks the message headers to confirm whether your rules are working.
Regards,
Minh.