Hello all!
We've been using EFA for a few weeks, and while it has mostly eliminated the (massive) daily spam-dump campaigns that were hitting us, it has introduced another problem:
We are being hit hard with malicious attachments which are 'only' downloaders for the actual content. They are mostly .doc.js files embedded within a non-password-protected .zip file. EFA lets a good portion (most?) of them through at this point in time. While we can provide user notices and training, some of them have come from legitimate entities at other companies which had their email systems compromised. Users will only hold off on clicking that attachment for so long... Curiosity kills the data.
I can't find any way to adjust attachment filtering, and /mailscanner/status.php does not indicate whether an attachment was present. Training with SA Learn -> 'As Spam' is time consuming, and does not appear to be making any difference at this point in time.
Are there any suggestions?
(Malicious) Attachment Problems
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: (Malicious) Attachment Problems
How about blocking .js files inside of .zip archives?
Re: (Malicious) Attachment Problems
That would be a fantastic idea, but I don't know how to go about doing that with EFA. I'll be honest and say I don't know nearly as much about this project as I ought, given its immense flexibility!
Suggestions?
Thanks in advance!
Re: (Malicious) Attachment Problems
After further research, I found some changes to make:
Edit: /etc/MailScanner/MailScanner.conf
Change: Maximum Archive Depth
From: 0
To: 2
This is now successfully causing the Zip attachment to be stripped from the email, and replaced with a warning. Works for me!
I'm curious why this is set to 0 in EFA by default, when the MailScanner default is 2:
https://www.mailscanner.info/MailScanne ... ve%20Depth
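To show why the archive-depth setting matters for the .doc.js-in-a-zip attachments discussed in this thread, here is an added example (not EFA or MailScanner code, and not the poster's own) that walks a zip attachment and any zips nested inside it up to a configurable depth and reports members with script extensions. The suffix list, the depth-counting convention (depth 1 opens the attached archive itself, depth 2 one archive nested inside it) and the two sample archives are all constructed for illustration; MailScanner's own filename rules and unpacking logic are documented on the page linked above and are not reproduced here.

```python
import io
import zipfile

# Suffixes this example treats as dangerous inside an archive. This is a
# constructed illustration list, not MailScanner's filename rules.
DANGEROUS_SUFFIXES = (".js", ".jse", ".vbs", ".wsf")


def dangerous_members(archive_bytes, max_depth, depth=1, prefix=""):
    """Return paths of dangerous members in a zip, descending into nested zips.

    Depth counting used by this example: depth 1 opens the attached archive
    itself, depth 2 additionally opens one archive nested inside it, and so on.
    With max_depth == 0 the archive is never opened at all, so a .js member can
    never be matched, which is the behaviour the thread describes.
    """
    found = []
    if depth > max_depth:
        return found
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        # Not a zip (or corrupt): nothing to inspect at this level.
        return found
    with zf:
        for info in zf.infolist():
            path = prefix + info.filename
            lower = info.filename.lower()
            if lower.endswith(DANGEROUS_SUFFIXES):
                found.append(path)
            elif lower.endswith(".zip"):
                # Recurse into the nested archive, one level deeper.
                found.extend(
                    dangerous_members(zf.read(info), max_depth, depth + 1, path + "/")
                )
    return found


def should_strip(archive_bytes, max_depth):
    """True when the attachment would be stripped under the given archive depth."""
    return bool(dangerous_members(archive_bytes, max_depth))


def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a flat zip carrying a .doc.js file, and the same file
# wrapped one level deeper (zip inside zip). The file body is a placeholder.
FLAT_ZIP = build_zip({"invoice.doc.js": b"// placeholder body"})
NESTED_ZIP = build_zip({"invoice.zip": FLAT_ZIP, "readme.txt": b"hello"})

if __name__ == "__main__":
    for depth in (0, 1, 2):
        print(depth, dangerous_members(FLAT_ZIP, depth), dangerous_members(NESTED_ZIP, depth))
```

Running it shows that at depth 0 neither sample is flagged, at depth 1 only the flat zip is, and at depth 2 the zip-inside-zip case is caught as well, which is the reason a default of 0 lets these attachments straight through.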
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: (Malicious) Attachment Problems
Probably a holdover from the good old days of ESVA. I agree, we should default it to 2 or maybe even 3.
https://github.com/E-F-A/v3/issues/206
Re: (Malicious) Attachment Problems
*bump*
I just came across this thread while looking for a solution for denying all zip archived .js files.
So yes, changing the default would be good.
Also, is there a way to make explicitly sure that we just trash any zip encoded js files?
[edit: It seems that starts to happen once the setting is changed and mailscanner is restarted]
[edit2: fantastic! Everyone should turn this on immediately!]