Hello,
Some of the mail servers I admin are behind a Fortinet device that does content
inspection and removes viruses by replacing them with this content:
------=_NextPart_000_0012_F7463AA1.9316ADCB
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Length: 221
Connection: Close
Dangerous attachment removed. The file "ORDER_00812387.xlsx" was infected with the
"MSExcel/CVE_2017_11882!exploit" virus. It has been removed and quarantined as:
"[disabled]"."http://www.fortinet.com/ve?vid=10022639".
------=_NextPart_000_0012_F7463AA1.9316ADCB--
I created a rule that should catch this content and award it a score:
# one rule per line in the .cf file; body rules see the part text with line breaks turned into spaces
body FORTI_ATT_REMOVED /^Dangerous attachment removed\. The file "[^"]{0,255}" was infected with the "[^"]{0,63}" virus\. It has been removed and quarantined as: "[^"]{0,31}"\."http:\/\/www\.fortinet\.com\//
describe FORTI_ATT_REMOVED Dangerous attachment removed by Fortinet
score FORTI_ATT_REMOVED 5
So far, all the files I have found are small (<100K), but can (and should) I
somehow restrict the search for this content to only the beginning of attachments?
Is there anything I should do better?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
Windows found: (R)emove, (E)rase, (D)elete
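To check the rule offline, here is an added example that is not part of the post or of SpamAssassin: a Python script that rebuilds the regex on a single line (as a .cf file requires), approximates SpamAssassin's body rendering (the paragraph split and whitespace collapse are my assumption of what SA does, not SA's own code), and runs both the posted `\S` version and a `[^"]` variant over the quoted notice, over a constructed notice whose file name contains a space, and over a constructed benign message.

```python
import re

# The notice text a Fortinet gateway substitutes for a removed attachment
# (constructed here from the part quoted in the post, including its line wrap).
NOTICE = (
    'Dangerous attachment removed. The file "ORDER_00812387.xlsx" was infected with the\n'
    '"MSExcel/CVE_2017_11882!exploit" virus. It has been removed and quarantined as:\n'
    '"[disabled]"."http://www.fortinet.com/ve?vid=10022639".\n'
)

# Constructed variant: a file name containing a space, which \S cannot match.
NOTICE_SPACED_NAME = NOTICE.replace("ORDER_00812387.xlsx", "ORDER 00812387.xlsx")

# Constructed benign text that mentions the vendor but is not a removal notice.
BENIGN = "FYI: the Fortinet device was upgraded last night.\n\nNo attachments were removed.\n"


def build_rule_regex(name_class):
    """Build the rule's pattern as one line, using name_class for the quoted fields.

    SpamAssassin .cf files take one rule per line, and body rules are matched
    against text whose line breaks have become spaces, so the words that were
    split across lines in the post ("with" / "the") are joined by one space.
    """
    return re.compile(
        r'^Dangerous attachment removed\. The file "' + name_class + r'{0,255}"'
        r' was infected with the "' + name_class + r'{0,63}" virus\.'
        r' It has been removed and quarantined as: "' + name_class + r'{0,31}"'
        r'\."http://www\.fortinet\.com/'
    )


POSTED = build_rule_regex(r"\S")    # the post's choice: no whitespace inside the quotes
FIXED = build_rule_regex(r'[^"]')   # anything but a quote, so spaces in file names match


def render_paragraphs(text):
    """Approximation (an assumption, not SA's code) of SpamAssassin body rendering:
    split on blank lines into paragraphs and collapse all whitespace inside a
    paragraph to single spaces; each paragraph is then matched on its own."""
    return [" ".join(p.split()) for p in re.split(r"\n\s*\n", text) if p.strip()]


def hits(text):
    """Report whether each variant of the rule fires on any paragraph of text."""
    paragraphs = render_paragraphs(text)
    return {
        "posted": any(POSTED.search(p) for p in paragraphs),
        "fixed": any(FIXED.search(p) for p in paragraphs),
    }


def cf_lines(name="FORTI_ATT_REMOVED", score=5):
    """The [^"] rule as three single-line .cf entries (Perl regex syntax, '/' escaped)."""
    pattern = FIXED.pattern.replace("/", r"\/")
    return [
        f"body {name} /{pattern}/",
        f"describe {name} Dangerous attachment removed by Fortinet",
        f"score {name} {score}",
    ]


if __name__ == "__main__":
    for label, sample in [("notice", NOTICE), ("spaced name", NOTICE_SPACED_NAME), ("benign", BENIGN)]:
        print(f"{label:12s} {hits(sample)}")
    print("\n".join(cf_lines()))
```

The point of running both variants side by side is that the posted `\S{0,255}` silently misses any removed file whose name contains a space, while `[^"]` is still bounded by the closing quote, so it does not run away across the rest of the paragraph.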