On 3/31/11 6:15 PM, Giampaolo Tomassoni wrote:
> Via Amavis one can even "ban" executable attachments. With little work,
> one can develop a system which notifies users that such a message had
> been received and blocked, along with a link to an unlock web page.
> There users could see the message source, subject, attachment name,
> block reason and a few other data and, if they like, they can "unblock"
> the message to get it. Besides, the unlock page may run an AV check on
> the message when opened, to increase the chance to "catch" a virus
> which wasn't known as such when received.

yep, we do that. and with clamav, you can take a sha256 or md5
signature (using clamav's sigtool), make a local.hdb file and put into
../db/clamav, reload sigs, and you don't have to wait for clamav (which
has been taking 48 hours or so to get sigs for these that change every
12 hours... :-)

so, yes, we have rules that allow zips (which clients demand), but we
look for dhl/ups and any attachments like zip,rar,exe, and have them
rate 'spam' and are quarantined. then I can open quarantine, get the
zip, make a clamav sig.. so later, if a user tries to release it, we run
clamav one more time, and they see it's a virus.

we are seeing about one of these per email address per day.
so, a 10,000 user system is seeing 10,000 of these a day now.
and they change at about 23:00 GMT.

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation
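
The quarantine-to-signature workflow described in this message, as an added example that is not part of the original post or of ClamAV itself. It builds hash signature lines in the `MD5:Size:Name` layout that `sigtool --md5` prints, then re-checks an attachment at release time; the signature name and sample bytes are constructed for illustration.

```python
import hashlib

def hdb_entry(data: bytes, name: str) -> str:
    """Build one hash signature line in the .hdb layout: MD5:Size:Name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def parse_hdb(text: str) -> dict:
    """Map (md5, size) -> signature name; size None means the '*' wildcard."""
    sigs = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        # Skip blank or malformed lines instead of failing the whole load.
        if len(parts) < 3 or len(parts[0]) != 32:
            continue
        if parts[1] == "*":
            size = None
        elif parts[1].isdigit():
            size = int(parts[1])
        else:
            continue
        sigs[(parts[0].lower(), size)] = parts[2]
    return sigs

def rescan_on_release(data: bytes, sigs: dict):
    """Return the matching signature name, or None if nothing matches."""
    digest = hashlib.md5(data).hexdigest()
    return sigs.get((digest, len(data))) or sigs.get((digest, None))

# Constructed sample attachments (not real malware, not from the thread).
QUARANTINED = b"PK\x03\x04constructed-sample-zip-body"
OTHER = b"PK\x03\x04different-constructed-body"
SIG_NAME = "Local.Quarantine.Sample-1"  # hypothetical local signature name

def demo():
    """Sign the quarantined sample, then rescan both attachments on release."""
    local_hdb = hdb_entry(QUARANTINED, SIG_NAME) + "\n"
    sigs = parse_hdb(local_hdb)
    return rescan_on_release(QUARANTINED, sigs), rescan_on_release(OTHER, sigs)

if __name__ == "__main__":
    print(hdb_entry(QUARANTINED, SIG_NAME))
    print(demo())
```

Because the match is on an exact hash and size, any change to the attachment bytes needs a fresh signature, which is why the daily variants mentioned above each need their own entry.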