On Thu, 14 Nov 2013 15:16:13 +0530 Kamaldeep Singh <kamald...@techblue.co.uk> wrote:
> Is there any rule we can write so that we can blacklist the zip/tar
> files which contain an "exe" file.

You most likely need to do it outside of SpamAssassin. I use MIMEDefang (naturally enough... I wrote it) and if an email has a zip attachment, I run "zipinfo" to extract the names of the members of the zip file and reject anything with an EXE, COM, SCR or BAT file in the zip.

Running "zipinfo -1 filename.zip" lists all the archive members, even if the zip is encrypted... luckily for us, zip file encryption only encrypts file contents, not the file names.

In my experience, ClamAV has become completely useless as a practical way to stop viruses. The viruses encrypt and mutate themselves much too quickly for ClamAV to keep up. I believe many commercial virus scanners are in the same boat. So we just block executables, whether directly attached or embedded in zip files.

Some statistics: On our main scanning cluster on 2013-11-13, we blocked 176,668 messages with EXE files in zip files. ClamAV only detected 4,610 viruses.

Regards,

David.
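The member-name check described in the message above, as an added example that is not part of the original post and is not the MIMEDefang filter itself: it uses Python's `zipfile` module in place of `zipinfo -1` to read names from the archive's central directory. The function names, the "unreadable" outcome and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# The four extensions the message says are rejected.
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "bat"}


def blocked_members(zip_bytes):
    """Return the archive member names that end in a blocked extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        # infolist() parses the central directory only. Nothing is decompressed
        # or decrypted, so names are available for password-protected zips too.
        for info in archive.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]   # strip any folder path
            _, dot, ext = base.rpartition(".")        # final suffix only
            if dot and ext.lower() in BLOCKED_EXTENSIONS:
                hits.append(info.filename)
    return hits


def verdict(zip_bytes):
    """Map an attachment to 'reject', 'accept' or 'unreadable'."""
    try:
        hits = blocked_members(zip_bytes)
    except zipfile.BadZipFile:
        # Not parseable as a zip; the caller decides policy (assumption:
        # the message does not say how such attachments are handled).
        return "unreadable", []
    return ("reject", hits) if hits else ("accept", [])


def make_sample_zip(names):
    """Build a constructed test archive in memory with placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_zip(["report.pdf", "docs/Invoice.PDF.EXE", "exe_notes.txt"])
    print(verdict(sample))
```
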