The mails with docs attached are getting rejected successfully. I'm
getting a lot of these mails from a botnet now, each mail with a
different generated mail suffix, but always with our top level domain. I
hope that we don't get problems that the spammers are using our main
domain for spreading their spam :-/
Thomas B
On 01.02.2016 at 15:09, Reindl Harald wrote:
On 01.02.2016 at 15:05, Thomas Barth wrote:
No viruses were found.
Banned name: .exe,.exe-ms,23676883772984656662(1).doc.exe
Content type: Banned
Not quarantined.
The message WAS NOT relayed to:
xxx
554 5.7.0 Reject, id=09201-09 - BANNED:
.exe,.exe-ms,23676883772984656662(1).doc.exe
This message is a test result of ClamAV? I would like to add .doc as
banned name
sounds like amavis and as already suggested: reject it at smtpd level
mime_header_checks = pcre:/etc/postfix/mime_header_checks.cf
[root@mail-gw:~]$ cat /etc/postfix/mime_header_checks.cf
# Reject Attachment Extensions
/^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* = \s*"?(.*?(\.|=2E)(386|acm|ade|adp|apk|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)?"?\s*(;|$)/x
 REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) "$1"
On 01.02.2016 at 13:50, Reindl Harald wrote:
On 01.02.2016 at 13:48, Thomas Barth wrote:
for a week or so I get a lot of mails with bills as doc-documents and
Spamassassin is actually not able to mark it as spam
it is able
combined BAYES scores and other rules on a properly trained SA lead to
99.9% milter-reject rate of these malware mails here