>From: Dianne Skoll <d...@roaringpenguin.com>
>Sent: Friday, May 20, 2016 6:07 AM
>To: users@spamassassin.apache.org
>Subject: Re: SA cannot block messages with attached zip

>On Fri, 20 May 2016 09:31:48 +0300
>Emin Akbulut <eminakbu...@gmail.com> wrote:

>> What do you suggest to fight these spams?

>ClamAV is basically useless.

ClamAV helps a little with the unofficial signatures.
http://sanesecurity.com/usage/signatures/

>We do it the hard way. We list the contents of attached archives
>(using "lsar") and have filename-extension rules that block .js
>inside .zip files. While this can lead to some FPs, which we handle
>with selective whitelisting, it's very effective at catching the
>latest crop of cryptolocker-style attacks.

>Sorry for the non-easy answer. Doing it properly requires a non-trivial
>amount of coding.

MailScanner can do this. https://efa-project.org/

The best thing to do is block as much as you can at the MTA level with Postscreen and RBL weights like Reindl posted, greylisting, SMTP helo checks, etc.
http://multirbl.valli.org/lookup/213.252.170.66.html

The invaluement RBL subscription is not that expensive and will pay for itself pretty quickly. This and Spamhaus together block a lot of bad stuff at the MTA level long before SA has to see it, and I have never had to deal with a false positive on these in years.
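The archive-inspection approach Dianne describes above (list the members of attached archives, then apply filename-extension rules to them), as an added example that is not code from anyone in the thread: Python's zipfile stands in for lsar, and the blocked-extension set and the sample message are constructed assumptions, not taken from any real mail flow.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions blocked when found inside an archive (assumed list; the thread
# itself only names .js). Matched case-insensitively on the member basename.
BLOCKED_INNER_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".exe", ".scr"}


def blocked_names_in_zip(data: bytes) -> list:
    """Return zip member names with a blocked extension; nothing is extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()  # reads the central directory only
    except zipfile.BadZipFile:
        return []  # unparseable data: the caller decides how strict to be
    hits = []
    for name in names:
        base = name.rsplit("/", 1)[-1]  # strip the in-archive directory prefix
        ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
        if ext in BLOCKED_INNER_EXTENSIONS:  # directory entries have ext == ""
            hits.append(name)
    return hits


def scan_message(raw: bytes) -> dict:
    """Map each .zip attachment filename to the blocked members found inside it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            hits = blocked_names_in_zip(part.get_payload(decode=True))
            if hits:
                findings[fname] = hits
    return findings


def build_sample_message() -> bytes:
    """Constructed test mail: one zip attachment holding a .js and a .txt member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016/invoice.js", "// constructed placeholder\n")
        zf.writestr("invoice_2016/readme.txt", "plain text\n")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

`scan_message(build_sample_message())` returns `{'invoice.zip': ['invoice_2016/invoice.js']}`; a non-empty result is what a milter or SpamAssassin plugin would turn into a reject or score, with the whitelist step the thread mentions applied on top.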