and BTW a mail from a machine listed at "pbl.spamhaus.org" (https://www.spamhaus.org/pbl/) should not make it to your content filters at all - so it appears that most people in this thread who face a high number of these problems don't set up their MTA properly

no way that the sample mail makes it to smtpd at all normally

On 23.05.2016 at 15:28, Reindl Harald wrote:
On 23.05.2016 at 15:24, Emin Akbulut wrote:

AVG or ClamAV or any other antivirus couldn't delete all these attached viruses, VirusTotal says. My mail server checks blacklists & SURBL servers. Anyway, we might receive mails from unlisted IPs like zombie PCs. The message with the Zip attachment includes javascript files and contains no URL in the body, so the SURBL check is useless. The Spamassassin score of these messages may vary, from 0.8 to 2.6. Here is one of the latest messages: http://pastebin.com/94njV9fF

easy to catch as already explained

/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: Sanesecurity.Foxhole.Zip_fs225.UNOFFICIAL FOUND
/var/www/uploadtemp/ff2053b4d12c6d31a32ece9eb5a442b005db2da3.eml: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND

----------- VIRUS-SCAN SUMMARY -----------
Infected files: 1
Time: 0.006 sec (0 m 0 s)

Content analysis details:   (33.5 points, 5.5 required)

 pts rule name                  description
---- -------------------------- --------------------------------------------------
 1.0 CUST_DNSBL_27_UCE2         RBL: dnsbl-uce-2.thelounge.net (dnsbl-2.uceprotect.net)
                                [27.67.28.43 listed in dnsbl-uce-2.thelounge.net]
 2.5 CUST_DNSBL_16_PSBL         RBL: dnsbl-surriel.thelounge.net (psbl.surriel.com)
                                [27.67.28.43 listed in dnsbl-surriel.thelounge.net]
 2.5 CUST_DNSBL_12_SPAMCOP      RBL: bl.spamcop.net
                                [27.67.28.43 listed in bl.spamcop.net]
 1.0 CUST_DNSBL_26_NSZONES      RBL: bl.nszones.com
                                [27.67.28.43 listed in bl.nszones.com]
 6.5 CUST_DNSBL_4_ZEN_PBL       RBL: zen.spamhaus.org (pbl.spamhaus.org)
                                [27.67.28.43 listed in zen.spamhaus.org]
 5.5 CUST_DNSBL_6_ZEN_XBL       RBL: zen.spamhaus.org (xbl.spamhaus.org)
 1.0 CUST_DNSBL_30_SENDERSC_MED RBL: score.senderscore.com (senderscore.com Medium)
                                [27.67.28.43 listed in score.senderscore.com]
 3.5 CUST_DNSBL_11_JEF_BLACK    RBL: hostkarma.junkemailfilter.com
                                [27.67.28.43 listed in hostkarma.junkemailfilter.com]
 5.0 CUST_DNSBL_7_CUDA          RBL: b.barracudacentral.org
                                [27.67.28.43 listed in b.barracudacentral.org]
 1.5 BAYES_50                   BODY: Bayes spam probability is 40 to 60%
                                [score: 0.5086]
 2.5 RDNS_NONE                  Delivered to internal network by a host with no rDNS
 0.0 RCVD_IN_MSPIKE_BL          Mailspike blacklisted
 0.5 RCVD_IN_MSPIKE_ZBI         No description available.
 0.5 HELO_MISC_IP               Looking for more Dynamic IP Relays
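The point made above is that a Zen PBL or XBL listing is something the MTA should act on before any content filter runs. As an added illustration, not code from this thread or from Spamhaus, here is a small Python lookup that decodes the documented zen.spamhaus.org return codes the way a reject_rbl_client style check does; the resolver is injectable, and the sample answers plus the 192.0.2.x addresses are constructed so it runs offline.

```python
import ipaddress
import socket

# zen.spamhaus.org answers with 127.0.0.x; the last octet names the sub-list
# (documented Spamhaus return codes; 127.255.255.x are query errors, not hits).
ZEN_CODES = {2: "SBL", 3: "SBL-CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             9: "SBL-DROP", 10: "PBL", 11: "PBL"}

def zen_query_name(ip):
    """Reverse the octets of an IPv4 address and append the Zen zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".zen.spamhaus.org"

def dns_resolver(name):
    """Live A-record lookup; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def zen_lookup(ip, resolver=dns_resolver):
    """Return the set of Zen sub-lists the IP is on; empty set = not listed."""
    hits = set()
    for answer in resolver(zen_query_name(ip)):
        prefix, _, last = answer.rpartition(".")
        # 127.255.255.252/254/255 signal a broken or blocked query: treat as
        # not listed rather than bouncing mail on a lookup failure.
        if prefix == "127.0.0" and int(last) in ZEN_CODES:
            hits.add(ZEN_CODES[int(last)])
    return hits

def reject_before_content_filter(ip, resolver=dns_resolver):
    """PBL (end-user space) or XBL (compromised host): reject at smtpd,
    before SpamAssassin or ClamAV ever see the message."""
    return bool(zen_lookup(ip, resolver) & {"PBL", "XBL"})

# Constructed sample: a fake resolver standing in for DNS. 192.0.2.10 mimics
# the PBL + XBL double listing in the quoted report; the addresses are made up.
SAMPLE_ANSWERS = {
    zen_query_name("192.0.2.10"): ["127.0.0.11", "127.0.0.4"],
    zen_query_name("192.0.2.30"): ["127.255.255.254"],  # query error
}

def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, sorted(zen_lookup(ip, sample_resolver)),
              reject_before_content_filter(ip, sample_resolver))
```

Dropping the resolver argument queries the real zone, which needs a non-forwarding resolver that Spamhaus has not rate-limited; otherwise you get the 127.255.255.x error codes the function deliberately ignores.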