tagging zip file as spam but not replacing/dropping

1

How can I do this? Rather than outright replace/block in the attachment filter, I want to tag zip files as redirect to spambucket.

The problem here is we can have zero-day virus infected whitelisted addresses that can send zips containing some undetectable cryptolocker variant.

by christopher.low 5 years ago
2

@christopher.low: Tagging the carrier email on an Attachment filtering hit is currently not possible (you can either replace the attachment with a removal notice or drop the entire email), but by installing ORF 5.2 Beta, you can quarantine these ZIP attachments and review/retrieve them later:

http://vamsoft.com/beta/

by Krisztián Fekete (Vamsoft) 5 years ago
(in reply to this post)

3

What about a keyword filter on the raw HTML body of the message? What would the regex look like? Or not possible?

by christopher.low 5 years ago
4

@christopher.low: The raw HTML source does not show the attachments, but using the following Keyword Blacklist regular expression with the "Email header (Raw MIME)" scope might work:

.*^Content-Type:\s(application/(zip|x(-zip)?-compressed)|multipart/x-zip);$

by Krisztián Fekete (Vamsoft) 5 years ago
(in reply to this post)
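
An added example, not part of the original thread and not Vamsoft's code: a small Python harness that runs the expression from the reply above over constructed MIME headers to show which `Content-Type` layouts it flags. It assumes the filter treats `^`/`$` as line anchors and lets `.` match newlines, and that the attachment's part headers are visible to the chosen scope; all sample headers and addresses are made up.

```python
import re

# Pattern from the reply above, unchanged. Assumption: the filter engine lets
# ^/$ match at line boundaries and "." match newlines (MULTILINE | DOTALL here).
ZIP_CT = re.compile(
    r'.*^Content-Type:\s(application/(zip|x(-zip)?-compressed)|multipart/x-zip);$',
    re.MULTILINE | re.DOTALL,
)

# Constructed MIME part headers (not taken from real mail).
SAMPLES = {
    "zip, folded name": 'Content-Type: application/zip;\r\n\tname="report.zip"',
    "x-zip-compressed": 'Content-Type: application/x-zip-compressed;\r\n\tname="report.zip"',
    "zip, name on one line": 'Content-Type: application/zip; name="report.zip"',
    "zip, no parameters": 'Content-Type: application/zip',
    "octet-stream zip": 'Content-Type: application/octet-stream;\r\n\tname="report.zip"',
    "pdf": 'Content-Type: application/pdf;\r\n\tname="report.pdf"',
}

def raw_message(part_header):
    """Wrap one attachment header in a minimal constructed multipart message."""
    return "\r\n".join([
        "From: sender@example.com",
        "To: rcpt@example.com",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        part_header,
        "Content-Transfer-Encoding: base64",
        "",
        "UEsDBA==",
        "--b1--",
        "",
    ])

def is_flagged(raw):
    # Python's $ only recognises "\n", so normalise CRLF before matching.
    return ZIP_CT.search(raw.replace("\r\n", "\n")) is not None

def coverage():
    """Return {sample name: True if the pattern flags that message}."""
    return {name: is_flagged(raw_message(h)) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in coverage().items():
        print(f"{'MATCH' if hit else 'miss':5}  {name}")
```

Under these assumptions the pattern only fires when the `Content-Type` line names a ZIP type and ends with a semicolon, so it is worth running it against headers captured from your own mail flow before relying on it.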

5

Thanks. Giving it a go..

by christopher.low 5 years ago
