tagging zip file as spam but not replacing/dropping - ORF Forums

tagging zip file as spam but not replacing/dropping RSS Back to forum

1

how can i do this? rather than outright replace/block in the attachment filter, I want to tag zip files as redirect to spambucket.

the problem here is we can have zero day virus infected whitelisted addresses that can send zips containing some undetectable cryptolocker variant.

Reply
by christopher.low more than 10 years ago
2

@christopher.low: Tagging the carrier email on an Attachment filtering hit is currently not possible (you can either replace the attachment with a removal notice or drop the entire email), but by installing ORF 5.2 Beta, you can quarantine these ZIP attachments and review/retrieve them later:

http://vamsoft.com/beta/

Reply
by Krisztián Fekete (Vamsoft) more than 10 years ago
(in reply to this post)

3

what about a keyword filter on the raw html body of the message? what would the regex look like? or not possible?

Reply
by christopher.low more than 10 years ago
4

@christopher.low: The raw HTML source does not show the attachments, but using the following Keyword Blacklist regular expression with the "Email header (Raw MIME)" scope might work:

.*^Content-Type:\s(application/(zip|x(-zip)?-compressed)|multipart/x-zip);$

Reply
by Krisztián Fekete (Vamsoft) more than 10 years ago
(in reply to this post)

5

thanks. giving it a go..

Reply
by christopher.low more than 10 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2