external agent test for https/http links to viral payloads downloads for whitelisted senders. RSS

1

is there one? eg: if you decided to whitelist a gmail address, yet somehow a spambot sending a virus payload in the form of a https link to eg (sugarsync, googledrive etc), there isn't a keyword blacklist it will check as an exception, so it goes through.

so the only way it will work is a external agent in antivirus role exception?

by christopher.low 4 years ago
2

@christopher.low: You are correct, you would need an External Agent for that. Agents can be written in just about any language, including PowerShell. I have contributed a PowerShell function to a recent topic here that can load and parse an email: http://pastebin.com/G5KA12nJ -- if you are familiar with PowerShell, the rest should be easy.

Another way would be to use ClamAV. If you check out the third-party anti-phishing signatures from SaneSecurity, they appear to be quite simple, so I think you can write your own signatures without a lot of investment learning the format.

by Péter Karsai (Vamsoft) 4 years ago
(in reply to this post)

3

ok I've set up clamav and now researching on how to block http urls by setting up custom signatures.

but frankly, I think this is something you should build into ORF

eg: a seperate keyword blacklist exception list (ie: whitelisted emails still run through this seperate keyword blacklist)

main thing here is just like attachment filtering exception, now virus/spam/cryptolocker are all moving towards download lockers. so I rather a feature to block all download locker type emails (ie: block googledrive/sugarsync/hightail/dropbox etc) and move it to a seperate spambucket for manual inspection.

by christopher.low 4 years ago
4

@christopher.low: Unfortunately, there is an inherent design conflict between spam filtering and malware filtering, as demonstrated by this whitelist issue and its mitigations in ORF (specifically, Whitelist Test Exceptions). The declared focus in ORF is on spam, so even though it offers a few rudimentary tools that may catch malware as a collateral, the malware problem is still best dealt with by using a dedicated anti-virus solution that covers the entire network.

by Péter Karsai (Vamsoft) 4 years ago
(in reply to this post)

5

true, but in this case, my antivirus (sophos) has already prevented the payload but the viral spam mail is still received. (in this instance, it passes SPF, and is a whitelisted email address (ie: auto sender whitelist).

by christopher.low 4 years ago
6

@christopher.low: Exactly my point, if they can already detect a threat specifically because they have the tool built for the purpose, maybe they should extend that to emails as another known attack medium.

by Péter Karsai (Vamsoft) 4 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

Nickname:
Email address (will not be published):
Your comment:

ORF Technical Support

Configuring, installing and troubleshooting ORF.

News & Announcements

Your dose of ORF-related news and announcements.

Everything but ORF

Discuss Exchange and system administration with fellow admins.

Feature Test Program

Feature Test Program discussion. Membership is required to visit this forum.

ORF Beta

Join the great bug hunt of the latest test release.

Customer Service

Stay Informed