arcive protected spam - ORF Forums

@bnefedov: Hello bnefedov,

As you must already know, ORF is a spam-filter and not an antivirus software, so compared to a full-fledged antivirus which is designed against malware specifically, its tools for malware prevention are extremely rudimentary. The main value of ORF in virus filtering is that spam and malware is often associated with the same IP addresses or domains, so the IP/domain reputation systems (e.g. DNSBLs) available through ORF may blacklist both activities at once.

That said, if the password of the malicious archives are displayed in the form of an embedded image (hosted on a remote server), you could use the following regex to block these infected emails (emails with inline images will not be blacklisted):

.*src="cid:[a-z0-9]{2,30}@[a-z]{2,15}

You should add it to the Keyword Blacklist, the search scope should be “Email Body + Body raw HTML source”, the Expression type should be Regular expression (Filter Expression tab).

In addition, if you have not done so already;

1) enable the DMARC, DKIM and SPF Tests (to verify the authenticity of incoming emails)

2) update your DNS Blacklist selection:
https://vamsoft.com/support/docs/knowledge-base/recommended-dnsbls-surbls-agents

3) and consider connecting ClamAV (a free antivirus agent) to ORF as an External Agent to mitigate the risk of infection. For step-by-step instructions on how to set up ClamAV as an External Agent for ORF, please consult the following guides:

http://vamsoft.com/support/docs/articles/using-clamav-with-ORF-part-1

http://vamsoft.com/support/docs/articles/using-clamav-with-ORF-part-2

I hope the above proves helpful to you, but let me know if you need further assistance.