archive protected spam - ORF Forums



My users receive strange spam emails. The letter is forged to look like business correspondence, something like "look at the account inside, the password for the archive is so-and-so", and the password is written in a picture. Regular expressions did not lead to anything, since the text is completely ordinary business text. In the letter there is an archive with a virus; entering the password starts the virus. How to deal with this type of spam? The archive is in rar format.

by bnefedov 5 years ago

@bnefedov: Hello bnefedov,

As you must already know, ORF is a spam filter and not antivirus software, so compared to a full-fledged antivirus which is designed against malware specifically, its tools for malware prevention are extremely rudimentary. The main value of ORF in virus filtering is that spam and malware are often associated with the same IP addresses or domains, so the IP/domain reputation systems (e.g. DNSBLs) available through ORF may blacklist both activities at once.

That said, if the password of the malicious archives is displayed in the form of an embedded image (hosted on a remote server), you could use the following regex to block these infected emails (emails with inline images will not be blacklisted):

.*src="cid:[a-z0-9]{2,30}@[a-z]{2,15}

You should add it to the Keyword Blacklist, the search scope should be “Email Body + Body raw HTML source”, the Expression type should be Regular expression (Filter Expression tab).

In addition, if you have not done so already:

1) enable the DMARC, DKIM and SPF Tests (to verify the authenticity of incoming emails)

2) update your DNS Blacklist selection:
https://vamsoft.com/support/docs/knowledge-base/recommended-dnsbls-surbls-agents

3) and consider connecting ClamAV (a free antivirus agent) to ORF as an External Agent to mitigate the risk of infection. For step-by-step instructions on how to set up ClamAV as an External Agent for ORF, please consult the following guides:

http://vamsoft.com/support/docs/articles/using-clamav-with-ORF-part-1

http://vamsoft.com/support/docs/articles/using-clamav-with-ORF-part-2

I hope the above proves helpful to you, but let me know if you need further assistance.

by Daniel Novak (Vamsoft) 5 years ago
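To see what the keyword-blacklist expression above actually catches, here is an added example (not ORF's or Vamsoft's code) that applies the same regex to the raw HTML source of constructed sample messages and also lists any .rar attachments, so both signals from the thread can be checked together. It assumes ORF evaluates the rule against the decoded text/html part and, as in the thread, applies it case-sensitively.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Keyword-blacklist expression from the thread, as given, applied to the raw
# HTML body source. It matches <img src="cid:..."> references to a Content-ID.
# Note it is case-sensitive and limited to [a-z0-9] / [a-z], so a cid value
# containing uppercase letters, dots or digits after the "@" would slip past.
ORF_CID_RULE = re.compile(r'.*src="cid:[a-z0-9]{2,30}@[a-z]{2,15}')


def build_sample(html: str, attach_rar: bool) -> bytes:
    """Build a constructed sample message (test data, not a real spam sample)."""
    msg = EmailMessage()
    msg["From"] = "accounting@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(html, subtype="html")
    if attach_rar:
        # Placeholder bytes stand in for the password-protected RAR archive.
        msg.add_attachment(b"RAR-PLACEHOLDER", maintype="application",
                           subtype="x-rar-compressed", filename="invoice.rar")
    return msg.as_bytes()


def html_sources(raw: bytes) -> list:
    """Return the decoded source of every text/html part of the message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() == "text/html"]


def matches_cid_rule(raw: bytes) -> bool:
    """True when any HTML part references an embedded image via cid:."""
    return any(ORF_CID_RULE.search(src) for src in html_sources(raw))


def rar_attachments(raw: bytes) -> list:
    """Filenames of attachments ending in .rar, the archive type in question."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [part.get_filename() for part in msg.iter_attachments()
            if (part.get_filename() or "").lower().endswith(".rar")]


if __name__ == "__main__":
    spam = build_sample('<p>Password: <img src="cid:inv01@mail"></p>', True)
    print(matches_cid_rule(spam), rar_attachments(spam))   # True ['invoice.rar']
```

A message whose only image is fetched from a remote URL (src="https://...") does not match the rule, which is why pairing it with an attachment check, or with ClamAV as suggested below, is more robust than the regex alone.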