Hello,

We are facing the following problem:

We are receiving floods of spam mail which mainly consist of excerpts from older legitimate mail (and with identical Subject text). These mails have been fitted with password-protected zip files (which are virus-infected) - so that they cannot be scanned - and the body of the mail includes the password for these zip files.

(This mail targets unsuspecting recipients, who may not scrutinize it before opening, deceived by its apparent genuineness, and who use the included password to open the infected archive.)

Obviously someone participating in the associated correspondence was hacked and all his/her mail was cannibalized by spammers/bots.

Because the original mail was legitimate (and the main part of the body is a copy of it), the spam which is produced on this basis is very difficult to classify as spam. SpamAssassin Bayes training is not sufficiently successful in these cases, or it results in false positives later on.

Can you please suggest ways in which we can configure amavis so as to recognize and drop this kind of mail?

For example, we could configure (how??) amavis to drop mail with attached password-protected files. Users would be informed to exchange such files only through file sharing channels (like google drive, wetransfer, dropbox), by providing download links. This approach has the disadvantage that users get used to this type of exchange and thus become less cautious about malicious mail with seemingly legitimate hyperlinks to files on these channels, which in fact might lead to infected files.

A second approach: this mail uses as a **Sender** a known (legitimate user) name and an unknown mail address which has replaced the actual (original, legitimate) one.

Could/Should we configure amavis with a database (e.g. a text file) with known sender names and their legitimate mail addresses, so that we can drop an incoming mail when a sender name uses a different mail address?

This is tricky, but it might prove very useful if used during the peak of such floods, which consist of a series of mails belonging to a particular user group (which has participated in the hacked older conversations) whose real participants we know well.

As an example, a hypothetical database could include:

Sender_Name Sender_Email_Addresses
------------------------------------------------------------------------------------
...
"Dr James Brown" [email protected];[email protected];[email protected]
...

In this example, if a mail arrives with a Sender: "Dr James Brown"<[email protected]>, amavis would be configured to drop it.

Amavis would be configured to: "If the sender has a name that is included in the db, and the associated sender mail is not one of those associated with the particular name in the db, then quarantine as spam."

Have you faced such floods? Please advise on how to treat this situation and provide your experiences or ideas.

I will deeply appreciate your contribution.

Cheers,
Nick
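As an added illustration of the two rules proposed above (not code from the original post or from amavis), the following Python script checks a mail for a known sender display name paired with an address that is not on its list, and for a ZIP attachment whose local file header has the encryption flag set. The known-sender table, the example.org/example.net addresses and the sample messages are all constructed for the demo; the "encrypted" archive is simulated by setting the flag bit on an ordinary ZIP.

```python
import email, io, struct, zipfile
from email import policy
from email.message import EmailMessage

# Hypothetical known-sender table (display name -> legitimate addresses), as proposed in the post.
KNOWN_SENDERS = {
    "Dr James Brown": {"james.brown@example.org", "jbrown@example.com"},
}

def sender_mismatch(msg):
    """True when the From display name is known but the address is not on its allowed list."""
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        return False
    addr = hdr.addresses[0]
    allowed = KNOWN_SENDERS.get(addr.display_name)
    return allowed is not None and addr.addr_spec.lower() not in allowed

def zip_has_encrypted_entry(data):
    """Walk the local file headers (PK\\x03\\x04); bit 0 of the flags word marks an encrypted entry."""
    pos = data.find(b"PK\x03\x04")
    while pos != -1 and pos + 8 <= len(data):
        if struct.unpack_from("<H", data, pos + 6)[0] & 0x1:
            return True
        pos = data.find(b"PK\x03\x04", pos + 4)
    return False

def classify(raw):
    """Return the reasons a mail would be quarantined under the two rules from the post."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if sender_mismatch(msg):
        reasons.append("sender name/address mismatch")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04") and zip_has_encrypted_entry(payload):
            reasons.append("password-protected zip attachment")
            break
    return reasons

# --- constructed samples (not real traffic) ---
def build_mail(from_header, attachment):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_header, "team@example.org", "Re: Q3 report"
    msg.set_content("See attached.")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename="report.zip")
    return msg.as_bytes()

def plain_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.txt", "quarterly figures")
    return buf.getvalue()

def encrypted_flag_zip():
    # Simulate a password-protected archive: set bit 0 in the first local header's flags word.
    data = bytearray(plain_zip())
    data[6] |= 0x1
    return bytes(data)
```

`classify(build_mail('"Dr James Brown" <mailer@example.net>', encrypted_flag_zip()))` returns both reasons, while the same name with a listed address and a plain archive returns an empty list; a name absent from the table gets no sender verdict at all.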