On 22/12/2020 08:39, Nikolaos Milas wrote:
> On 22/12/2020 10:24 a.m., Nikolaos Milas wrote:
>> Can you please suggest ways in which we can configure amavis so as to
>> recognize and drop this kind of mail?
> Another, probably better, approach would be to add to amavis a scan
> rule like:
> If body contains text like:
> Password archivio: XXXX
> -or-
> Archive pass: XXXX
> [where XXXX is a 3- or 4-digit number]
> ...followed by any number of spaces and/or end-of-line characters and
> then by the exact Sender name, then send to quarantine.
> That, because all such mails include in the body the following
> (injected) text:
> Password archivio: 851
> The_exact_Sender_name
> The_original_sender_email (i.e. not the changed one)
> Can someone please compose such a rule and guide me how to add it to
> amavis?
If you are using a reasonably modern version of ClamAV then just turn on
one or more of these options in clamd.conf to enable identification (see
man clamd.conf):
AlertEncrypted yes
AlertEncryptedArchive yes
AlertEncryptedDoc yes
and reload ClamAV. With the normal amavis settings, any emails that are
flagged will then be treated as virus-laden. What happens in that case
depends on your other amavis settings, especially $virus_quarantine_method.
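As an added example, not code from either message in this thread: a stand-alone Python script that models the two checks discussed above, the body pattern Nikolaos describes (password line, whitespace, exact sender display name) and the "encrypted archive" condition that an option like ClamAV's AlertEncryptedArchive reports, and runs them over constructed sample messages. The sender name, addresses, body text and the hand-built zip are constructed for the example; the script does not talk to amavis or clamd, it only shows what each check keys on.

```python
"""Added example, not code from the thread: model the two detections
discussed above and run them over constructed sample messages."""
import io
import re
import struct
import zipfile
import zlib
from email.message import EmailMessage
from email.utils import parseaddr

# Body rule as described in the thread: a password line carrying a 3- or
# 4-digit number, then any run of spaces/newlines, then the sender's exact
# display name.  The exact-name comparison is done in code, not in the regex.
PASSWORD_LINE = re.compile(
    r"^(?:Password archivio|Archive pass):[ \t]*(?P<pw>\d{3,4})\s*(?P<name>[^\r\n]+)",
    re.MULTILINE,
)


def body_rule_hit(msg: EmailMessage):
    """Return the archive password if the text body carries the injected
    'password + exact sender name' block, otherwise None."""
    display_name, _addr = parseaddr(str(msg["From"]))
    body = msg.get_body(preferencelist=("plain",))
    if body is None or not display_name:
        return None
    for m in PASSWORD_LINE.finditer(body.get_content()):
        if m.group("name").strip() == display_name:
            return m.group("pw")
    return None


def encrypted_zip_attachments(msg: EmailMessage):
    """Filenames of attached zips in which at least one entry has
    general-purpose flag bit 0 set, i.e. is marked as encrypted.  That flag
    is what makes a zip 'encrypted' to an archive heuristic; no password is
    needed to see it."""
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or not payload.startswith(b"PK"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    hits.append(part.get_filename())
        except zipfile.BadZipFile:
            continue
    return hits


def classify(msg: EmailMessage):
    """Reasons to quarantine; an empty list means neither check fired."""
    reasons = []
    pw = body_rule_hit(msg)
    if pw:
        reasons.append(f"body rule (archive password {pw})")
    enc = encrypted_zip_attachments(msg)
    if enc:
        reasons.append("encrypted zip: " + ", ".join(enc))
    return reasons


def make_zip(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Constructed one-entry stored zip, built by hand because zipfile cannot
    write encrypted archives.  For encrypted=True only the encryption flag
    bit is set (the data is left as-is), which is all the check looks at."""
    flags = 0x0001 if encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(data), len(data), len(name), 0) + name + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          0, 0, 0, crc, len(data), len(data), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def build_message(sender: str, body: str, zip_bytes: bytes) -> EmailMessage:
    """Constructed mail: text body plus one application/zip attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.com"  # constructed address
    msg["Subject"] = "Re: fattura"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="Documento.zip")
    return msg


# Constructed samples: display name kept, envelope address changed, as in the thread.
SENDER = "Mario Rossi <spoofed@example.net>"
INJECTED_BODY = ("Hi,\nsee the attached document.\n\n"
                 "Password archivio: 851\nMario Rossi\nmario@example.com\n")
CLEAN_BODY = "Hi,\nthe agreed file is attached.\n"

if __name__ == "__main__":
    bad = build_message(SENDER, INJECTED_BODY, make_zip(b"Documento.exe", b"MZ\x90\x00", True))
    good = build_message(SENDER, CLEAN_BODY, make_zip(b"notes.txt", b"hello\n", False))
    print("malicious sample:", classify(bad))
    print("clean sample:    ", classify(good))
```

The encrypted-archive check is the one worth keeping in mind when reading the ClamAV advice: the flag lives in the zip headers, so a scanner can raise it without ever seeing the password, which is exactly why these campaigns put the password in the body instead of protecting the container differently.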