1 Topic by Kris01

  • Kris01
  • Kris01
  • Member
  • Offline
  • From: Belgium
  • Registered: 2016-01-03
  • Posts: 43

Topic: Ransomware notificaion or warning

Hello,

I recieve a lot spam mails with ransomware attachments.

I know it's very hard to filter the bad ones out.

But can i add a warning message to the email (the ones that passes thrugh) ?

example:
Notification that says: Warning attachments are potential infected by ransomware. (or something like that)

It's just something that i can do for my email clients.

If somebody has a better idea, just let me know.

kind regards,

Kris

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Ransomware notificaion or warning

No idea to do this with emails which have attachments.

3 Reply by Kris01

  • Kris01
  • Kris01
  • Member
  • Offline
  • From: Belgium
  • Registered: 2016-01-03
  • Posts: 43

Re: Ransomware notificaion or warning

Create validation rule,

If Email has attachment add remark to subject or content ?

i don't know what is possible at iredmail.

4 Reply by pr

  • pr
  • Member
  • Offline
  • Registered: 2016-08-19
  • Posts: 2

Re: Ransomware notificaion or warning

Hi Kris

I don't know your situation (specially not legaly) but I'd try to block and ban executable attachments and use additional signatures for clamav.

To ban some executable files (by extension) edit your amavis configuration (in debian&ubuntu /etc/amavis/conf.d/50-user). If not yet present add $banned_filename_re, like this:

$banned_filename_re = new_RE(

## block banned file(1) types, rudimentary
qr'^\.(exe-ms|dll)$',
qr'^\.(exe|lha|cab|dll)$',
qr'.\.(pif|scr)$'i,

# block these MIME types
qr'^application/x-msdownload$'i,
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,

# block certain double extensions in filenames
qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

# banned ext - long
qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
wmf|wsc|wsf|wsh|bin|drv|ocx|ovl|ani|cur|ico|
ps1|psd1|psm1|ps1xml|clixml|psc1|pssc|
jar|lib|sys|vxd)$'ix,

# banned extension - WinZip vulnerab.
qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,

);

That will take care of exe files, screensavers, javascript, vbsciprt and wscript and a lot of other files you don't really want arriving in you users mailboxes. If not already set you can then specify

$final_banned_destiny     = D_DISCARD;

which will discard the mails. And if you want to receive a copy to some admin mailadress, you can also define

$banned_quarantine_to = 'your admin mailadress here';

To handle other attachment types, like office (word, excel) documents, use the sanesecurity signatures. In most cases these signatures will recognize rouge malware within a couple of hours of the apearing.
The easiest way to set up these and some other signatures is to use clamav-unofficial-sigs which you can find at github:
https://github.com/extremeshok/clamav-unofficial-sigs
Once you've got eXtremeSHOK's script up and running it will keep your signatures updated and clamav (which is already being used by amavis) will scan your incomming and outgoing mail with the aditional signatures.

Hope this helps you some
Regards
Philip

5 Reply by Trevour

  • Trevour
  • Member
  • Offline
  • Registered: 2016-10-31
  • Posts: 1

Re: Ransomware notificaion or warning

Absolutely agree with ransomware avoidance rules, however if you've already infected I would reccomend this source against ransomware http://myspybot.com/thor-virus-files/ because of rich database and recent updates of removals.