Blocking cannibalized spam/virus mail with password-protected attachments
Nikolaos Milas
nmilas at noa.gr
Tue Dec 22 09:24:28 CET 2020
Hello,
We are facing the following problem:
We are receiving floods of spam mail which mainly consist of excerpts
from older legitimate mail (and with identical Subject text). These
mails have been fitted with password-protected zip files (which are
virus-infected) - so that they cannot be scanned - and the password of
these zip files is included in the body of the mail.
(This mail aims at unsuspecting recipients, who may not scrutinize it
before opening, deceived by its apparent genuineness, and use the
included password to open the infected archive.)
Obviously someone participating in the associated correspondence was
hacked and all his/her mail was cannibalized by spammers/bots.
Because the original mail was legitimate (and the main part of the body
is a copy of it), the spam which is produced on this basis is very
difficult to classify as spam. SpamAssassin Bayes training is not
sufficiently successful in these cases, or it results in false positives
later on.
Can you please suggest ways in which we can configure amavis so as to
recognize and drop this kind of mail?
For example, we could configure (how??) amavis to drop mail with
attached password-protected files. Users would be informed to exchange
such files only through file sharing channels (like Google Drive,
WeTransfer, Dropbox), by providing download links. This approach has the
disadvantage that users get used to this type of exchange and thus
become less cautious about malicious mail with seemingly legitimate
hyperlinks to files on these channels, which in fact might lead to
infected files.
A second approach: this mail uses as a **Sender** a known (legitimate
user) name and an unknown mail address which has replaced the actual
(original, legitimate) one.
Could/Should we configure amavis with a database (e.g. a text file) with
known sender names and their legitimate mail addresses, so that we can
drop an incoming mail when a sender name uses a different mail address?
This is tricky, but it might prove very useful if used during the peak
of such floods, which consist of a series of mails belonging to a
particular user group (which has participated in the hacked older
conversations) whose real participants we know well.
As an example, a hypothetical database could include:
Sender_Name Sender_Email_Addresses
------------------------------------------------------------------------------------
...
"Dr James Brown" jbrown at example.com;drjbrown at example.net;brown at example.org
...
In this example, if a mail arrives with a Sender: "Dr James
Brown"<fxsrig at evil.example.xx>, amavis would be configured to drop it.
Amavis would be configured to: "If the sender has a name that is
included in the db, and the associated sender mail is not one of those
associated with the particular name in the db, then quarantine as spam."
Have you faced such floods? Please advise on how to treat this situation
and provide your experiences or ideas.
I will deeply appreciate your contribution.
Cheers,
Nick
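The display-name/address consistency rule proposed in the post, as an added stand-alone Python illustration (not amavis configuration and not code from the original post). The allowlist mirrors the hypothetical database above with constructed addresses; unknown display names are deliberately left untouched so only the "known name, wrong address" case is quarantined.

```python
import email
from email.utils import parseaddr

# Constructed allowlist modelled on the post's hypothetical database:
# normalized display name -> legitimate addresses (lowercased).
KNOWN_SENDERS = {
    "dr james brown": {
        "jbrown@example.com", "drjbrown@example.net", "brown@example.org",
    },
}


def normalize_name(name):
    """Collapse whitespace, drop quotes and ignore case so that
    '"Dr  James Brown"' and 'dr james brown' hit the same entry."""
    return " ".join(name.replace('"', "").split()).casefold()


def check_sender(header_value, db=KNOWN_SENDERS):
    """Apply the rule to one address header value.

    Returns 'quarantine' when the display name is in the database but the
    address is not one of its legitimate addresses, otherwise 'pass'.
    Names absent from the database are not judged at all."""
    name, addr = parseaddr(header_value)
    allowed = db.get(normalize_name(name))
    if allowed is None:
        return "pass"
    return "pass" if addr.casefold() in allowed else "quarantine"


def check_message(raw_message, db=KNOWN_SENDERS):
    """Evaluate both From: and Sender: of an RFC 5322 message; a hit on
    either header is enough to quarantine."""
    msg = email.message_from_string(raw_message)
    headers = [msg.get(h) for h in ("From", "Sender") if msg.get(h)]
    verdicts = [check_sender(h, db) for h in headers]
    return "quarantine" if "quarantine" in verdicts else "pass"


# Constructed sample messages (addresses are placeholders).
SAMPLE_SPOOF = ('From: "Dr James Brown" <fxsrig@evil.example.xx>\n'
                "Subject: Re: Invoice\n\nPassword for the archive: 1234\n")
SAMPLE_LEGIT = ("From: Dr James Brown <DrJBrown@example.net>\n"
                "Subject: Re: Invoice\n\nSee attached.\n")
SAMPLE_UNKNOWN = "From: Alice <alice@example.com>\nSubject: Hi\n\nHello.\n"

if __name__ == "__main__":
    for label, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT),
                       ("unknown", SAMPLE_UNKNOWN)):
        print(label, check_message(raw))
```

A real deployment would also need the database to be maintained as users change addresses, otherwise the rule produces the very false positives the post is trying to avoid.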