Blocking cannibalized spam/virus mail with password-protected attachments

Dominic Raferd dominic at timedicer.co.uk
Tue Dec 22 10:10:42 CET 2020


On 22/12/2020 08:39, Nikolaos Milas wrote:
> On 22/12/2020 10:24 a.m., Nikolaos Milas wrote:
>
>> Can you please suggest ways in which we can configure amavis so as to 
>> recognize and drop this kind of mail?
>
> Another, probably better, approach would be to add to amavis a scan 
> rule like:
>
> If body contains text like:
>
>    Password archivio: XXXX
>    -or-
>    Archive pass: XXXX
>
>    [where XXXX is a 3- or 4-digit number]
>
> ...followed by any number of spaces and/or end-of-line characters and 
> then by the exact Sender name, then send to quarantine.
>
> That, because all such mails include in the body the following 
> (injected) text:
>
>    Password archivio: 851
>
>
>    The_exact_Sender_name
>    The_original_sender_email (i.e. not the changed one)
>
> Can someone please compose such a rule and guide me how to add it to 
> amavis?


If you are using a reasonably modern version of ClamAV then just turn on 
one or more of these options in clamd.conf to enable identification (see 
man clamd.conf):

AlertEncrypted yes
AlertEncryptedArchive yes
AlertEncryptedDoc yes

and reload ClamAV. The normal amavis settings will then treat any emails 
that are flagged as virus-laden. What happens in that case depends on 
your other amavis settings, especially $virus_quarantine_method.
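
As an added illustration of the body check Nikolaos describes (not code from the thread, and not an amavis or ClamAV feature), the Python below applies that pattern to a message: the password line with a 3- or 4-digit number, then only whitespace or newlines, then the exact display name from the From: header. The sample messages and the function names are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real mail) in the lure form quoted in the thread:
# password line, blank lines, then the exact From: display name and address.
SAMPLE_HIT = """\
From: "Mario Rossi" <mario.rossi@example.invalid>
Subject: Fattura
Content-Type: text/plain; charset=utf-8

Buongiorno, in allegato la fattura.

Password archivio: 851


Mario Rossi
mario.rossi@example.invalid
"""

# Constructed legitimate mail: mentions a password, but not in the lure form.
SAMPLE_CLEAN = """\
From: "Mario Rossi" <mario.rossi@example.invalid>
Subject: Hello
Content-Type: text/plain; charset=utf-8

The archive password is 851, as agreed by phone. Regards, Mario
"""

# "Password archivio: NNN(N)" or "Archive pass: NNN(N)", as given in the thread.
PASSWORD_LINE = r"(?:Password archivio|Archive pass):\s*\d{3,4}"

def body_text(msg):
    """Concatenate the text/plain parts; the lure sits in the body, not the attachment."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def matches_password_lure(raw_message):
    """True when the body has the password line, then only whitespace, then the exact From: name."""
    msg = message_from_string(raw_message)
    name, _addr = parseaddr(msg.get("From", ""))
    if not name.strip():
        return False  # no display name to anchor on; leave this message to other checks
    pattern = re.compile(PASSWORD_LINE + r"\s+" + re.escape(name.strip()) + r"(?=\s|\Z)")
    return pattern.search(body_text(msg)) is not None
```

A rule like this would normally live in a SpamAssassin body rule or a local content filter rather than in amavis itself; the ClamAV encrypted-archive options above catch the attachment regardless of the body text.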



More information about the amavis-users mailing list