Spam Filter ISP Support Forum

zipped excel spam

ImInAfrica
Posted: 29 July 2007 at 11:18am

Hi,
Anyone else getting Excel spreadsheets inside a zip file, which is stock spam?

BIG red letters:

Turn $10,000 into $40,000
INVEST IN EXCHANGE MOBILE (OTC: EXMT)


 

Thermo
Posted: 29 July 2007 at 8:14pm

I am seeing these, email body is blank as well. This update is in the latest version, maybe it could be made to handle other attachment types with blank email bodies? We could specify the attachment types or use a wildcard for any type.

Thermo


{TODO -cNew : SpamFilter will now block emails that contain an empty, blank body and also a PDF attachment, the new setting in the .ini file is on by default: BlockBlankEmailsWithPDFAttachments=true}

LogSat
Posted: 29 July 2007 at 11:17pm

We're beta testing a new build which is doing exactly what Thermo suggested. If testing goes well, we'll be releasing it publicly within a few days. Please contact us by email if you wish to test it (licensed users only). Please also include your order number in the email.

The change replaces the option in the SpamFilter.ini file introduced with build 700 (BlockBlankEmailsWithPDFAttachments) with the following:

;SpamFilter can block emails that contain only an empty, blank body and one of the following attachment. Clear the list if you don't want to stop such emails. Specify multiple attachments separated by commas
BlockBlankEmailsWithAttachments=*.pdf

Roberto Franceschetti

LogSat Software

Spam Filter ISP

Stupid
Posted: 30 July 2007 at 10:50am

Why not just block *.zip? I block all emails with any executable or audio/video or compressed file.

You may not want to go to this extreme, but blocking zip files is good practice.

mbrusl
Posted: 30 July 2007 at 12:01pm

Originally posted by Stupid:

Why not just block *.zip? I block all emails with any executable or audio/video or compressed file.

You may not want to go to this extreme, but blocking zip files is good practice.


What happens when you need to receive a zip file or some other format from someone and you're blocking it?  That's why I quarantine them instead.  But then again, I also scan all emails as they enter the gateway.

Michael

Stupid
Posted: 31 July 2007 at 12:46pm

Don't think we can quarantine attachments based on file type.

Quarantining all executable files is of great risk to me. I actually have another 2 layers to catch any executables that may slip through.

If someone wants to send me a zip file, I just tell them to rename it to zzz instead of zip.

It really depends. I am running a company, not an ISP, which may have very different needs on how to satisfy customers and cannot be so restrictive.

For example, Yahoo does not filter out all executables; if I get infected, that would be my problem. However, if my users get infected, that would be my problem because I am not an ISP.

Originally posted by mbrusl:

Originally posted by Stupid:

Why not just block *.zip? I block all emails with any executable or audio/video or compressed file.

You may not want to go to this extreme, but blocking zip files is good practice.


What happens when you need to receive a zip file or some other format from someone and you're blocking it?  That's why I quarantine them instead.  But then again, I also scan all emails as they enter the gateway.

Michael

sgeorge
Posted: 31 July 2007 at 1:12pm

I don't think I understand why you have added additional layers in order to block executables.  SpamFilter is capable of blocking any pattern of attachments.

I too manage email for an organization, not an entire ISP, so my attachment policy can afford to be more safe and restrictive.  If it's handy, here are all the attachments that I block using SpamFilter:

*.ade
*.adp
*.bas
*.bat
*.chm
*.cmd
*.com
*.cpl
*.crt
*.exe
*.hlp
*.hqx
*.hta
*.inf
*.ins
*.isp
*.js
*.jse
*.lnk
*.mde
*.msc
*.msi
*.msp
*.mst
*.pcd
*.pif
*.reg
*.scr
*.sct
*.shs
*.url
*.uue
*.vb
*.vbe
*.vbs
*.wsc
*.wsf
*.wsh
*.zip

-Stephen

Stupid
Posted: 31 July 2007 at 2:11pm

Because in some rare cases, SPI lets some attachments through.

Try this:

http://www.gfi.com/emailsecuritytest/

Disclaimer: I don't work for GFI or sell their products. I am just a user who likes their products.


Edited by Stupid

sgeorge
Posted: 31 July 2007 at 2:22pm

Thanks, that looks like a very handy tool, I will test that out.  I usually test for eicar in a few formats, but haven't encountered a tool with such a variety of tests.  Nice 

Stephen

Stupid
Posted: 31 July 2007 at 3:04pm

If you save a msg with an attachment, then attach that msg as an attachment, it will go through.

Originally posted by sgeorge:

Thanks, that looks like a very handy tool, I will test that out.  I usually test for eicar in a few formats, but haven't encountered a tool with such a variety of tests.  Nice 

Stephen
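
Added example, not part of the thread and not SpamFilter's own code: a Python sketch of the two checks discussed above, a wildcard block list combined with a blank-body rule in the comma-separated format of BlockBlankEmailsWithAttachments, and a filename scan that also opens attached messages, which is the case the last post describes. The pattern values, function names and sample messages are constructed for illustration.

```python
import fnmatch
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subset of the block list posted in this thread.
BLOCKED = ["*.exe", "*.scr", "*.vbs"]
# Comma-separated like the BlockBlankEmailsWithAttachments setting; the value
# "*.pdf,*.zip" is an assumed example, not a shipped default.
BLANK_BODY_BLOCKED = [p.strip() for p in "*.pdf,*.zip".split(",") if p.strip()]

def parse(raw):
    return message_from_bytes(raw, policy=policy.default)

def top_level_names(msg):
    """Names seen by a check that does not open attached messages."""
    return [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]

def all_names(msg):
    """Names at every depth; walk() descends into message/rfc822 parts."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]

def body_is_blank(msg):
    """True when there is no text body or it holds only whitespace."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()

def verdict(raw):
    msg = parse(raw)
    names = all_names(msg)
    for n in names:
        if any(fnmatch.fnmatchcase(n, p) for p in BLOCKED):
            return "block: attachment " + n
    listed = any(fnmatch.fnmatchcase(n, p) for n in names for p in BLANK_BODY_BLOCKED)
    if body_is_blank(msg) and listed:
        return "block: blank body with listed attachment"
    return "accept"

def sample(body, filename, wrap=False):
    """Constructed test message; wrap=True attaches it to a second message."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content(body)
    m.add_attachment(b"constructed", maintype="application",
                     subtype="octet-stream", filename=filename)
    if wrap:
        outer = EmailMessage()
        outer.set_content("see attached message\n")
        outer.add_attachment(m, filename="saved.eml")
        m = outer
    return m.as_bytes()
```

For the wrapped sample, top_level_names() reports only saved.eml while all_names() also reports the inner file, which is why verdict() matches against the recursive list.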