[SOLVED] Need help with blocking attachment

F

felix_84

Member
Oct 22, 2017
29
6
23
39
Hello! We are being attacking by spam bots, wich sending mail from different address with different ip subnets. The subject also changes. The only thing that remains the same is attached pdf file, with we want to block.
We use content filter and try to compose regex that matching such file name МЕХГРÐ_Д.pdf, but had no luck. Does anyone figure out how to deal with such a thing?
Thanks in advance
 
You could consider adding a content filter matching all files not starting with an (ascii) letter or digit:
Code: 
[^a-zA-Z0-9].*\.pdf
and put all those files into quarantine.

Depending on your setup and environment (e.g. how many mails you receive with attachments with files named with non-ascii characters) this could be a mitigation in that situation

I hope this helps!
 
  • Like
Reactions: felix_84
Glad you found a solution! Please mark the thread as 'SOLVED' - it could help other users with a similar issue.
Thanks!
 
Just a little update. Today we discovered that we also need to accept legit mail with cyrillic attachments inside (russian and ukrainian).
We have tried to extend the expression like this
Code: 
[^a-zA-ZА-Яа-яЁёЇїІіЄєҐґ0-9].*\.pdf
and got expected perl error: "Wide character in subroutine entry at /usr/share/perl5/PMG/RuleDB/MatchFilename.pm" .
But due to prevous expression being blocked all non ascii named attachments, we got email alert with REMOVED_ATTACHMENT.txt and with
following content:
This attachment was removed: МЕХГРÐ_Д.pdf
That originaly matched filename МЕХГРÐ_Д.pdf we want to block. So we created regexp in content filtering to block filename with
Code: 
.*ÐœÐ.*
And it worked, despite of it does not evaluate the filename above.
May be there can be more elegant solution, but this one is working too.
 
You must log in or register to reply here.
Top Bottom