[SOLVED] Need help with blocking attachment

[felix_84]

Hello! We are being attacking by spam bots, wich sending mail from different address with different ip subnets. The subject also changes. The only thing that remains the same is attached pdf file, with we want to block.
We use content filter and try to compose regex that matching such file name МЕХГРÐ_Д.pdf, but had no luck. Does anyone figure out how to deal with such a thing?
Thanks in advance

 

[Stoiko Ivanov]

You could consider adding a content filter matching all files not starting with an (ascii) letter or digit:

[^a-zA-Z0-9].*\.pdf

and put all those files into quarantine.

Depending on your setup and environment (e.g. how many mails you receive with attachments with files named with non-ascii characters) this could be a mitigation in that situation

I hope this helps!

 

[felix_84]

Thank you very much! Problem solved

 

[Stoiko Ivanov]

Glad you found a solution! Please mark the thread as 'SOLVED' - it could help other users with a similar issue.
Thanks!

 

[felix_84]

Just a little update. Today we discovered that we also need to accept legit mail with cyrillic attachments inside (russian and ukrainian).
We have tried to extend the expression like this

[^a-zA-ZА-Яа-яЁёЇїІіЄєҐґ0-9].*\.pdf

and got expected perl error: "Wide character in subroutine entry at /usr/share/perl5/PMG/RuleDB/MatchFilename.pm" .
But due to prevous expression being blocked all non ascii named attachments, we got email alert with REMOVED_ATTACHMENT.txt and with
following content:
This attachment was removed: МЕХГРÐ_Д.pdf
That originaly matched filename МЕХГРÐ_Д.pdf we want to block. So we created regexp in content filtering to block filename with

.*ÐœÐ.*

And it worked, despite of it does not evaluate the filename above.
May be there can be more elegant solution, but this one is working too.