What Object field match not working

repasp

Hello,
I have a fresh installation of PMG (pmg-api/7.2-2/fe97dfd3 (running kernel: 5.15.74-1-pve)).
I need to set a rule for password-protected XLSX files. Once an attached password-protected XLSX is received from an external network, it should be moved to quarantine and IT should be notified via email.
I have set the rule based on a header:
Code:
Found RULE 47 (prio: 54, in, active): pw_excel
  FOUND WHAT GROUP 82: excel_with_passwd
    OBJECT 126: X-SPAM-LEVEL=KAM_OLEMACRO_ENCRYPTED
  FOUND ACTION GROUP 83: notification_pw_excel
    OBJECT 127: notify admin@mydomain.com
  FOUND ACTION GROUP 71: Quarantine
    OBJECT 111: Move to quarantine.

Mail log entry:
Code:
Dec  9 14:47:31 pmg01 pmg-smtp-filter[886]: A02C263933C73DE4D4: SA score=2/5 time=0.054 bayes=undefined autolearn=no autolearn_force=no hits=ALL_TRUSTED(-1),AWL(-2.033),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_NUMSUBJECT(0.5),KAM_OLEMACRO_ENCRYPTED(3),KAM_OLEMACRO_RENAME(2.5)

This is the header part:

Code:
X-SPAM-LEVEL: Spam detection results:  2 ALL_TRUSTED                -1
 Passed through trusted hosts only via SMTP AWL                    -2.033
 Adjusted score from AWL reputation of From: address HTML_MESSAGE           
 0.001 HTML included in message KAM_DMARC_STATUS         0.01 Test Rule for
 DKIM or SPF Failure with Strict Alignment KAM_NUMSUBJECT            0.5
 Subject ends in numbers excluding current years KAM_OLEMACRO_ENCRYPTED     
 3 Has an Office doc that is encrypted KAM_OLEMACRO_RENAME       2.5 Has an
 Office doc that has been renamed

I have tested the object:
[Attached image: 1670594162107.png]
I have sent an email with a password-protected Excel attachment, but the rule doesn't seem to work: no corresponding log entry is shown and no action has been taken.
What is the proper form of matching?
I have tried other regexp forms of the given keyword, but no luck: no notification is sent and the mail is not moved to quarantine.
Thank you for your help!
Peter
 
The SPAMINFO macro is added to the headers after the what-matches are done - you cannot match on this data in the rule system.

Currently you can increase the spam score of the rule - with a custom score - then you can put matching mails to the spam quarantine (which is also reachable for the end user).
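
Added example, not part of the original posts and not Proxmox code: because the rule system cannot see the SPAMINFO header, this Python script reads the `pmg-smtp-filter` log line quoted in the question instead, flags messages that hit `KAM_OLEMACRO_ENCRYPTED`, and estimates the custom score that rule would need for the summed hits to reach a chosen spam level. The function names, the target level, and the assumption that the total is the plain sum of the listed hits are assumptions made for illustration.

```python
import re

# Log line copied from the question above (pmg-smtp-filter output).
SAMPLE = (
    "Dec  9 14:47:31 pmg01 pmg-smtp-filter[886]: A02C263933C73DE4D4: "
    "SA score=2/5 time=0.054 bayes=undefined autolearn=no autolearn_force=no "
    "hits=ALL_TRUSTED(-1),AWL(-2.033),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),"
    "KAM_NUMSUBJECT(0.5),KAM_OLEMACRO_ENCRYPTED(3),KAM_OLEMACRO_RENAME(2.5)"
)

LINE_RE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"SA score=(?P<score>-?\d+)/\d+ .*?hits=(?P<hits>\S+)"
)
HIT_RE = re.compile(r"([A-Za-z0-9_]+)\((-?\d+(?:\.\d+)?)\)")


def parse_sa_line(line):
    """Return queue id, logged integer score and per-rule hits, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    hits = {name: float(val) for name, val in HIT_RE.findall(m.group("hits"))}
    return {"qid": m.group("qid"), "score": int(m.group("score")), "hits": hits}


def min_custom_score(hits, rule, level):
    """Smallest score for `rule` so the summed hits reach `level`.

    Assumption: the other hits keep their logged values. Negative hits such
    as ALL_TRUSTED and AWL therefore raise the score the rule needs.
    """
    others = sum(v for name, v in hits.items() if name != rule)
    return round(level - others, 3)


def flag_encrypted_office(lines, rule="KAM_OLEMACRO_ENCRYPTED"):
    """Queue ids of logged messages whose hit list contains `rule`."""
    records = (parse_sa_line(line) for line in lines)
    return [r["qid"] for r in records if r and rule in r["hits"]]


if __name__ == "__main__":
    rec = parse_sa_line(SAMPLE)
    print("flagged:", flag_encrypted_office([SAMPLE]))
    print("sum of hits:", round(sum(rec["hits"].values()), 3))
    # level=5 is an assumed target; use the spam level of your quarantine rule.
    print("needed:", min_custom_score(rec["hits"], "KAM_OLEMACRO_ENCRYPTED", 5))
```

AWL varies per sender, so a score computed from one message is only a lower bound for that message; leave headroom when setting the custom score.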
 
