Hi matus,
I use upstream filtering all the time to add points with SA but I
typically do it with headers. Does Fortinet add any headers?
Especially depending on the size of emails, the attachment parsing
plugins like OCR you might have, etc., your rule could get pretty heavy
in terms of parsing.
However, since this is a rule giving points, no bad actor is going to
simulate it. You might just do a meta rule of some smaller key points:
body /dangerous attachment removed/i
uri /fortinet\.com\/ve\?vid=\d+/
Of course, this rule will hit on this email on your system which is why
a header is best :-)
Regards,
KAM
On 9/26/2022 12:20 PM, Matus UHLAR - fantomas wrote:
Hello,
Some of the mail servers I admin are behind a Fortinet device that does
content inspection and removes viruses by replacing them with this content:
------=_NextPart_000_0012_F7463AA1.9316ADCB
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Length: 221
Connection: Close
Dangerous attachment removed. The file "ORDER_00812387.xlsx" was
infected with the "MSExcel/CVE_2017_11882!exploit" virus. It has been
removed and quarantined as:
"[disabled]"."http://www.fortinet.com/ve?vid=10022639".
------=_NextPart_000_0012_F7463AA1.9316ADCB--
I created a rule that should catch this content and award it:
body FORTI_ATT_REMOVED /^Dangerous attachment removed\. The file \"\S{0,255}\" was infected with the \"\S{0,63}\" virus\. It has been removed and quarantined as: \"\S{0,31}\"."http:\/\/www\.fortinet\.com\//
describe FORTI_ATT_REMOVED Dangerous attachment removed by Fortinet
score FORTI_ATT_REMOVED 5
So far, all files I found are of small size (<100K), but can (and
should) I somehow restrict the search for this content to the beginning
of attachments only?
Is there anything I should do better?
--
Kevin A. McGrail
kmcgr...@apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
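As an added example (not code from the thread, and not SpamAssassin itself), the following Python script replays both matching approaches from the discussion over a constructed copy of the Fortinet notice: Matus's full anchored body regex and KAM's lighter body-plus-URI meta check. It parses the message with Python's email module and examines only the first HEAD_BYTES of each text part, which is one way outside SpamAssassin to do what the "beginning of attachments" question asks. The sub-rule names __FORTI_BODY, __FORTI_URI and FORTI_META, the whitespace folding in normalise() and the 512-byte head limit are my assumptions, not SpamAssassin behaviour; the envelope headers and first text part of the sample are made up, while the boundary, part headers and notice text are copied from the quoted message.

```python
"""Replay the Fortinet "Dangerous attachment removed" checks from the thread.

Equivalent SpamAssassin rules for KAM's meta-rule suggestion (the names are
assumptions made for this example):
  body __FORTI_BODY  /dangerous attachment removed/i
  uri  __FORTI_URI   /fortinet\\.com\\/ve\\?vid=\\d+/
  meta FORTI_META    (__FORTI_BODY && __FORTI_URI)
"""
import re
from email import message_from_string, policy

# Constructed test message: boundary, part headers and notice text come from
# the quoted post; the envelope headers and the first text part are invented.
SAMPLE_MSG = """From: sender@example.invalid
To: rcpt@example.invalid
Subject: ORDER_00812387
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_F7463AA1.9316ADCB"

------=_NextPart_000_0012_F7463AA1.9316ADCB
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Please find the order attached.

------=_NextPart_000_0012_F7463AA1.9316ADCB
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Length: 221
Connection: Close

Dangerous attachment removed. The file "ORDER_00812387.xlsx" was
infected with the "MSExcel/CVE_2017_11882!exploit" virus. It has been
removed and quarantined as:
"[disabled]"."http://www.fortinet.com/ve?vid=10022639".

------=_NextPart_000_0012_F7463AA1.9316ADCB--
"""

# Constructed clean message that must not trigger anything.
CLEAN_MSG = """From: sender@example.invalid
To: rcpt@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Nothing was removed from this message.
"""

# Matus's full body regex, transcribed into Python syntax. SpamAssassin body
# rules see line breaks folded into spaces; normalise() approximates that.
FORTI_ATT_REMOVED = re.compile(
    r'^Dangerous attachment removed\. The file "\S{0,255}" was infected with the '
    r'"\S{0,63}" virus\. It has been removed and quarantined as: "\S{0,31}"'
    r'\."http://www\.fortinet\.com/'
)

# KAM's two lighter checks; the meta rule requires both to hit.
FORTI_BODY = re.compile(r"dangerous attachment removed", re.I)
FORTI_URI = re.compile(r"fortinet\.com/ve\?vid=\d+")

FORTI_SCORE = 5   # score Matus assigned in his rule
HEAD_BYTES = 512  # assumption: only this much of each text part is examined


def normalise(text):
    """Collapse whitespace so a notice wrapped over several lines still matches."""
    return re.sub(r"\s+", " ", text).strip()


def text_part_heads(raw, head_bytes=HEAD_BYTES):
    """Yield the decoded first head_bytes bytes of every text/* part."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)[:head_bytes]
        charset = part.get_content_charset() or "utf-8"
        yield payload.decode(charset, errors="replace")


def scan_message(raw, head_bytes=HEAD_BYTES):
    """Return (hits, score): which rules fired and the resulting score."""
    hits = {"FORTI_ATT_REMOVED": False, "__FORTI_BODY": False, "__FORTI_URI": False}
    for head in text_part_heads(raw, head_bytes):
        text = normalise(head)
        # '^' without MULTILINE anchors to the start of the part head only.
        hits["FORTI_ATT_REMOVED"] |= bool(FORTI_ATT_REMOVED.search(text))
        hits["__FORTI_BODY"] |= bool(FORTI_BODY.search(text))
        hits["__FORTI_URI"] |= bool(FORTI_URI.search(text))
    # KAM's meta rule: both light sub-rules must fire before points are given.
    hits["FORTI_META"] = hits["__FORTI_BODY"] and hits["__FORTI_URI"]
    score = FORTI_SCORE if hits["FORTI_META"] else 0
    return hits, score


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MSG), ("clean", CLEAN_MSG)):
        print(name, scan_message(raw))
```

Lowering head_bytes far enough that the notice is cut off (for instance to 16) makes every check fall silent, which is the trade-off a head-only scan carries: it bounds parsing cost, but it only works while the notice really does sit at the start of the replacement part.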