On 31.03.2016 at 13:16, Rodney Green wrote:


On Wed, Mar 30, 2016 at 3:34 PM Reindl Harald <h.rei...@thelounge.net> wrote:



    On 30.03.2016 at 21:23, Rodney Green wrote:
     > I'd like to assign a spamassassin score to received word documents
     > (doc,docx,xls,xlsx) so they are quarantined on my UTM. I've tried the
     > following which doesn't work. Can someone show me an example that
     > should work?

    12.5 points for ordinary attachments?
    quarantine to make email a lottery?

    are you aware that the above list is missing the *really* dangerous ones
    with macros? what is the point of quarantine docx/xlsx?

    https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions

    better reject dangerous ones than punish your users by quarantine
    harmless files

Thanks. 12.5 is high. The server isn't dropping mail scored that high.
It quarantines it. I'm just trying to help prevent any ransomware from
hitting us. We have a small user base, so checking the quarantine and
releasing mail isn't a big deal.

I am unsure about your mention of macros. I've received doc files with
macros that were trojan downloaders. docx has no way of running
malicious code?

Please read the Wikipedia article

OOXML
.docx: Word document
.docm: Word macro-enabled document; same as docx, but may contain macros and scripts

I think that is pretty clear and says there is no point in quarantining docx - and BTW - if you want to prevent ransomware you need to quarantine PDF too, reject encrypted ZIP archives or at least need additional clamav signatures

I doubt that quarantine will help, since the last ransomware forwarded authentic mail from a user with an encrypted ZIP and the password on top, in the style "I forgot the attachment in my last mail", and when you know the sender and the subject looks sane, then without a working brain and ignoring macro warnings, damage will happen

If I would go and quarantine regular doc files just because of the extension, my users would send me an assassin
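
The distinction drawn in the reply above (plain .docx is not the problem, macro-enabled types and encrypted ZIP archives are), as an added example that is not part of the original thread: a Python classifier over a message's attachments. The function names, sample file names and the `vbaProject.bin` check for macro containers carrying a non-macro extension are assumptions of this example and go beyond what the thread states.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Macro-enabled OOXML extensions, per the Wikipedia list linked in the thread.
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam", "ppsm", "sldm"}

def classify(filename, payload):
    """Return (verdict, reason) for one attachment (hypothetical helper)."""
    if filename.rsplit(".", 1)[-1].lower() in MACRO_EXTS:
        return ("reject", "macro-enabled extension")
    if zipfile.is_zipfile(io.BytesIO(payload)):  # OOXML files are ZIP containers too
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            members = zf.infolist()
        if any(m.flag_bits & 0x1 for m in members):  # flag bit 0: entry is encrypted
            return ("reject", "encrypted ZIP")
        if any(m.filename.lower().endswith("vbaproject.bin") for m in members):
            return ("reject", "VBA project inside container")
    return ("pass", "no macro or encryption indicator")

def scan(raw):
    """Map each attachment filename in a raw message to its verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = ((p.get_filename() or "unnamed", p.get_payload(decode=True) or b"")
             for p in msg.iter_attachments())
    return {name: classify(name, body) for name, body in parts}

def _zip(members, encrypted=False):
    """Build a constructed in-memory ZIP; optionally flag its first entry encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"constructed sample")
    data = bytearray(buf.getvalue())
    if encrypted:  # general-purpose flags sit at offset 8 of the central-directory header
        data[data.index(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)

def build_sample():
    """Constructed message: one attachment per case the classifier distinguishes."""
    msg = EmailMessage()
    msg.set_content("constructed sample body")
    for name, members, enc in [("report.docx", ["word/document.xml"], False),
                               ("invoice.docm", ["word/document.xml"], False),
                               ("renamed.docx", ["word/vbaProject.bin"], False),
                               ("forgot.zip", ["invoice.doc"], True)]:
        msg.add_attachment(_zip(members, enc), maintype="application", subtype="zip", filename=name)
    return msg.as_bytes()
```

Calling `scan(build_sample())` passes only `report.docx`; the other three constructed attachments are rejected with the reason that matched first.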
