On Thu, Mar 31, 2016 at 7:24 AM Reindl Harald <h.rei...@thelounge.net> wrote:
> On 31.03.2016 at 13:16, Rodney Green wrote:
> > On Wed, Mar 30, 2016 at 3:34 PM Reindl Harald <h.rei...@thelounge.net> wrote:
> >
> > > On 30.03.2016 at 21:23, Rodney Green wrote:
> > > > I'd like to assign a spamassassin score to received word documents
> > > > (doc,docx,xls,xlsx) so they are quarantined on my UTM. I've tried the
> > > > following which doesn't work. Can someone show me an example that
> > > > should work?
> > >
> > > 12.5 points for ordinary attachments?
> > > quarantine to make email a lottery?
> > >
> > > are you aware that the above list is missing the *really* dangerous ones
> > > with macros? what is the point of quarantine docx/xlsx?
> > >
> > > https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
> > >
> > > better reject dangerous ones than punish your users by quarantine
> > > harmless files
> >
> > Thanks. 12.5 is high. The server isn't dropping mail scored that high.
> > It quarantines it. I'm just trying to help prevent any ransomware from
> > hitting us. We have a small user base, so checking the quarantine and
> > releasing mail isn't a big deal.
> >
> > I am unsure about your mention of macros. I've received doc files with
> > macros that were trojan downloaders. docx has no way of running
> > malicious code?
>
> please read the wikipedia article
>
> OOXML
> .docx: Word document
> .docm: Word macro-enabled document; same as docx, but may contain macros
> and scripts
>
> i think that is pretty clear and says there is no point in quarantine
> docx - and BTW - if you want to prevent from ransomware you need to
> quarantine PDF too, reject encrypted ZIP archives or at least need
> additional clamav signatures
>
> i doubt that quarantine will help since the last ransomware forwarded
> authentic mail from a user with an encrypted ZIP and the password on top
> in the style "i forgot the attachment in my last mail" and when you know
> the sender, the subject looks sane without a working brain and ignore
> macro warnings damage will happen
>
> if i would go and quarantine regular doc-files just because of the
> extension my users would send me an assassin

Thank you much for the information!
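
The distinction discussed in this thread (macro-enabled OOXML extensions and encrypted ZIP archives versus plain .docx), as an added Python example that is not from either poster and is not a SpamAssassin rule. The function names, the verdict strings and the sample message are constructed for illustration.

```python
import io
import os
import zipfile
from email.message import EmailMessage

# Macro-enabled OOXML extensions (the "m" variants of docx/xlsx/pptx and friends).
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
              ".pptm", ".potm", ".ppam", ".ppsm", ".sldm"}

def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a ZIP at all; leave it to other checks

def attachment_verdicts(msg: EmailMessage) -> dict:
    """Map each attachment filename to 'reject' or 'pass' (hypothetical policy)."""
    verdicts = {}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1]
        bad = ext in MACRO_EXTS or (ext == ".zip" and zip_is_encrypted(data))
        verdicts[name] = "reject" if bad else "pass"
    return verdicts

def _sample_zip(encrypted: bool) -> bytes:
    """Constructed sample ZIP; optionally marks its single member as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "constructed sample")
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.find(b"PK\x01\x02")  # central directory file header
        raw[cd + 8] |= 0x01           # low byte of the general-purpose flag
    return bytes(raw)

def sample_message() -> EmailMessage:
    """Constructed message with four attachments covering each case."""
    msg = EmailMessage()
    msg.set_content("constructed sample body")
    for fname, data in [("report.docx", b"x"), ("report.docm", b"x"),
                        ("plain.zip", _sample_zip(False)),
                        ("locked.zip", _sample_zip(True))]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg

if __name__ == "__main__":
    print(attachment_verdicts(sample_message()))
```

The check is by filename extension and ZIP header flag only; it does not inspect document contents, so legacy .doc/.xls files with macros still need a content scanner such as the clamav signatures mentioned above.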