Koozali.org: home of the SME Server

Block spear phishing using spoofed email addresses

bunkobugsy
Re: Block spear phishing using spoofed email addresses
« Reply #30 on: October 30, 2020, 03:12:09 PM »
Just a heads-up for anyone trying FromNameSpoof, a patch is needed for SA 3.4.2:

"Not a HASH reference at /usr/share/perl/5.24.1/Mail/SpamAssassin/Plugin/FromNameSpoof.pm line 319" just popped up in spamd log. So:

cd /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin
cp -p FromNameSpoof.pm FromNameSpoof.pm~orig
wget -O FromNameSpoof.pm "https://svn.apache.org/viewvc/spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/FromNameSpoof.pm?revision=1842029&view=co&pathrev=1842029"

https://forum.directadmin.com/threads/not-a-hash-reference-at-fromnamespoof-pm-line-319.57128/
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7624

bunkobugsy
Re: Block spear phishing using spoofed email addresses
« Reply #31 on: October 30, 2020, 03:47:56 PM »
They just went to another level: virused .doc files are zipped and pwd protected, pwd in mail body.

config setprop clamav ArchiveBlockEncrypted yes
expand-template /etc/clamd.conf
sv t clamd

clamd log: "Archive: Blocking encrypted archives."

bunkobugsy
Re: Block spear phishing using spoofed email addresses
« Reply #32 on: October 30, 2020, 11:34:21 PM »
This will block .doc, .xls (but not .docx, .xlsx) containing ANY macros (including benevolent ones):

create /etc/e-smith/templates-custom/etc/clamd.conf/OLE2BlockMacros containing:
OLE2BlockMacros yes

then run:
expand-template /etc/clamd.conf
sv t clamd

Clamd log should show "OLE2: Blocking all VBA macros." and "Heuristics.OLE2.ContainsMacros FOUND".
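The two clamd settings from Reply #31 and Reply #32 are easy to lose on a re-expanded template, so here is an added audit script (not code from this thread or from SME Server) that confirms both directives are active in a clamd.conf and that the clamd log shows the matching startup lines. File paths are parameters; the sample config and log below are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the forum thread: audit clamd hardening.
# check_clamd_conf CONF  -> 0 if ArchiveBlockEncrypted and OLE2BlockMacros are
#                           enabled (uncommented, value yes/true/1), else 1.
# check_clamd_log LOG    -> 0 if the log shows both features activated, else 1.

check_clamd_conf() {
    conf="$1"; rc=0
    for d in ArchiveBlockEncrypted OLE2BlockMacros; do
        # Anchored match skips commented-out defaults like "#OLE2BlockMacros no".
        if ! grep -Eq "^[[:space:]]*${d}[[:space:]]+(yes|true|1)[[:space:]]*$" "$conf"; then
            echo "MISSING: $d is not enabled in $conf"; rc=1
        fi
    done
    return $rc
}

check_clamd_log() {
    log="$1"; rc=0
    # These are the startup lines reported in the posts above.
    grep -q 'Archive: Blocking encrypted archives' "$log" \
        || { echo "MISSING: encrypted-archive blocking not logged"; rc=1; }
    grep -q 'OLE2: Blocking all VBA macros' "$log" \
        || { echo "MISSING: VBA macro blocking not logged"; rc=1; }
    return $rc
}

# Constructed sample standing in for /etc/clamd.conf after expand-template.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/clamd.conf" <<'EOF'
# clamd.conf (constructed sample)
LogFile /var/log/clamav/clamd.log
#ArchiveBlockEncrypted no
ArchiveBlockEncrypted yes
OLE2BlockMacros yes
EOF

# Constructed sample of the clamd log after "sv t clamd".
cat > "$SAMPLE_DIR/clamd.log" <<'EOF'
Archive: Blocking encrypted archives.
OLE2: Blocking all VBA macros.
EOF

# On a real server: check_clamd_conf /etc/clamd.conf; check_clamd_log /var/log/clamav/clamd.log
check_clamd_conf "$SAMPLE_DIR/clamd.conf" && check_clamd_log "$SAMPLE_DIR/clamd.log" \
    && echo "clamd hardening confirmed"
```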