zipped excel spam
Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6166
Printed Date: 12 March 2025 at 8:06pm
Topic: zipped excel spam
Posted By: ImInAfrica
Subject: zipped excel spam
Date Posted: 29 July 2007 at 11:18am
Hi, anyone else getting Excel spreadsheets inside a zip file, which is stock spam?
BIG red letters:
Turn $10,000 into $40,000 INVEST IN EXCHANGE MOBILE (OTC: EXMT)
|
Replies:
Posted By: Thermo
Date Posted: 29 July 2007 at 8:14pm
I am seeing these, email body is blank as well. This update is in the latest version, maybe it could be made to handle other attachment types with blank email bodies? We could specify the attachment types or use a wildcard for any type.
Thermo
{TODO -cNew : SpamFilter will now block emails that contain an
empty, blank body and also a PDF attachment, the new setting in the
.ini file is on by default: BlockBlankEmailsWithPDFAttachments=true}
|
Posted By: LogSat
Date Posted: 29 July 2007 at 11:17pm
We're beta testing a new build which is doing exactly what Thermo suggested. If testing goes well, we'll be releasing it publicly within a few days. Please contact us by email if you wish to test it (licensed users only). Please also include your order number in the email.
The change replaces the option in the SpamFilter.ini file introduced with build 700 (BlockBlankEmailsWithPDFAttachments) with the following:
;SpamFilter can block emails that contain only an empty, blank body and one of the following attachment. Clear the list if you don't want to stop such emails. Specify multiple attachments separated by commas
BlockBlankEmailsWithAttachments=*.pdf
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
|
Posted By: Stupid
Date Posted: 30 July 2007 at 10:50am
Why not just block *.zip? I block all emails with any executable or audio/video or compressed file.
You may not want to go to this extreme, but blocking zip files is a good practice.
|
Posted By: mbrusl
Date Posted: 30 July 2007 at 12:01pm
Stupid wrote:
Why not just block *.zip? I block all emails with any executable or audio/video or compressed file.
You may not want to go to this extreme, but blocking zip files is a good practice.
|
What happens when you need to receive a zip file or some other format from someone and you're blocking it? That's why I quarantine them instead. But then again, I also scan all emails as they enter the gateway.
Michael
|
Posted By: Stupid
Date Posted: 31 July 2007 at 12:46pm
Don't think we can quarantine attachments based on file type.
Quarantining all executable files is of great risk to me. I actually have another 2 layers to catch any executables that may slip through.
If someone wants to send me a zip file, I just tell them to rename it to zzz instead of zip.
It really depends. I am running a company, not an ISP which may have very different needs on how to satisfy customers and cannot be so restrictive.
For example, Yahoo does not filter out all executables, if I get infected, that would be my problem. However, if my user gets infected, that would be my problem because I am not an ISP.
mbrusl wrote:
Stupid wrote:
Why not just block *.zip? I block all emails with any executable or audio/video or compressed file.
You may not want to go to this extreme, but blocking zip files is a good practice.
|
What happens when you need to receive a zip file or some other format from someone and you're blocking it? That's why I quarantine them instead. But then again, I also scan all emails as they enter the gateway.
Michael
|
|
Posted By: sgeorge
Date Posted: 31 July 2007 at 1:12pm
I don't think I understand why you have added additional layers in order to block executables. SpamFilter is capable of blocking any pattern of attachments.
I too manage email for an organization, not an entire ISP, so my attachment policy can afford to be more safe and restrictive. If it's handy, here are all the attachments that I block using SpamFilter:
*.ade *.adp *.bas *.bat *.chm *.cmd *.com *.cpl *.crt *.exe *.hlp *.hqx *.hta *.inf *.ins *.isp *.js *.jse *.lnk *.mde *.msc *.msi *.msp *.mst *.pcd *.pif *.reg *.scr *.sct *.shs *.url *.uue *.vb *.vbe *.vbs *.wsc *.wsf *.wsh *.zip
-Stephen
|
Posted By: Stupid
Date Posted: 31 July 2007 at 2:11pm
Because in some rare cases, SPI lets some attachments through.
Try this:
http://www.gfi.com/emailsecuritytest/
Disclaimer: I don't work for GFI or sell their products. I am just a user who likes their products.
|
Posted By: sgeorge
Date Posted: 31 July 2007 at 2:22pm
Thanks, that looks like a very handy tool, I will test that out. I usually test for eicar in a few formats, but haven't encountered a tool with such a variety of tests. Nice 
Stephen
|
Posted By: Stupid
Date Posted: 31 July 2007 at 3:04pm
If you save a msg with an attachment, then attach that msg as an attachment, it will go through.
sgeorge wrote:
Thanks, that looks like a very handy tool, I will test that out. I usually test for eicar in a few formats, but haven't encountered a tool with such a variety of tests. Nice 
Stephen
|
|
|
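Added example, not part of the thread and not SpamFilter's own code: a Python sketch of the "blank body plus listed attachment" rule from LogSat's reply, which also shows why a filter that only reads top-level attachment names misses a file inside an attached message, as in the last post. It assumes the attached message arrives as a message/rfc822 part; the function names, the sample messages and the `*.pdf,*.zip` value are constructed for illustration.

```python
import fnmatch
from email import message_from_bytes, policy
from email.message import EmailMessage

def parse_patterns(ini_value):
    # "*.pdf, *.zip" -> ["*.pdf", "*.zip"]; an empty value disables the rule.
    return [p.strip().lower() for p in ini_value.split(",") if p.strip()]

def body_is_blank(msg):
    # Only the outer message's own body counts, not text inside attachments.
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()

def top_level_names(msg):
    # Naive view: filenames of the direct attachments only.
    return [(p.get_filename() or "").lower() for p in msg.iter_attachments()]

def all_names(msg):
    # walk() also descends into attached messages (message/rfc822 parts).
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]

def should_block(raw, ini_value, names=all_names):
    msg = message_from_bytes(raw, policy=policy.default)
    patterns = parse_patterns(ini_value)
    hits = [n for n in names(msg)
            if any(fnmatch.fnmatchcase(n, p) for p in patterns)]
    return body_is_blank(msg) and bool(hits), hits

def build(body, filename, wrap=False):
    # Constructed sample message; the attachment bytes are placeholder data.
    inner = EmailMessage()
    inner["Subject"] = "constructed sample"
    inner.set_content(body)
    inner.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    if not wrap:
        return inner.as_bytes()
    outer = EmailMessage()
    outer["Subject"] = "constructed sample, forwarded as attachment"
    outer.set_content("\n")
    outer.add_attachment(inner)  # becomes a message/rfc822 part
    return outer.as_bytes()

if __name__ == "__main__":
    rule = "*.pdf,*.zip"  # constructed value for the setting
    for raw in (build("\n", "stock.zip"), build("Report attached.", "q2.pdf"),
                build("\n", "stock.zip", wrap=True)):
        print(should_block(raw, rule), should_block(raw, rule, top_level_names))
```

A body that contains only empty HTML markup is treated as non-blank here; a production filter would strip tags before the check.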