10-28-2016 12:06 AM
This week we got a lot of spam. Every spam mail has a zip attachment with a *.wsf file in it.
(e.g. Receipt 4382-0694.zip -> Receipt 12060-610911.wsf)
https://myonlinesecurity.co.uk/blank-email-receipt-malspam-delivers-locky-thor-version/
I wrote this filter to delete every attachment containing a js, wsf or jse file.
drop-js-jse-wsf: if attachment-filename == "\\.(js|wsf|jse)$"
{
drop-attachments-by-name("\\.(js|wsf|jse)$");
}
This filter works, but only when the mail is not quarantined by the outbreak filter.
I always thought the pipeline order was: first the filters (CLI or GUI), then the outbreak filter.
It seems the filter doesn't match when the mail has the outbreak filter verdict = negative.
Do I have a misconception?
File attachments to this mail = jpg with outbreak filter verdict = negative (filter works) and jpg with outbreak filter verdict = positive (filter untouched)
Current AsyncOS Version: 10.0.0-203
10-28-2016 07:35 AM
Hi,
The message filter should strip the attachment even if the message triggers the outbreak rules later in the email pipeline.
I would suspect that the email in question, where the outbreak filter was triggered, simply did not match the filter condition, or that another filter above it in the order caused this filter to be skipped.
I would recommend adding log entries to all filters in use to track how such emails flow through the pipeline and which filters are triggered along the way.
Thanks
Libin Varghese
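An offline check of the attachment-name regex from the thread, as an added example (not AsyncOS code and not from either poster): it reproduces the intent of the posted message filter in Python, matching attachment names ending in .js, .wsf or .jse, so a captured sample can be tested before the filter is deployed. Because the reported malspam carries the .wsf inside a .zip, the example also lists zip members; whether the appliance's attachment-filename rule looks inside archives is not something this example can establish. The sample message, its addresses and the .wsf content are constructed here for the test.

```python
"""Offline check of the attachment-name regex from the posted message filter.

Added example, not AsyncOS code. Assumptions: attachment names are taken
from Content-Disposition filenames, and members of zip attachments are
checked as well (the posted .zip -> .wsf case).
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Same expression as the posted filter (one backslash here, since this is a
# Python raw string rather than an AsyncOS double-quoted string).
# IGNORECASE is added so that "RECEIPT.WSF" is not missed; the filter on the
# page as written is case-sensitive.
SCRIPT_NAME_RE = re.compile(r"\.(js|wsf|jse)$", re.IGNORECASE)


def attachment_names(raw_message: bytes) -> list:
    """Return every attachment filename, plus the member names of zip attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        names.append(name)
        payload = part.get_payload(decode=True)
        # "PK" is the zip local-file-header magic; list the archive members too.
        if payload and payload[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    names.extend(zf.namelist())
            except zipfile.BadZipFile:
                pass  # not a readable zip; the outer name was already recorded
    return names


def matching_attachments(raw_message: bytes) -> list:
    """Names (outer or inside a zip) that the script-extension regex would catch."""
    return [n for n in attachment_names(raw_message) if SCRIPT_NAME_RE.search(n)]


def build_sample() -> bytes:
    """Constructed test message: a zip holding a .wsf, shaped like the reported malspam."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Harmless placeholder script body, constructed for the test.
        zf.writestr("Receipt 12060-610911.wsf",
                    "<job><script language='JScript'>WScript.Echo('test');</script></job>")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # constructed address
    msg["To"] = "victim@example.invalid"      # constructed address
    msg["Subject"] = "Receipt 4382-0694"
    msg.set_content("")                       # blank body, as in the reported campaign
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Receipt 4382-0694.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(attachment_names(build_sample()))
    print(matching_attachments(build_sample()))
```

Running it against the constructed sample shows that the outer attachment name (.zip) does not match the regex at all; only the .wsf member inside the archive does. That is the check to make when a message slips past the filter: confirm the name the rule actually sees matches the expression, and only then look at filter order or verdicts.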