Re: Delaying mail delivery
> - To inspect mail for badness (there is a better solution in Postfix
> than hold+cron)

Would it be possible to explain what you mean by "a better solution"?
My problem is that for a while now we have been receiving mails containing 0-day
malware which is not recognised by any of our AV scanners
(Trendmicro/postfix relay, Symantec/Exchange and Kaspersky/Client).
Mostly the attachments are ZIP files containing executables (exe, com,
pif, scr). As we have a lot of developers, we do not want to block these
in general (as we already do with non-zipped executables).
The occurrences last only several minutes and the mails are sent only
to a few 100 recipients (~20k Mailboxes). The sources are mainly
compromised freemail accounts, so we cannot filter those mails by
origin (rbl, ...) and greylisting is not effective. We cannot even
filter based on message content or sender addresses. The mails are very
well forged (good language and design) and the senders vary. On a
regular basis we have dozens of infected workstations.
Sometimes, when we become aware of such a "malware wave", we put all
mails on HOLD over the weekend, giving the AV scanners time to update
their patterns. An interesting option would be the ability to delay the
delivery of mails meeting defined criteria (senders, clients or