> On 11/3/2022 3:40 PM, Matus UHLAR - fantomas wrote:
>> I've had this problem too, in spamassassin you can:
>>
>> uncomment in v343.pre:
>>
>> loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
>>
>> define rule:
>>
>> body L_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
>>
>> define meta rule for already existing __PDS_FROM_2_EMAILS:
>>
>> meta L_FROM_2_EMAILS (__PDS_FROM_2_EMAILS)
>>
>> - there's T_PDS_FROM_2_EMAILS which unfortunately does not hit when
>> e.g. DKIM signature exists
>>
>> and maybe meta rule for these:
>>
>> meta L_FROM_2_ENCRYPTED L_OLEMACRO_ZIP_PW && __PDS_FROM_2_EMAILS

On 12.03.22 01:34, Nikolaos Milas wrote:
> So, this would form a rule set like the following?
>
> body L_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
> meta L_FROM_2_EMAILS (__PDS_FROM_2_EMAILS)
> meta L_FROM_2_ENCRYPTED L_OLEMACRO_ZIP_PW && __PDS_FROM_2_EMAILS
> describe L_FROM_2_ENCRYPTED encrypted attachment and two mails
> score L_FROM_2_ENCRYPTED 5
>
> Is the above block valid? If not, please kindly correct.

looks perfectly valid. Note that L_OLEMACRO_ZIP_PW and L_FROM_2_EMAILS each
score 1 point by default.
If this is not what you want, start name with __

... I use L_ as prefix for local rules, __ prefixes test rules (no score by
default) and T_ prefixes test rules (score 0.01 by default).
rules with score 0 are not evaluated unless they are prefixed with __

> Also, what should I do to catch (and score) ALL mails with 2 different
> mail addresses in the From header (regardless whether there is an
> encrypted zip attachment or not)?

the __PDS_FROM_2_EMAILS should catch exactly this, but since the rule name
starts with __, it has no points by default.
--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.
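
Added example, not part of the thread or of SpamAssassin's shipped rules: the rule set discussed above, rearranged so that the zip-password test is a `__` sub-rule with no score of its own, while the two-address From check and the combined meta carry explicit scores. The name `__L_OLEMACRO_ZIP_PW`, the `describe` texts and the explicit 1.0 score are assumptions for illustration.

```conf
# local.cf fragment (added example).
# Requires this line to be uncommented in v343.pre:
#   loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

# Sub-rule: the __ prefix means it is evaluated but adds no score itself.
# (__L_OLEMACRO_ZIP_PW is a hypothetical rename of L_OLEMACRO_ZIP_PW.)
body      __L_OLEMACRO_ZIP_PW   eval:check_olemacro_zip_password()

# Scored on its own: every mail with two addresses in From,
# with or without an encrypted zip attachment.
# 1.0 is the default score for a rule without a score line, made explicit here.
meta      L_FROM_2_EMAILS       __PDS_FROM_2_EMAILS
describe  L_FROM_2_EMAILS       Two e-mail addresses in From header
score     L_FROM_2_EMAILS       1.0

# Combination: encrypted attachment AND two addresses in From.
# A message hitting this rule also hits L_FROM_2_EMAILS,
# so the total added by these local rules is 5 + 1.0 = 6.0.
meta      L_FROM_2_ENCRYPTED    __L_OLEMACRO_ZIP_PW && __PDS_FROM_2_EMAILS
describe  L_FROM_2_ENCRYPTED    Encrypted attachment and two addresses in From
score     L_FROM_2_ENCRYPTED    5
```

Running `spamassassin --lint` after editing reports syntax errors in the rule files before they reach production scanning.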