The current development version has a new feature to detect such mails.

2018-12-03
fixed in assp 2.6.2 *Fortress* build 18337: 

added:

- 'DoNoFromSelect','Select Checks for From: and Sender: Header'
 Select which check should be done in DoNoFrom.
 
 1 - from: and sender: header tag are both missing
 2 - different domains found in from: and sender: email addresses
 4 - multiple from: addresses or from: header tags found
 8 - multiple sender: addresses or sender: header tags found
 16 - no or an invalid email address found in from: header tag
 32 - no or an invalid email address found in sender: header tag
 
 Simply form the sum of the numbers in front of the checks you want to 
 select (0...63). Default value is 63 (1+2+4+8+16+32) - all checks are 
 selected.'
 

>make the user open the attached document (usually .doc containing macro 
>viruses not identified by ClamAV)

configure ClamAV to detect OLE2 content
use the ASSP_AFC.pm plugin to detect executable code in attachments 
(including .doc with macro)

Thomas





From:    <marka...@gmx.de>
To:      <assp-user@lists.sourceforge.net>
Date:    21.12.2018 11:10
Subject: [Assp-user] Regular expression to identify malformed FROM: header





These days there are a lot of incoming mails with a malformed FROM: header 
looking like this:
From: Real Person <real.per...@wellknowndomain.com> <spam...@anydomain.xy>

This header fools MS Outlook (and probably other mail clients) into showing 
the well-known real e-mail address to make the user open the attached document 
(usually .doc containing macro viruses not identified by ClamAV).

I'm wondering if we could use bombHeaderRe to identify and score/block 
these messages. What should a regular expression look like to do that?

Regards,
Markus

PS: season's greetings to all of you.




_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user
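
The six DoNoFromSelect checks listed in the changelog, evaluated over a raw message as an added example. This is not ASSP's code (ASSP is written in Perl); the function names, the simplified address pattern and the constructed sample addresses are assumptions.

```python
import re
from email import message_from_string

# Bit values exactly as listed for DoNoFromSelect above.
BOTH_MISSING, DOMAIN_MISMATCH, MULTI_FROM = 1, 2, 4
MULTI_SENDER, BAD_FROM, BAD_SENDER = 8, 16, 32

# Simplified address test (assumption, not a full RFC 5322 parser).
ADDR_RE = re.compile(r"^[^@\s<>,]+@[^@\s<>,]+\.[^@\s<>,]+$")

def addresses(values):
    """Collect every address candidate from a list of header values."""
    found = []
    for value in values:
        bracketed = re.findall(r"<([^<>]*)>", value)
        # Without angle brackets, treat comma-separated tokens as addresses.
        found.extend(a.strip() for a in (bracketed or value.split(",")))
    return found

def domains(addrs):
    """Lower-cased domains of the syntactically valid addresses."""
    return {a.rsplit("@", 1)[1].lower() for a in addrs if ADDR_RE.match(a)}

def check_from_sender(raw_message, select=63):
    """Return the sum of the selected checks that fired for this message."""
    msg = message_from_string(raw_message)
    from_hdrs = msg.get_all("From", [])
    sender_hdrs = msg.get_all("Sender", [])
    from_addrs, sender_addrs = addresses(from_hdrs), addresses(sender_hdrs)
    hits = 0
    if not from_hdrs and not sender_hdrs:
        hits |= BOTH_MISSING
    from_dom, sender_dom = domains(from_addrs), domains(sender_addrs)
    if from_dom and sender_dom and from_dom != sender_dom:
        hits |= DOMAIN_MISMATCH
    if len(from_hdrs) > 1 or len(from_addrs) > 1:
        hits |= MULTI_FROM
    if len(sender_hdrs) > 1 or len(sender_addrs) > 1:
        hits |= MULTI_SENDER
    # Assumption: the "invalid address" checks apply only if the header exists.
    if from_hdrs and not all(ADDR_RE.match(a) for a in from_addrs):
        hits |= BAD_FROM
    if sender_hdrs and not all(ADDR_RE.match(a) for a in sender_addrs):
        hits |= BAD_SENDER
    return hits & select

# Constructed sample shaped like the From: header quoted in this thread.
SPOOFED = ("From: Real Person <real.person@wellknown.example> "
           "<other@anydomain.example>\nSubject: invoice\n\nbody\n")
```

With the default of 63, the constructed sample returns 4: only the "multiple from: addresses" check fires, because the message has no Sender: header to compare domains against.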





