and it works GREAT.

On Sat, Dec 22, 2018 at 12:00 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> The current development version has a new feature to detect such mails.
>
> 2018-12-03
> fixed in assp 2.6.2 *Fortress* build 18337:
>
> added:
>
> - 'DoNoFromSelect','Select Checks for From: and Sender: Header'
> Select which check should be done in DoNoFrom .
>
> 1 - from: and sender: header tag are both missing
> 2 - different domains found in from: and sender: email addresses
> 4 - multiple from: addresses or from: header tags found
> 8 - multiple sender: addresses or sender: header tags found
> 16 - no or an invalid email address found in from: header tag
> 32 - no or an invalid email address found in sender: header tag
>
> Simply form the sum of the numbers in front of the checks you want to
> select (0...63). Default value is 63 (1+2+4+8+16+32) - all checks are
> selected.'
>
> > make the user open the attached document (usually .doc containing macro
> > viruses not identified by ClamAV)
>
> configure ClamAV to detect OLE2 content
> use the ASSP_AFC.pm plugin to detect executable code in attachments
> (including .doc with macro)
>
> Thomas
>
> From: <marka...@gmx.de>
> To: <assp-user@lists.sourceforge.net>
> Date: 21.12.2018 11:10
> Subject: [Assp-user] Regular expression to identify malformed FROM: header
> ------------------------------
>
> These days there's a lot of incoming mails with a malformed FROM: header
> looking like this:
> From: Real Person <real.per...@wellknowndomain.com> <spam...@anydomain.xy>
>
> This header fools MS Outlook (and probably other mail clients) to show the
> well known real e-mail-address to make the user open the attached document
> (usually .doc containing macro viruses not identified by ClamAV).
>
> I'm wondering if we could use bombHeaderRe to identify and score/block
> these messages. What should a regular expression look like to do that?
>
> Regards,
> Markus
>
> PS: season's greetings to all of you.
_______________________________________________ Assp-user mailing list Assp-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-user
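
The six DoNoFromSelect checks listed in the quoted announcement, sketched as an added Python example (not ASSP's own code, which may evaluate the headers differently). The address regex, the reading of checks 16 and 32 as applying only when the header is present, and the `.example` sample addresses are assumptions.

```python
import re
from email import message_from_string

# Bit values exactly as listed for DoNoFromSelect in the post above.
BOTH_MISSING, DOMAIN_MISMATCH, MULTI_FROM, MULTI_SENDER, BAD_FROM, BAD_SENDER = 1, 2, 4, 8, 16, 32

# Simplified address pattern (assumption; not a full RFC 5322 parser).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def _addresses(values):
    """Address-like tokens in all occurrences of a header, ignoring quoted display names."""
    found = []
    for value in values:
        found += ADDR_RE.findall(re.sub(r'"[^"]*"', "", str(value)).lower())
    return found

def header_flags(raw_message, select=63):
    """Return the sum of the selected checks that fire for one raw message."""
    msg = message_from_string(raw_message)
    from_vals = msg.get_all("From") or []
    sender_vals = msg.get_all("Sender") or []
    from_addrs, sender_addrs = _addresses(from_vals), _addresses(sender_vals)
    flags = 0
    if not from_vals and not sender_vals:
        flags |= BOTH_MISSING
    if len(from_vals) > 1 or len(from_addrs) > 1:
        flags |= MULTI_FROM
    if len(sender_vals) > 1 or len(sender_addrs) > 1:
        flags |= MULTI_SENDER
    # Assumption: checks 16 and 32 apply only when the header is present.
    if from_vals and not from_addrs:
        flags |= BAD_FROM
    if sender_vals and not sender_addrs:
        flags |= BAD_SENDER
    from_domains = {a.rsplit("@", 1)[1] for a in from_addrs}
    sender_domains = {a.rsplit("@", 1)[1] for a in sender_addrs}
    if from_domains and sender_domains and from_domains != sender_domains:
        flags |= DOMAIN_MISMATCH
    return flags & select  # 'select' is the configured sum (0...63)

# Constructed sample shaped like the From: header quoted in the thread.
SPOOFED = ("From: Real Person <real.person@wellknown.example> <sender@other.example>\n"
           "Subject: Invoice\n\nbody\n")

if __name__ == "__main__":
    print(header_flags(SPOOFED))
```
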