Re: Please help with rule

2008-02-25 Thread Loren Wilton

Untested, but try

uri EXECUTABLE_WEBSITE  /\.(?:exe|scr|pif)$/i

   Loren

- Original Message - 
From: Dave Koontz [EMAIL PROTECTED]

To: users@spamassassin.apache.org
Sent: Saturday, February 23, 2008 6:52 AM
Subject: Please help with rule


I am still getting some Storm Worm messages that are not being caught, 
even with Sane Security / ClamAV.  I thought I'd write a rule to score 
any URL that has a dot exe, scr or pif extension.  However, my rule is 
not working.  Can someone help advise what is wrong?  I want it to 
pickup any http or https with those extensions. 


body Dangerous_URL  /http{1,200}\.(?:exe|scr|pif)/i
describe Dangerous_URL  Dangerous URL
score Dangerous_URL  7.5

Thanks in advance!



Re: Please help with rule

2008-02-25 Thread Benny Pedersen

On Sat, February 23, 2008 15:52, Dave Koontz wrote:
 I am still getting some Storm Worm messages that are not being caught,
 even with Sane Security / ClamAV.  I thought I'd write a rule to score
 any URL that has a dot exe, scr or pif extension.  However, my rule is
 not working.  Can someone help advise what is wrong?  I want it to
 pickup any http or https with those extensions.

 body Dangerous_URL  /http{1,200}\.(?:exe|scr|pif)/i
 describe Dangerous_URL  Dangerous URL
 score Dangerous_URL  7.5

have you tested if the antivirus plugin caught it ?

below here is what i have in postfix mime_header_checks

/filename="?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)"?$/
 REJECT For security reasons we reject attachments of this type

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(cpl|lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/
 REJECT Attachment type not allowed. File $2 has the unacceptable extension $3

take care of line wraps
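To show what the two mime_header_checks patterns above actually reject, here is an added example (mine, not code from the post or from Postfix) that runs them over a few constructed MIME header lines. It assumes the patterns sit in a pcre: table, which Postfix matches case-insensitively by default (hence re.I), and that the quote characters the archive stripped were "? around the file name. The third check, the RFC 2231 "filename*=" form, is my addition to illustrate a case the posted patterns do not cover; the sample headers are constructed.

```python
"""Added example: the two Postfix mime_header_checks patterns from this
message, applied to constructed MIME header lines.

Assumptions: the patterns live in a pcre: table (Postfix matches those
case-insensitively by default, hence re.I) and the quote characters the
archive stripped are restored as "? around the file name.  Python's re
evaluates these particular patterns the same way PCRE does.
"""
import re

# The two checks as posted, in the order Postfix would try them.
CHECKS = [
    (re.compile(r'filename="?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)"?$', re.I),
     "REJECT For security reasons we reject attachments of this type"),
    (re.compile(r'^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(cpl|lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$', re.I),
     "REJECT Attachment type not allowed. File $2 has the unacceptable extension $3"),
]

# Added check (my assumption, not from the post): RFC 2231 encodes the file
# name as filename*=charset'lang'value (or filename*0*=... continuations).
# Neither posted pattern matches that form because of the '*' after "name".
RFC2231_CHECK = (
    re.compile(r'name\*?\d*\*?\s*=\s*"?(?:[^"]*\')?([^"\']*)\.(exe|scr|pif|cmd|bat|com|vbs|wsh)"?\s*$', re.I),
    "REJECT Attachment type not allowed. File $1.$2 has the unacceptable extension $2",
)
HARDENED_CHECKS = CHECKS + [RFC2231_CHECK]


def check_header(header, checks=CHECKS):
    """Return the action text of the first matching check, or None.

    $N in the action text is expanded from capture group N, as Postfix does.
    """
    for pattern, action in checks:
        m = pattern.search(header)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", action)
    return None


# Constructed sample header lines, one logical header each.
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="invoice.pdf.exe"',   # double extension
    'Content-Type: application/octet-stream; name="report.xl"',     # only the second check sees name=
    'Content-Disposition: attachment; filename="Setup.EXE"',        # case-insensitive match
    'Content-Disposition: attachment; filename="notes.txt"',        # benign
    "Content-Disposition: attachment; filename*=utf-8''setup.exe",  # RFC 2231 form
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h)
        print("  posted checks :", check_header(h))
        print("  with RFC 2231 :", check_header(h, HARDENED_CHECKS))
```

Two things worth keeping in mind when copying such rules: an RFC 2231 encoded name (or one whose dot is percent-encoded as %2E) slips past patterns that only look for a literal `name=`, and extension blocking at the MTA is a coarse filter that says nothing about the attachment's actual content, so it complements rather than replaces the ClamAV scan.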




Re: Please help with rule

2008-02-25 Thread Joseph Brennan



--On Saturday, February 23, 2008 23:08 -0500 Dave Koontz [EMAIL PROTECTED] 
wrote:



I am still getting some Storm Worm messages that are not being caught,
even with Sane Security / ClamAV.  I thought I'd write a rule to score
any URL that has a dot exe, scr or pif extension.  However, my rule is
not working.  Can someone help advise what is wrong?  I want it to pickup
any http or https with those extensions.


body Dangerous_URL  /http{1,200}\.(?:exe|scr|pif)/i



 uri  Dangerous_URL  /http.{1,200}\.(?:exe|scr|pif)/i

I think 'body' excludes html code.  You could use 'rawbody' but normally
one uses 'uri' to get links.

More importantly you need the dot before the {1,200} -- your original
matches 1 to 200 'p' characters.  Loren Wilton suggested leaving out
the 'http.{1,200}'.

Note, this would match things like www.scratchy.tld unless you narrow
it further.  Mimedefang is very good at matching bad file extensions,
if you feel like adding that to your system.


Joseph Brennan
Columbia University Information Technology



RE: Please help with rule

2008-02-25 Thread Dave Koontz
Thanks all for the info, the uri check is much better.  

Joseph you were absolutely correct about it catching too wide.  I modified
it to pattern check the end only and it now works a treat!

uri  DANGEROUS_URL  /\.(exe|scr|pif|cmd|bat|vbs|wsh)$/i
describe DANGEROUS_URL  URL contains executable content
score DANGEROUS_URL  7.5
 

Joseph Brennan Wrote:

--On Saturday, February 23, 2008 23:08 -0500 Dave Koontz [EMAIL PROTECTED] 
wrote:

 I am still getting some Storm Worm messages that are not being caught,
 even with Sane Security / ClamAV.  I thought I'd write a rule to score
 any URL that has a dot exe, scr or pif extension.  However, my rule is
 not working.  Can someone help advise what is wrong?  I want it to pickup
 any http or https with those extensions.


 body Dangerous_URL  /http{1,200}\.(?:exe|scr|pif)/i


  uri  Dangerous_URL  /http.{1,200}\.(?:exe|scr|pif)/i

I think 'body' excludes html code.  You could use 'rawbody' but normally
one uses 'uri' to get links.

More importantly you need the dot before the {1,200} -- your original
matches 1 to 200 'p' characters.  Loren Wilton suggested leaving out
the 'http.{1,200}'.

Note, this would match things like www.scratchy.tld unless you narrow
it further.  Mimedefang is very good at matching bad file extensions,
if you feel like adding that to your system.
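To make the three rule bodies in this thread concrete, here is an added example (mine, not code from the thread or from SpamAssassin) that runs Dave's original body rule, Joseph's corrected uri rule and Dave's final anchored uri rule over a few constructed sample URIs. SpamAssassin applies a uri rule to each URI it extracts from the message; the patterns are Perl regexes, which Python's re module evaluates identically here. The hostnames are placeholders, and the "hardened_uri" variant is my addition to show one case the $-anchored rule misses.

```python
"""Added example: the uri-rule regexes from this thread, run over sample URIs.

SpamAssassin evaluates a 'uri' rule against every URI it extracts from the
message, so the useful question is which URIs each pattern fires on.  The
patterns are Perl regexes; Python's re evaluates these ones the same way,
with the trailing /i mapped to re.I.
"""
import re

RULES = {
    # Dave's first attempt: {1,200} quantifies the final 'p' of "http", so the
    # pattern only fires on a literal "http.exe" / "httpp.scr" etc. in the text.
    "original_body": re.compile(r"http{1,200}\.(?:exe|scr|pif)", re.I),
    # Joseph's correction: the dot makes .{1,200} match anything after "http",
    # but the extension is not anchored, so ".scr" inside a hostname also fires.
    "joseph_uri": re.compile(r"http.{1,200}\.(?:exe|scr|pif)", re.I),
    # Dave's final rule: the extension must end the URI.
    "final_uri": re.compile(r"\.(exe|scr|pif|cmd|bat|vbs|wsh)$", re.I),
    # Added variant (my assumption, not from the thread): also accept an
    # extension followed by a query string or fragment, which $ alone misses.
    "hardened_uri": re.compile(r"\.(?:exe|scr|pif|cmd|bat|vbs|wsh)(?:[?#]|$)", re.I),
}

# Constructed sample URIs; the .invalid TLD guarantees they resolve nowhere.
SAMPLE_URIS = [
    "http://example.invalid/update.exe",       # executable download
    "https://example.invalid/login.scr",       # screensaver over https
    "http://example.invalid/http.exe",         # literal "http.exe" in the path
    "http://www.scratchy.invalid/",            # Joseph's false positive
    "http://example.invalid/file.exe?dl=1",    # extension followed by a query string
    "http://example.invalid/index.html",       # benign
]


def hits(rule_name, uris=SAMPLE_URIS):
    """Return the URIs that the named rule would fire on, in input order."""
    pattern = RULES[rule_name]
    return [u for u in uris if pattern.search(u)]


def compare(uris=SAMPLE_URIS):
    """Map each URI to the set of rule names that fire on it."""
    return {u: {name for name in RULES if RULES[name].search(u)} for u in uris}


if __name__ == "__main__":
    for uri, fired in compare().items():
        print(f"{uri:40} {sorted(fired)}")
```

Running it shows why the thread converged where it did: the original pattern fires only on the literal string "http.exe", Joseph's version catches every sample including www.scratchy, and the final $-anchored rule is clean on the hostname but silent on "file.exe?dl=1", which the hardened variant covers by allowing a query string or fragment after the extension.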





RE: Please help with rule

2008-02-25 Thread Michael Hutchinson
 -Original Message-
 From: Dave Koontz [mailto:[EMAIL PROTECTED]
 Sent: Sunday, 24 February 2008 5:09 p.m.
 To: users@spamassassin.apache.org
 Subject: Please help with rule
 
 I am still getting some Storm Worm messages that are not being caught,
 even with Sane Security / ClamAV.  I thought I'd write a rule to score
 any URL that has a dot exe, scr or pif extension.  However, my rule is
 not working.  Can someone help advise what is wrong?  I want it to
 pickup any http or https with those extensions.
 
 
 body Dangerous_URL  /http{1,200}\.(?:exe|scr|pif)/i
 describe Dangerous_URL  Dangerous URL
 score Dangerous_URL  7.5
 
 Thanks in advance!

I don't know if it's standard practice on the list, but I do my
attachment filtering with Simscan, not Spamassassin, using
/var/qmail/control/simcontrol where config reads:

[EMAIL PROTECTED]:clam=yes,spam=no
[EMAIL PROTECTED]:clam=yes,spam=no
:clam=yes,spam=yes,spam_hits=20,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif

The first two lines mean that for the two domains listed, there will be
no spam checking (Spamassassin), and there will be antivirus scanning
(clamav).

The last line is global configuration, so for every other site,
antivirus checking, and spamassassin checking are switched on, plus we
block the listed attachments outright.

Sorry if you don't run Simscan, just thought I'd post my $0.02

Cheers,
Michael Hutchinson