Hi Marc

Thanks for pointing that out - I actually thought I'd be blocking .pifs but didn't think of this when I received that mail - after looking in my amavis I saw that only the double extensions were enabled, I customized the normal ones and activated them.

But I'm still curious WHY my rules didn't catch on anything?!

Like I said, I encountered the same results when using body, rawbody or full and I've also tried with shorter strings like /dear user/i
... but all THESE mails here trigger the rules, but not the original one. Is there something wrong with SA not correctly finding the text?? (I'm using 2.63 btw)


Thanks

Matt

Marc Kool wrote:

Matthias,
I recommend blocking all .pif files as well as some other "dangerous ones":


From my amavis.conf:

$banned_filename_re = new_RE(
qr'^UNDECIPHERABLE$', # password protected zip files
qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll|reg)$'i, # double extension
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|reg)$'i, # banned extension - basic
qr'.\.(vb|vbe|js|jse|com)$'i, # banned extension - VB and Java
...


Depending on the files that you receive, you may want to remove a few file suffixes.

-Marc
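To see which attachment names the four patterns above actually catch, here is an added example (not part of Marc's mail or of amavis itself) that translates his Perl qr'...'i entries into Python regexes and runs them over a few constructed filenames. It assumes, as amavis does, that entries are tried in order and the first match decides.

```python
import re

# Marc's $banned_filename_re entries, translated from Perl qr'...'i syntax.
# Assumption: Python's re handles these simple patterns exactly as Perl does.
BANNED_FILENAME_RE = [
    # amavis names an archive it cannot open (e.g. password-protected zip)
    # "UNDECIPHERABLE"; this entry bans such parts outright
    (re.compile(r'^UNDECIPHERABLE$'), "undecipherable archive"),
    # double extension: anything like report.txt.pif or lib.old.dll
    (re.compile(r'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll|reg)$', re.I),
     "double extension"),
    # basic banned extension: needs at least one character before the dot
    (re.compile(r'.\.(exe|vbs|pif|scr|bat|cmd|com|reg)$', re.I),
     "banned extension - basic"),
    (re.compile(r'.\.(vb|vbe|js|jse|com)$', re.I),
     "banned extension - VB and Java"),
]


def banned_reason(filename):
    """Return the comment of the first pattern matching filename, or None.

    Entries are tried top to bottom, as amavis does; the first hit wins,
    so a double-extension name is reported as such even though the
    basic rule would also match it.
    """
    for pattern, reason in BANNED_FILENAME_RE:
        if pattern.search(filename):
            return reason
    return None


def check_attachments(names):
    """Map each attachment name to its ban reason (None = allowed)."""
    return {name: banned_reason(name) for name in names}


if __name__ == "__main__":
    # constructed sample attachment names, not taken from any real mail
    samples = ["document.pif", "report.txt.pif", "SETUP.EXE", "script.js",
               "library.dll", "lib.old.dll", "readme.txt", ".pif",
               "UNDECIPHERABLE"]
    for name, reason in check_attachments(samples).items():
        print(f"{name:18} -> {reason or 'allowed'}")
```

Two things the output makes visible: "library.dll" passes because dll appears only in the double-extension list, and a bare ".pif" passes because the basic rule requires a character before the dot.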


Pierre Thomson wrote:

As others will no doubt point out, SpamAssassin is not a virus scanner, and if you are getting viruses through your gateway you should be looking for a better virus scanner...

That said, I would use "body" tests rather than "full". Body tests will strip out invisible HTML codes from the mail, so you can match text as your mail reader displays it.

Also, I would avoid trying to match a very long text string. Rather, look for unique keywords or phrases, like:

body     VTEST1   /to send a huge amount of junk email/
describe VTEST1   phrase found in virus mails
score    VTEST1   2.0

body     VTEST2   /compromised and now runs a hidden proxy/
describe VTEST2   phrase found in virus mails
score    VTEST2   2.0

body     VTEST3   /instructions in order to keep your computer/
describe VTEST3   phrase found in virus mails
score    VTEST3   2.0


It's best to make a set of rules and either use additive scoring or a META rule to combine them. That way, the occasional mail that may match one test will not be killed.


Pierre Thomson
BIC


-----Original Message-----
From: Matthias Keller [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 8:46 AM
To: [EMAIL PROTECTED]
Subject: Trying to catch those latest virii....


Hi

There seems to be a virus spreading, I've received it several times, it goes like this:
Subject: Returned mail: see transcript for details
Body:


Dear user of <maildomain>,

We have received reports that your email account has been used to send a huge amount of junk email during this week.
Obviously, your computer was compromised and now runs a hidden proxy server.


Please follow our instructions in order to keep your computer safe.

Best regards,
<maildomain> user support team.

attached is a .pif file no virus scanner (yet?) detects as spam.

So I wanted to write a rule against those sentences, but whatever I try, no rule will match....

I tried:
full _MKE_xVIRUS1 /We have received reports that your email account has been used to send a huge amount of junk email/i
full _MKE_xVIRUS2 /Obviously, your computer was compromised and now runs a hidden proxy server/i
and added for each one a score and a description
I also tried body, rawbody but still NO match at all!
The Mail has a MIME Type of multipart/mixed
and the first part is:


------=_NextPart_000_0001_F824EC38.FBF36544
Content-Type: text/plain;
    charset=us-ascii
Content-Transfer-Encoding: 7bit

<here comes the mail body...>

Am I doing something wrong that my rules won't trigger? The file should be read as other rules out of the same file matched regularly over the last few days...

Thanx

Matt


