Aha!
I just got one of these myself, and the text is in an inline ZIP file! I don't
think any SA rules scan those.
Here's a bit of a raw dump; only the names are changed:
Message-Id: <[EMAIL PROTECTED]>
From: "Mail Delivery Subsystem" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Returned mail: see transcript for details
Date: Tue, 27 Jul 2004 10:19:05 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_278B1AC0.BB1C5953"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
This is a multi-part message in MIME format.
------=_NextPart_000_0006_278B1AC0.BB1C5953
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit
------=_NextPart_000_0006_278B1AC0.BB1C5953
Content-Type: application/octet-stream;
name="text.zip"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
filename="text.zip"
...
and it appears like this:
Dear user of domain.com,
Your account was used to send a huge amount of junk email messages during the
recent week.
We suspect that your computer was infected by a recent virus and now contains a
trojaned proxy server.
We recommend you to follow instructions in the attachment in order to keep your
computer safe.
Have a nice day,
domain.com technical support team.
Hmmmm, what can we do about these? I guess you could block inline "text.zip"
until the AV vendors catch up.
PT
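Added example, not code from anyone in this thread: a Python check that builds a message with the same MIME layout as the dump above (empty text/plain part, real text inside an inline text.zip), runs Pierre's VTEST1..3 phrases against the visible text and against the archive contents, and reports inline ZIP attachments and password-protected archives (the amavis UNDECIPHERABLE case) so a gateway could act on them. The sample message, the 64 KB member cap and the names build_sample/analyse are my own constructions, not the mail actually received.

```python
import base64
import email
import io
import re
import zipfile
from email import policy
PHRASES = {  # modelled on Pierre's VTEST1..3 body rules from the thread
    "VTEST1": re.compile(r"to send a huge amount of junk email", re.I),
    "VTEST2": re.compile(r"compromised and now runs a hidden proxy", re.I),
    "VTEST3": re.compile(r"instructions in order to keep your computer", re.I),
}
MAX_MEMBER_BYTES = 64 * 1024  # assumed cap: never inflate large members (zip bombs)

def build_sample() -> bytes:
    # Constructed message mirroring PT's dump: empty text/plain part, text in an inline ZIP.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("text.txt", "Dear user of domain.com,\r\nYour account was used "
                    "to send a huge amount of junk email messages during the recent week.\r\n")
    b64 = base64.encodebytes(buf.getvalue()).decode()
    return ("Subject: Returned mail: see transcript for details\r\nMIME-Version: 1.0\r\n"
            'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
            "--B\r\nContent-Type: text/plain; charset=us-ascii\r\n"
            "Content-Transfer-Encoding: 7bit\r\n\r\n"
            '--B\r\nContent-Type: application/octet-stream; name="text.zip"\r\n'
            "Content-Transfer-Encoding: base64\r\n"
            'Content-Disposition: inline; filename="text.zip"\r\n\r\n'
            f"{b64}\r\n--B--\r\n").encode()

def analyse(raw: bytes) -> dict:
    # Compare what a body rule sees with what is hidden inside ZIP attachments.
    msg = email.message_from_bytes(raw, policy=policy.default)
    visible, archived, inline_zips, undecipherable = "", "", [], []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/plain":
            visible += part.get_content()            # the only text SA body rules scan
        elif name.endswith(".zip"):
            if part.get_content_disposition() == "inline":
                inline_zips.append(name)             # the "inline text.zip" PT describes
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for info in zf.infolist():
                        if info.file_size <= MAX_MEMBER_BYTES:
                            archived += zf.read(info).decode("latin-1")
            except (zipfile.BadZipFile, RuntimeError):   # corrupt or password-protected
                undecipherable.append(name)          # amavis' UNDECIPHERABLE case
    hits = lambda text: sorted(k for k, rx in PHRASES.items() if rx.search(text))
    return {"visible_empty": not visible.strip(), "visible_hits": hits(visible),
            "archived_hits": hits(archived), "inline_zips": inline_zips, "undecipherable": undecipherable}
```

analyse(build_sample()) reports an empty visible body with no phrase hits, one hit (VTEST1) inside the archive and one inline ZIP, which is exactly why body, rawbody and full rules see nothing.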
-----Original Message-----
From: Matthias Keller [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 10:25 AM
To: Marc Kool
Cc: [EMAIL PROTECTED]
Subject: Re: Trying to catch those latest virii....
Hi Marc
Thanks for pointing that out - I actually thought I'd be blocking .pifs
but didn't think of this when I received that mail - after looking in my
amavis I saw that only the double extensions were enabled, I customized
the normal ones and activated them.
But I'm still curious WHY my rules didn't catch on anything?!
Like I said, I encountered the same results when using body, rawbody or
full and I've also tried with shorter strings like /dear user/i
... but all THESE mails here trigger the rules, but not the original one.
Is there something wrong with SA not correctly finding the text?? (I'm
using 2.63 btw)
Thanks
Matt
Marc Kool wrote:
> Matthias,
> I recommend to block all .pif files as well as some other "dangerous
> ones":
>
> From my amavis.conf:
>
> $banned_filename_re = new_RE(
>   qr'^UNDECIPHERABLE$',                                   # password protected zip files
>   qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll|reg)$'i,  # double extension
>   qr'.\.(exe|vbs|pif|scr|bat|cmd|com|reg)$'i,            # banned extension - basic
>   qr'.\.(vb|vbe|js|jse|com)$'i,                          # banned extension - VB and Java
> ...
>
> Depending on the files that you receive, you may want to remove a few
> files suffixes.
>
> -Marc
>
>
> Pierre Thomson wrote:
>
>> As others will no doubt point out, SpamAssassin is not a virus
>> scanner, and if you are getting viruses through your gateway you should
>> be looking for a better virus scanner...
>>
>> That said, I would use "body" tests rather than "full". Body tests
>> will strip out invisible HTML codes from the mail, so you can match
>> text as your mail reader displays it.
>>
>> Also, I would avoid trying to match a very long text string. Rather,
>> look for unique keywords or phrases, like:
>>
>> body VTEST1 /to send a huge amount of junk email/
>> describe VTEST1 phrase found in virus mails
>> score VTEST1 2.0
>>
>> body VTEST2 /compromised and now runs a hidden proxy/
>> describe VTEST2 phrase found in virus mails
>> score VTEST2 2.0
>>
>> body VTEST3 /instructions in order to keep your computer/
>> describe VTEST3 phrase found in virus mails
>> score VTEST3 2.0
>>
>>
>> It's best to make a set of rules and either use additive scoring or a
>> META rule to combine them. That way, the occasional mail that may
>> match one test will not be killed.
>>
>> Pierre Thomson
>> BIC
>>
>>
>> -----Original Message-----
>> From: Matthias Keller [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, July 27, 2004 8:46 AM
>> To: [EMAIL PROTECTED]
>> Subject: Trying to catch those latest virii....
>>
>>
>> Hi
>>
>> There seems to be a virus spreading, I've received it several times,
>> it goes like this:
>> Subject: Returned mail: see transcript for details
>> Body:
>>
>> Dear user of <maildomain>,
>>
>> We have received reports that your email account has been used to
>> send a huge amount of junk email during this week.
>> Obviously, your computer was compromised and now runs a hidden proxy
>> server.
>>
>> Please follow our instructions in order to keep your computer safe.
>>
>> Best regards,
>> <maildomain> user support team.
>>
>> attached is a .pif file no virus scanner (yet?) detects as spam.
>>
>> So I wanted to write a rule against those sentences, but whatever I
>> try, no rule will match....
>>
>> I tried:
>> full _MKE_xVIRUS1 /We have received reports that your email
>> account has been used to send a huge amount of junk email/i
>> full _MKE_xVIRUS2 /Obviously, your computer was compromised and
>> now runs a hidden proxy server/i
>> and added for each one a score and a description
>> I also tried body, rawbody but still NO match at all!
>> The Mail has a MIME Type of multipart/mixed
>> and the first part is:
>>
>> ------=_NextPart_000_0001_F824EC38.FBF36544
>> Content-Type: text/plain;
>> charset=us-ascii
>> Content-Transfer-Encoding: 7bit
>>
>> <here comes the mail body...>
>>
>> Am I doing something wrong that my rules won't trigger? The file
>> should be read as other rules out of the same file matched regularly
>> over the last few days...
>>
>> Thanx
>>
>> Matt