Jay Hall wrote:
> I am experiencing a problem with one of my rules that I
> cannot seem to find.
> 
> I have the following rules defined.
> 
> rawbody __RAW_EXE_ATTACHMENT  /filename=\".*\.exe\"/i
> rawbody __RAW_VBS_ATTACHMENT  /filename=\".*\.exe\"/i
> rawbody       __RAW_COM_ATTACHMENT    /filename=\".*\.com\"/i
> rawbody __RAW_PIF_ATTACHMENT  /filename=\".*\.pif\"/i
> rawbody       __RAW_CMD_ATTACHMENT    /filename=\".*\.cmd\"/i
> rawbody __RAW_BAT_ATTACHMENT  /filename=\".*\.bat\"/i
> 
> meta ATTACHMENT_RULES (__RAW_EXE_ATTACHMENT || __RAW_VBS_ATTACHMENT ||
> __RAW_COM_ATTACHMENT || __RAW_PIF_ATTACHMENT ||
> __RAW_CMD_ATTACHMENT ||
> __RAW_BAT_ATTACHMENT)
> 
> score ATTACHMENT_RULES 25.00
> 
> Any attachments listed above will be properly identified as and the
> tests run with the exception of an EXE attachment.  A filename with an
> .exe extension is not flagged.
> 
> I have added an additional rule that checks for an .exe attachment, that
> is not part of the meta rule, and I receive the same results.  This
> leads me to believe there is something wrong with my test for .exe
> attachments.
> 
> I am running SA 2.64, spamd, and it is invoked from q-mail.
> 
> Any suggestions would be greatly appreciated.
> 
> Thanks in advance for your assistance.
> 
> 
> 
> Jay Hall

How about trying:
rawbody ATTACHMENT_RULES /filename=\"?.*\.(?:exe|vbs|com|pif|cmd|bat|cpl|scr)\"?\s*$/i
score ATTACHMENT_RULES 25.00

Note: added .cpl and .scr
added end-of-line test $ to avoid false positives on things like
"example.com contract.doc"
made quotes optional

[EMAIL PROTECTED]                      805.964.4554 x902
Hispanic Business Inc./HireDiversity.com         Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
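
An added example, not part of the original thread: the quoted per-extension pattern style and the rule suggested in the reply, run over constructed attachment header lines to show what the optional quotes and the `$` anchor change. It uses Python's `re` module rather than SpamAssassin itself, and the sample lines and helper names are assumptions.

```python
import re

EXTS = "exe|vbs|com|pif|cmd|bat|cpl|scr"

# Pattern style from the quoted rules: quotes required, one extension per rule.
ORIGINAL = {ext: re.compile(r'filename=".*\.%s"' % ext, re.I)
            for ext in ("exe", "com", "pif", "cmd", "bat")}

# The suggested rule with the trailing anchor removed, for comparison only.
UNANCHORED = re.compile(r'filename="?.*\.(?:%s)"?' % EXTS, re.I)

# The suggested rule as posted in the reply.
SUGGESTED = re.compile(r'filename="?.*\.(?:%s)"?\s*$' % EXTS, re.I)

# Constructed sample lines (not taken from real mail).
SAMPLES = [
    'Content-Disposition: attachment; filename="setup.exe"',
    '\tfilename=report.scr',                    # unquoted, extension added in the reply
    'filename="example.com contract.doc"',      # the false-positive case from the reply
    'Content-Disposition: attachment; filename="invoice.pdf"',
    'filename="PHOTO.EXE"   ',                  # upper case, trailing whitespace
]


def check(line):
    """Return (original, unanchored, suggested) match results for one line."""
    original = any(p.search(line) for p in ORIGINAL.values())
    return original, bool(UNANCHORED.search(line)), bool(SUGGESTED.search(line))


def report(lines=SAMPLES):
    """Apply the three pattern sets to each line, one line at a time."""
    return [(line, *check(line)) for line in lines]


if __name__ == "__main__":
    print(f"{'original':>9} {'unanchored':>11} {'suggested':>10}  line")
    for line, orig, unanch, sugg in report():
        print(f"{orig!s:>9} {unanch!s:>11} {sugg!s:>10}  {line!r}")
```

Making the quotes optional is what lets `.com` match inside `example.com contract.doc`; the `\s*$` anchor is what rejects it again.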
