I had created a plugin to read the headers (just make a HEAD request) of
all URIs in an email, and then you can make tests based off them. An
example of this would be to look for specific mimetypes at the end of the
link, so for example, see if the mimetype is Application/msword.

You can find it here: https://github.com/m50/spamassassin_uriheader

I will warn you, this may not necessarily be a great idea, as you may get
abuse notifications. I also need to make a few changes to it, but I haven't
touched it in a while.

First thing I want to do is whitelist certain domains from being header
checked.

Second, I want to replace the User Agent with one from a legitimate browser
(spoofing a browser), just in case.


But if you are interested in it, you can take a look.

On Tue, Mar 13, 2018 at 10:03 PM, John Hardin <jhar...@impsec.org> wrote:

> On Tue, 13 Mar 2018, Bill Cole wrote:
>
>> On 13 Mar 2018, at 14:21 (-0400), John Hardin wrote:
>>
>>> d) Don't accept emails from outside your organization that link to hosted
>>> documents. The document needs to be attached, so that it can be scanned.
>>> Unfortunately this is not feasible if you're not a (at least
>>> semi-)monolithic organization where you can apply such policies.
>>
>> Also not feasible if any users subscribe to this list or most technical
>> discussion mailing lists. For example, here you are likely to get links
>> into the SA Wiki or to KAM's rules. On the Postfix list it is a rare week
>> that does not have multiple links to the DEBUG_README file posted.
>
> I don't count a plain text file as a "document" in this context.
>
>> The example provided was apparently to a directory (URL ending in '/') but
>> redirected to a .doc.
>
> This of course is the weakness with that option.
>
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   The problem is when people look at Yahoo, slashdot, or groklaw and
>   jump from obvious and correct observations like "Oh my God, this
>   place is teeming with utter morons" to incorrect conclusions like
>   "there's nothing of value here".        -- Al Petrofsky, in Y! SCOX
>
> -----------------------------------------------------------------------
>  Tomorrow: Albert Einstein's 139th Birthday
>



-- 
 - Markus
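
The check described in the message above (send HEAD requests for each link, follow redirects such as the directory URL that led to a .doc, and test the final Content-Type, skipping whitelisted domains), sketched as an added example that is not part of the original post and is not the linked plugin's code. The type list, skip list, hop limit and the `example.test` responses are constructed assumptions; a real `head` callable would issue the HEAD requests.

```python
from urllib.parse import urlsplit, urljoin

# Assumed policy values for this sketch; none of them come from the plugin.
FLAGGED_TYPES = {"application/msword", "application/vnd.ms-excel"}
SKIP_DOMAINS = {"trusted.example.test"}   # domains that are never probed
MAX_HOPS = 5                              # cap on redirects followed

def media_type(value):
    """Normalise a Content-Type value: drop parameters, lowercase."""
    return (value or "").split(";", 1)[0].strip().lower()

def is_skipped(host):
    """True if host is a skip-listed domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SKIP_DOMAINS)

def classify_uri(url, head):
    """head(url) -> (status, headers) with lowercase header names.
    Returns (verdict, final_url); verdict is 'skipped', 'flagged',
    'clean' or 'unresolved' (redirect loop or too many hops)."""
    seen = set()
    for _ in range(MAX_HOPS + 1):
        if is_skipped(urlsplit(url).hostname):
            return "skipped", url
        if url in seen:
            return "unresolved", url
        seen.add(url)
        status, headers = head(url)
        location = headers.get("location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # Location may be relative
            continue
        flagged = media_type(headers.get("content-type")) in FLAGGED_TYPES
        return ("flagged" if flagged else "clean"), url
    return "unresolved", url

# Constructed HEAD responses standing in for the network.
SAMPLE = {
    "http://files.example.test/invoice/": (302, {"location": "/invoice/scan.doc"}),
    "http://files.example.test/invoice/scan.doc":
        (200, {"content-type": "Application/msword; charset=binary"}),
    "http://news.example.test/": (200, {"content-type": "text/html; charset=utf-8"}),
    "http://loop.example.test/a": (302, {"location": "http://loop.example.test/a"}),
}

def sample_head(url):
    """Look up a constructed response; unknown URLs answer 404."""
    return SAMPLE.get(url, (404, {}))
```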
