> -----Original Message-----
> From: Dave Koontz [mailto:[EMAIL PROTECTED]
> Sent: Sunday, 24 February 2008 5:09 p.m.
> To: users@spamassassin.apache.org
> Subject: Please help with rule
> 
> I am still getting some Storm Worm messages that are not being caught,
> even with Sane Security / ClamAV.  I thought I'd write a rule to score
> any URL that has a dot exe, scr or pif extension.  However, my rule is
> not working.  Can someone help advise what is wrong?  I want it to
> pick up any http or https with those extensions.
> 
> 
> body     Dangerous_URL        /http{1,200}\.(?:exe|scr|pif)/i
> describe Dangerous_URL        Dangerous URL
> score    Dangerous_URL        7.5
> 
> Thanks in advance!

I don't know if it's standard practice on the list, but I do my
attachment filtering with Simscan, not SpamAssassin, using
"/var/qmail/control/simcontrol" where the config reads:

[EMAIL PROTECTED]:clam=yes,spam=no
[EMAIL PROTECTED]:clam=yes,spam=no
:clam=yes,spam=yes,spam_hits=20,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif

The first two lines mean that for the two domains listed, there will be
no spam checking (SpamAssassin), and there will be antivirus scanning
(ClamAV).

The last line is global configuration, so for every other site,
antivirus checking and SpamAssassin checking are switched on, plus we
block the listed attachments outright.

Sorry if you don't run Simscan, just thought I'd post my $0.2

Cheers,
Michael Hutchinson
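
On the regex in the quoted question, an added example (not code from either poster) comparing the rule as posted with one possible correction. The `FIXED` pattern, the `matches` helper and the sample lines are assumptions constructed for this illustration.

```python
import re

# The rule as posted in the question. The quantifier {1,200} binds only to
# the "p" before it, so this reads: "htt", 1-200 "p" characters, ".exe".
POSTED = re.compile(r'http{1,200}\.(?:exe|scr|pif)', re.I)

# One possible correction (an assumption of this example, not a tested rule).
FIXED = re.compile(
    r'https?://[^\s/<>"]{1,255}'   # scheme and host[:port]
    r'/[^\s<>"?#]{0,200}'          # path, bounded like the original
    r'\.(?:exe|scr|pif)'           # extension of interest
    r'(?=[?#\s<>"]|$)',            # ...which must end the path
    re.I,
)

# Constructed message bodies (documentation addresses, not real samples).
SAMPLES = [
    "Your ecard: http://192.0.2.10/ecard.exe",
    "Mirror https://example.com/files/setup.SCR?id=5 here",
    "Docs at http://example.com/file.exemplar",
    "Visit http://foo.scr.example.com/index.html",
    "typo httppp.pif",
]


def matches(pattern, lines):
    """Return every substring of the given lines that the pattern matches."""
    return [m.group(0) for line in lines for m in pattern.finditer(line)]


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("fixed", FIXED)):
        print(name, matches(pat, SAMPLES))
```

In SpamAssassin the corrected expression would normally go in a `uri` rule, which is matched against each URL extracted from the message, with the `/` characters escaped. It does not match an extension that appears only in a query string.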
