Get spamassassin to send emails containing a specific REGEX in the attached file names

newbie asks the first question :)

I am running a mail server (Ubuntu / Postfix / Dovecot) using SpamAssassin. Most known spam messages are flagged (RBL and obvious UCE), with the exception of this particular malspam in attached zip files, such as "order_info_654321.zip", "paymet_document_123456.zip" etc. When it does not comply with any other SA rules, I would like to get a rule that throws the relevant criminals into oblivion.

After scrolling through regex101.com, I got an expression that matches these patterns exclusively:

/\w+[_][0-9]{6}.zip$/img

Question ... How to format everything, make it work, and where to put it? So far I have edited /etc/spamassassin/local.cf, added this to the bottom and restarted:

 mimeheader TROJAN_ATTACHED Content-Type =~ /\w+[_][0-9]{6}.zip$/img
 describe ZIP_ATTACHED email contains a zip trojan attachment
 score TROJAN_ATTACHED 99

But that doesn't look like magic. Where else can I find this?

Thanks to everyone, Keio.-

+6
3 answers

First, SA does not drop emails by default, but it can score them so high in spam content that they don't appear to anyone in your inbox. Secondly, the "ingredients" I started with were wrong, and they also messed up the ability of SA to function at all.

Actually, this trick was added in /etc/spamassassin/local.cf:

 full TROJAN_ZIPUNDS /\w*[_][\d]{1,6}\.zip/img
 score TROJAN_ZIPUNDS 99
 describe TROJAN_ZIPUNDS RM zip attached trojan underscore

Even though these spammers have since changed from zip to rar, from underscores to dashes, to different file names, etc., creating rules to deal with them became easy after the success with the first one. Here is what I added:

 full TROJAN_RARDASH /\w*[-][\d]{1,6}\.rar/img
 score TROJAN_RARDASH 99
 describe TROJAN_RARDASH RM rar attached trojan dash

In short, as described above, I had to specifically block some zip file names, which soon turned into rar and dash, so converting a regular expression and adding the three-line rule to the spamassassin local.cf (and restarting) is what is currently running, until the next spam wave :-)

Finally, this is a very, very dumb workaround, so anyone with experience in this area is more than welcome to weigh in.

+2

You have the wrong regular expression. You do not need the $ char at the end, because name strings are not necessarily at the end of the Content-Type header. Instead, you can use the word boundary anchor \b. In my rules, I have the following and it works fine:

 mimeheader MIME_FAIL Content-Type =~ /\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh|reg)\b/i
 describe MIME_FAIL Blacklisted file extension detected
 score MIME_FAIL 5

+1

You are using the wrong mime header to check the file name. Use this instead:

  mimeheader TROJAN_ATTACHED Content-Disposition =~ /\w+[_][0-9]{6}.zip/img 

Also make sure the MimeHeader plugin is loaded.

 loadplugin Mail::SpamAssassin::Plugin::MIMEHeader 
0
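As an added illustration (not code from the question or from any of the answers), the Python script below constructs a sample message and emulates what SpamAssassin's `mimeheader` and `full` rules are matched against, using Python's `re` in place of Perl's regex engine (the patterns involved behave identically in both). It demonstrates the point of the second answer, that the question's `$`-anchored pattern never fires because the file name sits inside a quoted `name="..."` or `filename="..."` parameter and is not the last thing in the header, while the `\b` form fires on both Content-Type and Content-Disposition (the header the third answer recommends); that the first answer's `full` rule matches the raw message; and one caveat none of the answers mention: the unescaped `.` in `.zip` also matches names such as `order_info_654321xzip`. The message, its addresses and the file names are constructed for the example.

```python
import re
from email import message_from_bytes

# Constructed sample message (not from the page): a plain-text body plus a
# zip attachment named the way the question describes. The attachment body is
# a base64-encoded empty zip archive, so nothing in it is executable.
SAMPLE_MESSAGE = b"""From: sender@example.invalid
To: user@example.invalid
Subject: order information
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Please see the attached document.
--sep
Content-Type: application/zip; name="order_info_654321.zip"
Content-Disposition: attachment; filename="order_info_654321.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--sep--
"""

# The pattern from the question ($ anchor, unescaped dot) and the corrected
# form suggested by the answers (\b anchor, escaped dot).
QUESTION_RE = r"\w+[_][0-9]{6}.zip$"
FIXED_RE = r"\w+[_][0-9]{6}\.zip\b"
# The pattern from the first answer's TROJAN_ZIPUNDS `full` rule.
FULL_RE = r"\w*[_][\d]{1,6}\.zip"

# SpamAssassin's /i and /m modifiers; Python takes them as flags instead.
FLAGS = re.IGNORECASE | re.MULTILINE


def mime_header_values(raw: bytes, header: str) -> list:
    """Return the (unfolded) value of `header` from every MIME part that
    carries it, i.e. the text a `mimeheader` rule is matched against."""
    msg = message_from_bytes(raw)
    values = []
    for part in msg.walk():  # includes the multipart container itself
        value = part.get(header)
        if value is not None:
            values.append(re.sub(r"\r?\n[ \t]+", " ", value))  # unfold
    return values


def mimeheader_rule_hits(raw: bytes, header: str, pattern: str) -> list:
    """Emulate `mimeheader RULE <header> =~ /pattern/im`: return the header
    values the pattern matches (an empty list means the rule would not fire)."""
    return [v for v in mime_header_values(raw, header)
            if re.search(pattern, v, FLAGS)]


def full_rule_hits(raw: bytes, pattern: str) -> bool:
    """Emulate a `full` rule, which runs against the whole raw message
    (top-level headers, MIME part headers and body) rather than one header."""
    return re.search(pattern, raw.decode("latin-1"), FLAGS) is not None


def filename_matches(pattern: str, filename: str) -> bool:
    """Check a bare file name against a pattern (used to show the
    unescaped-dot caveat)."""
    return re.search(pattern, filename, FLAGS) is not None


if __name__ == "__main__":
    for header in ("Content-Type", "Content-Disposition"):
        for label, pattern in (("question", QUESTION_RE), ("fixed", FIXED_RE)):
            hits = mimeheader_rule_hits(SAMPLE_MESSAGE, header, pattern)
            print(f"{header:20s} {label:8s} -> {hits}")
    print("full rule            ->", full_rule_hits(SAMPLE_MESSAGE, FULL_RE))
    print("unescaped dot also matches 'order_info_654321xzip':",
          filename_matches(QUESTION_RE, "order_info_654321xzip"))
```

Running it shows the question's pattern producing no hit on either header, the `\b` pattern hitting both, and the `full` pattern hitting the raw message. In SpamAssassin itself the equivalent check is to drop the candidate message into `spamassassin -D -t < message.eml` and look for the rule name in the report; the script only reproduces the matching step so the regex can be reasoned about offline.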
