Posted to users@spamassassin.apache.org by "Eric A. Hall" <eh...@ehsco.com> on 2007/07/14 21:49:17 UTC
plugin to test attachments from unknown senders
Like other folks I've been getting hit with the PDF spam pretty hard. I
think the way to solve this and the image spam in general is to do a
plugin that does two things:
1) looks in the message to see if there is a binary attachment
2) looks in the AWL to see if the sender tuple is known
3) if (1==true) && (2==false) fire a score
I've been meaning to adapt my SAGREY plugin [1] for this but have not had
time and may not have time for a while yet, so I thought I'd throw this
out there to see if anybody else is interested in doing it
[1] http://www.ntrg.com/misc/sagrey/
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: plugin to test attachments from unknown senders
Posted by "Eric A. Hall" <eh...@ehsco.com>.
On 8/11/2007 6:41 PM, Matthias Leisi wrote:
> Don't forget the "ifplugin" conditions:
>
> ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
>> mimeheader __L_C_TYPE_APP Content-Type =~ /^application/i
>> [..]
>
> endif
good point, I've updated the rules and added more comments to explain the
prerequisites at http://www.ntrg.com/misc/spamassassin/stranger_gifts.cf
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: plugin to test attachments from unknown senders
Posted by Matthias Leisi <ma...@leisi.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Eric A. Hall schrieb:
Don't forget the "ifplugin" conditions:
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
> mimeheader __L_C_TYPE_APP Content-Type =~ /^application/i
> [..]
endif
-- Matthias
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFGvjsjxbHw2nyi/okRAkj8AJ4oRN+TN33dof2uTkJhLegBjxjTSgCgkSK/
uZcNWiJwMnax+OrKFVv2uqg=
=Nr3Q
-----END PGP SIGNATURE-----
Re: plugin to test attachments from unknown senders
Posted by "Eric A. Hall" <eh...@ehsco.com>.
On 7/14/2007 3:49 PM, Eric A. Hall wrote:
> Like other folks I've been getting hit with the PDF spam pretty hard. I
> think the way to solve this and the image spam in general is to do a
> plugin that does two things:
>
> 1) looks in the message to see if there is a binary attachment
>
> 2) looks in the AWL to see if the sender tuple is known
>
> 3) if (1==true) && (2==false) fire a score
I was able to do this with basic rules. Note the low (0.1) scores. It
would be nice to use this as a DEFER check in the MTA, since resends will
hit the AWL rule and get cleared.
#
# This rule looks for in-line MIME Content-Type headers of various
# types, and then looks to see if the sender tuple is already known
# to the autowhitelist system. If the message contains a binary
# attachment and the sender tuple is unknown, fire a rule that tells
# us that the message is a gift from a stranger.
#
mimeheader __L_C_TYPE_APP Content-Type =~ /^application/i
mimeheader __L_C_TYPE_IMAGE Content-Type =~ /^image/i
mimeheader __L_C_TYPE_AUDIO Content-Type =~ /^audio/i
mimeheader __L_C_TYPE_VIDEO Content-Type =~ /^video/i
mimeheader __L_C_TYPE_MODEL Content-Type =~ /^model/i
meta L_STRANGER_APP (!AWL && __L_C_TYPE_APP)
score L_STRANGER_APP 0.1
tflags L_STRANGER_APP noautolearn
priority L_STRANGER_APP 1001 # defer till after AWL
meta L_STRANGER_IMAGE (!AWL && __L_C_TYPE_IMAGE)
score L_STRANGER_IMAGE 0.1
tflags L_STRANGER_IMAGE noautolearn
priority L_STRANGER_IMAGE 1001 # defer till after AWL
meta L_STRANGER_AUDIO (!AWL && __L_C_TYPE_AUDIO)
score L_STRANGER_AUDIO 0.1
tflags L_STRANGER_AUDIO noautolearn
priority L_STRANGER_AUDIO 1001 # defer till after AWL
meta L_STRANGER_VIDEO (!AWL && __L_C_TYPE_VIDEO)
score L_STRANGER_VIDEO 0.1
tflags L_STRANGER_VIDEO noautolearn
priority L_STRANGER_VIDEO 1001 # defer till after AWL
meta L_STRANGER_MODEL (!AWL && __L_C_TYPE_MODEL)
score L_STRANGER_MODEL 0.1
tflags L_STRANGER_MODEL noautolearn
priority L_STRANGER_MODEL 1001 # defer till after AWL
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: plugin to test attachments from unknown senders
Posted by SM <sm...@resistor.net>.
At 12:49 14-07-2007, Eric A. Hall wrote:
>Like other folks I've been getting hit with the PDF spam pretty hard. I
>think the way to solve this and the image spam in general is to do a
>plugin that does two things:
>
> 1) looks in the message to see if there is a binary attachment
>
> 2) looks in the AWL to see if the sender tuple is known
>
> 3) if (1==true) && (2==false) fire a score
You might also verify the AWL score in step two and fire step 3 if
that score is above an arbitrary value. Note that your rule may
trigger false positives for one-time senders.
Regards,
-sm
RE: plugin to test attachments from unknown senders
Posted by Dan Barker <db...@visioncomm.net>.
Aren't spammer tuples in the AWL too? I thought that it averaged both ways;
Country AND Western.
Dan
-----Original Message-----
From: Eric A. Hall [mailto:ehall@ehsco.com]
Sent: Saturday, July 14, 2007 3:49 PM
To: users@spamassassin.apache.org
Subject: plugin to test attachments from unknown senders
Like other folks I've been getting hit with the PDF spam pretty hard. I
think the way to solve this and the image spam in general is to do a plugin
that does two things:
1) looks in the message to see if there is a binary attachment
2) looks in the AWL to see if the sender tuple is known
3) if (1==true) && (2==false) fire a score
I've been meaning to adapt my SAGREY plugin [1] for this but have not had
time and may not have time for a while yet, so I thought I'd throw this out
there to see if anybody else is interested in doing it
[1] http://www.ntrg.com/misc/sagrey/
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/