Posted to users@spamassassin.apache.org by Sergio <se...@gmail.com> on 2011/11/19 12:42:43 UTC
Re: Help with constructing a rule for MCP
> Hi all,
> I am new to the list and want to thank you in advance if you help me on this.
>
> I am creating the following rule:
>
> header VIRUS_DHL1 FROM =~ /dhl-usa.com/i
> header VIRUS_DHL2 ALL =~ /text inside the email to check for/i
> meta VIRUS_DHLTOTAL (VIRUS_DHL1 && VIRUS_DHL2)
> describe VIRUS_DHLTOTAL DHL-USA Virus
> score VIRUS_DHLTOTAL 11
>
> But the rule is not working fine. Any idea what the error is with this
> rule?
>
> By the way, if you wonder if my antivirus has stopped this, yes, it has
> stopped all the emails that come with the exe file attached to the email,
> but there were a lot of them that didn't come with the EXE file, and that
> is why I am creating this rule.
>
> Best Regards,
>
> Sergio Cabrera
>
Re: Help with constructing a rule for MCP
Posted by John Hardin <jh...@impsec.org>.
On Sat, 19 Nov 2011, Sergio wrote:
>> I am new to the list and want to thank you in advance if you help me on this.
>>
>> I am creating the following rule:
>>
>> header VIRUS_DHL1 FROM =~ /dhl-usa.com/i
>> header VIRUS_DHL2 ALL =~ /text inside the email to check for/i
>> meta VIRUS_DHLTOTAL (VIRUS_DHL1 && VIRUS_DHL2)
>> describe VIRUS_DHLTOTAL DHL-USA Virus
>> score VIRUS_DHLTOTAL 11
>>
>> But the rule is not working fine. Any idea what the error is with this
>> rule?
Please post a sample message with all headers intact to a pastebin so we
can see it.
Note that poison-pill rules are generally discouraged.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
There is no better measure of the unthinking contempt of the
environmentalist movement for civilization than their call to turn
off the lights and sit in the dark. -- Sultan Knish
-----------------------------------------------------------------------
346 days since the first successful private orbital launch (SpaceX)
Re: Help with constructing a rule for MCP
Posted by Sergio <se...@gmail.com>.
I finally made my MCP rule like this:
header __VIRUS_DHL1 FROM =~ /dhl-usa.com/i
header __VIRUS_DHL2 ALL =~ /CommuniGate Pro SMTP 5.2.3/i
meta VIRUS_DHLTOTAL (__VIRUS_DHL1 && __VIRUS_DHL2)
describe VIRUS_DHLTOTAL Correo con virus de DHL-USA
score VIRUS_DHLTOTAL 11
One more option that I would like to add is for this rule to check for
attachments. Where do I look for the attachment file, is it in the body?
Once again, thank you.
Sergio
On Sat, Nov 19, 2011 at 10:45 AM, Sergio <se...@gmail.com> wrote:
> RW,
> Now I understand why it gave 1 point when I declared 11 on the score,
> lol.
>
> I was trying to follow the spamassassin tutorial and saw the example, it
> shows the two underscores but never says that they are kind of mandatory,
> thanks a lot for pointing this out.
>
> John Hardin,
> this is one header of the emails that I received:
>
> *******************************
> Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
> by MY-SERVER with smtp (Exim 4.69)
> (envelope-from <pl...@dhl-usa.com>)
> id 1RQNQZ-0002Q1-QD
> for MY-USER@DOMAIN.COM; Tue, 15 Nov 2011 12:08:15 -0600
> Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
> by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
> (envelope-from )
> id 1MMQJ8-3051eb-TY
> for <MY...@DOMAIN.COM>; Tue, 15 Nov 2011 19:08:13 +0100
> Message-ID: <12...@azbvbczcdgxeoq.mqfphqgytobofv.com>
> From: UPS Support <au...@ups.com>
> To: <pa...@macred.com>
> Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
> Date: Tue, 15 Nov 2011 19:08:13 +0100
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_0006_01CCA3C9.EBFEF390"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.00.2919.6600
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
> *******************************
>
> Thanks a lot for your kind answers.
>
> Best Regards,
>
> Sergio Cabrera
>
>
> On Sat, Nov 19, 2011 at 8:18 AM, RW <rw...@googlemail.com> wrote:
>
>> On Sat, 19 Nov 2011 05:42:43 -0600
>> Sergio wrote:
>>
>>
>>
>> > header VIRUS_DHL2 ALL =~ /text inside the email to check for/i
>>
>> This looks for the text in all of the headers. If you meant to look in
>> the body, then you want:
>>
>> body VIRUS_DHL2 /text inside the email to check for/i
>>
>> You should also consider naming the sub-rules with two leading
>> underscores (like __VIRUS_DHL2), or explicitly score them, to prevent
>> them having a one point default score.
>>
>
>
Re: Fwd: Help with constructing a rule for MCP
Posted by Sergio <se...@gmail.com>.
That was the error: the @ has to be escaped as \@, now it is working.
Thank you all for your help on this rule.
Regards,
Sergio
On Mon, Nov 21, 2011 at 1:16 PM, Bowie Bailey <Bo...@buc.com> wrote:
> On 11/21/2011 1:30 PM, Sergio wrote:
> > Unfortunately, it seems that MCP doesn't like the rule:
> >
> > header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
> > header __FROM_DHL From =~ /\bdhl(?:[-_][^ .]+)?\.com/i
> > header __ENV_FROM_UPS Received =~ /envelope-from [^ @]+@ups\.com/i
> >
> > header __FROM_UPS From =~ /\bups\.com/i
> > meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
> > describe DHL_UPS_MISMATCH virus DHL-USA or UPS
> > score DHL_UPS_MISMATCH 11
> >
> > When I wrote this to the MCP rules file, none of my other rules work.
>
> I'm not sure if escaping the "@" symbols is required or not, but try this:
>
> header __ENV_FROM_DHL Received =~ /envelope-from [^ \@]+\@dhl(?:[-_][^ .]+)?\.com/i
> header __ENV_FROM_UPS Received =~ /envelope-from [^ \@]+\@ups\.com/i
>
> --
> Bowie
>
Re: Fwd: Help with constructing a rule for MCP
Posted by Bowie Bailey <Bo...@BUC.com>.
On 11/21/2011 1:30 PM, Sergio wrote:
> Unfortunately, it seems that MCP doesn't like the rule:
>
> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
> header __FROM_DHL From =~ /\bdhl(?:[-_][^ .]+)?\.com/i
> header __ENV_FROM_UPS Received =~ /envelope-from [^ @]+@ups\.com/i
>
> header __FROM_UPS From =~ /\bups\.com/i
> meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
> describe DHL_UPS_MISMATCH virus DHL-USA or UPS
> score DHL_UPS_MISMATCH 11
>
> When I wrote this to the MCP rules file, none of my other rules work.
I'm not sure if escaping the "@" symbols is required or not, but try this:
header __ENV_FROM_DHL Received =~ /envelope-from [^ \@]+\@dhl(?:[-_][^ .]+)?\.com/i
header __ENV_FROM_UPS Received =~ /envelope-from [^ \@]+\@ups\.com/i
--
Bowie
Re: Fwd: Help with constructing a rule for MCP
Posted by Ricardo Ardila Vetrovec <rv...@unimet.edu.ve>.
Did you try monitoring the log to see if the rule was detected?
On 21/11/2011 02:00 p.m., Sergio wrote:
> Unfortunately, it seems that MCP doesn't like the rule:
>
> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
> header __FROM_DHL From =~ /\bdhl(?:[-_][^ .]+)?\.com/i
> header __ENV_FROM_UPS Received =~ /envelope-from [^ @]+@ups\.com/i
>
> header __FROM_UPS From =~ /\bups\.com/i
> meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
> describe DHL_UPS_MISMATCH virus DHL-USA or UPS
> score DHL_UPS_MISMATCH 11
>
> When I wrote this to the MCP rules file, none of my other rules work.
>
> Regards,
>
> Sergio
>
>
>
>
> On Mon, Nov 21, 2011 at 10:55 AM, Bowie Bailey <Bowie_Bailey@buc.com> wrote:
>
> On 11/21/2011 11:35 AM, John Hardin wrote:
> > On Mon, 21 Nov 2011, Bowie Bailey wrote:
> >
> >> On 11/20/2011 10:02 PM, Sergio wrote:
> >>> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^
> >>> .]+\.com/i
> >>> header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
> >> These will match any domain that starts with "dh" and ends with ".com".
> > You overlooked the "l".
>
> Hmm... Guess I did...
>
> >
> >> For example, they will match "someuser@dhalailama.com". Is this
> >> expected?
> > It won't.
> >
> >> If you just want to match a single character, then get rid of
> >> the +.
> > It's to match "-usa" or other dhl domain name variants. The line wrap in
> > email makes that look like a single character RE. The actual RE I
> > suggested is:
> >
> > /envelope-from [^ @]+@dhl[^ .]+\.com/i
>
> The line wrap wasn't an issue. I just didn't see the "l". And with
> this font, I think I see why I didn't see it the first time. It blends
> in with the square bracket.
>
> > It also won't match "dhl.com". My bad. As I said, it was off the top of my
> > head.
> >
> > These might be better:
> >
> > /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
> >
> > /\bdhl(?:[-_][^ .]+)?\.com/i
>
> Do the "@" characters need to be escaped? In a normal Perl RE they
> would, but I'm not sure if SA is treating them any differently since it
> is reading them in from a config file.
>
> --
> Bowie
>
>
>
--
-----------------------------------------
Ricardo Ardila Vetrovec
Network Manager
CeTIC -- UNIMET
tel: 2403743
Re: Fwd: Help with constructing a rule for MCP
Posted by John Hardin <jh...@impsec.org>.
On Mon, 21 Nov 2011, Sergio wrote:
> Unfortunately, it seems that MCP doesn't like the rule:
>
> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
> header __FROM_DHL From =~ /\bdhl(?:[-_][^ .]+)?\.com/i
> header __ENV_FROM_UPS Received =~ /envelope-from [^ @]+@ups\.com/i
>
> header __FROM_UPS From =~ /\bups\.com/i
> meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
> describe DHL_UPS_MISMATCH virus DHL-USA or UPS
> score DHL_UPS_MISMATCH 11
>
> When I wrote this to the MCP rules file, none of my other rules work.
Bowie is right. I missed escaping the at signs. Put a backslash in front
of each one that isn't in square brackets:
/envelope-from [^ @]+\@ups\.com/i
But that shouldn't break _other_ rules...
>
> On Mon, Nov 21, 2011 at 10:55 AM, Bowie Bailey <Bo...@buc.com> wrote:
>
>> On 11/21/2011 11:35 AM, John Hardin wrote:
>>> On Mon, 21 Nov 2011, Bowie Bailey wrote:
>>>
>>>> On 11/20/2011 10:02 PM, Sergio wrote:
>>>>> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^
>>>>> .]+\.com/i
>>>>> header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
>>>> These will match any domain that starts with "dh" and ends with ".com".
>>> You overlooked the "l".
>>
>> Hmm... Guess I did...
>>
>>>
>>>> For example, they will match "someuser@dhalailama.com". Is this
>>>> expected?
>>> It won't.
>>>
>>>> If you just want to match a single character, then get rid of
>>>> the +.
>>> It's to match "-usa" or other dhl domain name variants. The line wrap in
>>> email makes that look like a single character RE. The actual RE I
>>> suggested is:
>>>
>>> /envelope-from [^ @]+@dhl[^ .]+\.com/i
>>
>> The line wrap wasn't an issue. I just didn't see the "l". And with
>> this font, I think I see why I didn't see it the first time. It blends
>> in with the square bracket.
>>
>>> It also won't match "dhl.com". My bad. As I said, it was off the top of my
>>> head.
>>>
>>> These might be better:
>>>
>>> /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
>>>
>>> /\bdhl(?:[-_][^ .]+)?\.com/i
>>
>> Do the "@" characters need to be escaped? In a normal Perl RE they
>> would, but I'm not sure if SA is treating them any differently since it
>> is reading them in from a config file.
>>
>> --
>> Bowie
>>
>
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The difference is that Unix has had thirty years of technical
types demanding basic functionality of it. And the Macintosh has
had fifteen years of interface fascist users shaping its progress.
Windows has the hairpin turns of the Microsoft marketing machine
and that's all. -- Red Drag Diva
-----------------------------------------------------------------------
348 days since the first successful private orbital launch (SpaceX)
Fwd: Help with constructing a rule for MCP
Posted by Sergio <se...@gmail.com>.
Unfortunately, it seems that MCP doesn't like the rule:
header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
header __FROM_DHL From =~ /\bdhl(?:[-_][^ .]+)?\.com/i
header __ENV_FROM_UPS Received =~ /envelope-from [^ @]+@ups\.com/i
header __FROM_UPS From =~ /\bups\.com/i
meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
describe DHL_UPS_MISMATCH virus DHL-USA or UPS
score DHL_UPS_MISMATCH 11
When I wrote this to the MCP rules file, none of my other rules work.
Regards,
Sergio
On Mon, Nov 21, 2011 at 10:55 AM, Bowie Bailey <Bo...@buc.com> wrote:
> On 11/21/2011 11:35 AM, John Hardin wrote:
> > On Mon, 21 Nov 2011, Bowie Bailey wrote:
> >
> >> On 11/20/2011 10:02 PM, Sergio wrote:
> >>> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^
> >>> .]+\.com/i
> >>> header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
> >> These will match any domain that starts with "dh" and ends with ".com".
> > You overlooked the "l".
>
> Hmm... Guess I did...
>
> >
> >> For example, they will match "someuser@dhalailama.com". Is this
> >> expected?
> > It won't.
> >
> >> If you just want to match a single character, then get rid of
> >> the +.
> > It's to match "-usa" or other dhl domain name variants. The line wrap in
> > email makes that look like a single character RE. The actual RE I
> > suggested is:
> >
> > /envelope-from [^ @]+@dhl[^ .]+\.com/i
>
> The line wrap wasn't an issue. I just didn't see the "l". And with
> this font, I think I see why I didn't see it the first time. It blends
> in with the square bracket.
>
> > It also won't match "dhl.com". My bad. As I said, it was off the top of my
> > head.
> >
> > These might be better:
> >
> > /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
> >
> > /\bdhl(?:[-_][^ .]+)?\.com/i
>
> Do the "@" characters need to be escaped? In a normal Perl RE they
> would, but I'm not sure if SA is treating them any differently since it
> is reading them in from a config file.
>
> --
> Bowie
>
Re: Help with constructing a rule for MCP
Posted by Bowie Bailey <Bo...@BUC.com>.
On 11/21/2011 11:35 AM, John Hardin wrote:
> On Mon, 21 Nov 2011, Bowie Bailey wrote:
>
>> On 11/20/2011 10:02 PM, Sergio wrote:
>>> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^
>>> .]+\.com/i
>>> header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
>> These will match any domain that starts with "dh" and ends with ".com".
> You overlooked the "l".
Hmm... Guess I did...
>
>> For example, they will match "someuser@dhalailama.com". Is this
>> expected?
> It won't.
>
>> If you just want to match a single character, then get rid of
>> the +.
> It's to match "-usa" or other dhl domain name variants. The line wrap in
> email makes that look like a single character RE. The actual RE I
> suggested is:
>
> /envelope-from [^ @]+@dhl[^ .]+\.com/i
The line wrap wasn't an issue. I just didn't see the "l". And with
this font, I think I see why I didn't see it the first time. It blends
in with the square bracket.
> It also won't match "dhl.com". My bad. As I said, it was off the top of my
> head.
>
> These might be better:
>
> /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
>
> /\bdhl(?:[-_][^ .]+)?\.com/i
Do the "@" characters need to be escaped? In a normal Perl RE they
would, but I'm not sure if SA is treating them any differently since it
is reading them in from a config file.
--
Bowie
Re: Help with constructing a rule for MCP
Posted by John Hardin <jh...@impsec.org>.
On Mon, 21 Nov 2011, Bowie Bailey wrote:
> On 11/20/2011 10:02 PM, Sergio wrote:
>>
>> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^
>> .]+\.com/i
>> header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
>
> These will match any domain that starts with "dh" and ends with ".com".
You overlooked the "l".
> For example, they will match "someuser@dhalailama.com". Is this
> expected?
It won't.
> If you just want to match a single character, then get rid of
> the +.
It's to match "-usa" or other dhl domain name variants. The line wrap in
email makes that look like a single character RE. The actual RE I
suggested is:
/envelope-from [^ @]+@dhl[^ .]+\.com/i
It also won't match "dhl.com". My bad. As I said, it was off the top of my
head.
These might be better:
/envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
/\bdhl(?:[-_][^ .]+)?\.com/i
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Mine eyes have seen the horror of the voting of the horde;
They've looted the fromagerie where guv'ment cheese is stored;
If war's not won before the break they grow so quickly bored;
Their vote counts as much as yours. -- Tam
-----------------------------------------------------------------------
348 days since the first successful private orbital launch (SpaceX)
Re: Help with constructing a rule for MCP
Posted by Bowie Bailey <Bo...@BUC.com>.
On 11/20/2011 10:02 PM, Sergio wrote:
>
> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^
> .]+\.com/i
> header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
These will match any domain that starts with "dh" and ends with ".com".
For example, they will match "someuser@dhalailama.com". Is this
expected? If you just want to match a single character, then get rid of
the +.
header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^ .]\.com/i
header __FROM_DHL From =~ /\bdhl[^ .]\.com/i
--
Bowie
Re: Help with constructing a rule for MCP
Posted by Sergio <se...@gmail.com>.
Thank you John,
it was a typo in my email; on my server I wrote the score name the same as
the meta name. The rule on my server is:
header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
header __ENV_FROM_UPS Received =~ /envelope-from [^ @]+@ups\.com/i
header __FROM_UPS From =~ /\bups\.com/i
meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
describe DHL_UPS_MISMATCH Correo con virus DHL-USA o UPS
score DHL_UPS_MISMATCH 11
Regards,
Sergio
On Sun, Nov 20, 2011 at 11:33 AM, John Hardin <jh...@impsec.org> wrote:
> On Sat, 19 Nov 2011, Sergio wrote:
>
> meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) ||
>> (__ENV_FROM_UPS && __FROM_DHL)
>> score VIRUS_DHLTOTAL 11
>>
>
> Fix the name on the score.
>
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> North Korea: the only country in the world where people would risk
> execution to flee to communist China. -- Ride Fast
> -----------------------------------------------------------------------
> 347 days since the first successful private orbital launch (SpaceX)
>
Re: Help with constructing a rule for MCP
Posted by John Hardin <jh...@impsec.org>.
On Sat, 19 Nov 2011, Sergio wrote:
> meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
> score VIRUS_DHLTOTAL 11
Fix the name on the score.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
North Korea: the only country in the world where people would risk
execution to flee to communist China. -- Ride Fast
-----------------------------------------------------------------------
347 days since the first successful private orbital launch (SpaceX)
Re: Help with constructing a rule for MCP
Posted by Sergio <se...@gmail.com>.
John,
thanks a lot for your suggestions, I will apply them in my rule, thanks!
Just a little bit more information about these emails, here is another
header where I got the CommuniGate Pro SMTP 5.2.3:
*******************************
Received: from [81.145.136.213] (helo=dhl-usa.com)
by MY SERVER IP with smtp (Exim 4.69)
(envelope-from <ch...@dhl-usa.com>)
id 1RQvs4-0006uH-Do
for MY CUSTOMER EMAIL; Thu, 17 Nov 2011 00:54:54 -0600
Received: from [53.166.161.121] (account charlescvl91@dhl-usa.com HELO
msrertiksp.dxnbmrblb.com)
by (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 144361206 for <MY CUSTOMER EMAIL>; Thu, 17 Nov 2011
06:54:57 +0000
From: UPS Support <no...@ups.com>
To: <MY CUSTOMER EMAIL>
Subject: UPS Delivery Notification TrackNum 73-2868202-M56DIEQ
Date: Thu, 17 Nov 2011 06:54:57 +0000
Message-ID: <01...@wrfgijnsf.ozyaj.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000E_01CCA4F5.D1299D90"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2741.2600
Importance: Normal
*******************************
Right now I have set these two rules:
header __VIRUS_DHL1 FROM =~ /\b(?:dhl-usa|ups)\.com/i
header __VIRUS_DHL2 ALL =~ /CommuniGate Pro SMTP 5.2.3/i
meta VIRUS_DHLTOTAL (__VIRUS_DHL1 && __VIRUS_DHL2)
describe VIRUS_DHLTOTAL Correo con virus de DHL-USA
score VIRUS_DHLTOTAL 11
header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
header __ENV_FROM_UPS Received =~ /envelope-from [^ @]+@ups\.com/i
header __FROM_UPS From =~ /\bups\.com/i
meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
score VIRUS_DHLTOTAL 11
Once again, thank you for helping me.
Best Regards,
Sergio Cabrera
On Sat, Nov 19, 2011 at 1:27 PM, John Hardin <jh...@impsec.org> wrote:
> On Sat, 19 Nov 2011, Sergio wrote:
>
> this is one header of the emails that I received:
>>
>> *********************************
>> Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
>> by MY-SERVER with smtp (Exim 4.69)
>> (envelope-from <pl...@dhl-usa.com>)
>> id 1RQNQZ-0002Q1-QD
>> for MY-USER@DOMAIN.COM; Tue, 15 Nov 2011 12:08:15 -0600
>> Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
>> by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
>> (envelope-from )
>> id 1MMQJ8-3051eb-TY
>> for <MY...@DOMAIN.COM>; Tue, 15 Nov 2011 19:08:13 +0100
>> Message-ID: <1232210117.3Q65WY5I448622@azbvbczcdgxeoq.mqfphqgytobofv.com>
>> From: UPS Support <au...@ups.com>
>> To: <pa...@macred.com>
>> Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
>> Date: Tue, 15 Nov 2011 19:08:13 +0100
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed;
>> boundary="----=_NextPart_000_0006_01CCA3C9.EBFEF390"
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Mailer: Microsoft Outlook Express 5.00.2919.6600
>> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
>> *********************************
>>
>
> Your rules:
>
>
> header __VIRUS_DHL1 FROM =~ /dhl-usa.com/i
> header __VIRUS_DHL2 ALL =~ /CommuniGate Pro SMTP 5.2.3/i
>
> __VIRUS_DHL1 won't hit on this, it's from UPS.COM. Perhaps:
>
> header __VIRUS_DHL1 FROM =~ /\b(?:dhl-usa|ups)\.com/i
>
> No "CommuniGate Pro", so _that_ won't hit on this.
>
> I note that the envelope-from _is_ dhl-usa.com; Are DHL and UPS
> affiliated? If not, and if that appears regularly, then perhaps this (off
> the top of my head, untested) would help:
>
> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
> header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
>
> header __ENV_FROM_UPS Received =~ /envelope-from [^ @]+@ups\.com/i
> header __FROM_UPS From =~ /\bups\.com/i
>
> meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) ||
> (__ENV_FROM_UPS && __FROM_DHL)
>
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> Microsoft is not a standards body.
>
> -----------------------------------------------------------------------
> 346 days since the first successful private orbital launch (SpaceX)
>
Re: Help with constructing a rule for MCP
Posted by John Hardin <jh...@impsec.org>.
On Sat, 19 Nov 2011, Sergio wrote:
> this is one header of the emails that I received:
>
> *******************************
> Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
> by MY-SERVER with smtp (Exim 4.69)
> (envelope-from <pl...@dhl-usa.com>)
> id 1RQNQZ-0002Q1-QD
> for MY-USER@DOMAIN.COM; Tue, 15 Nov 2011 12:08:15 -0600
> Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
> by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
> (envelope-from )
> id 1MMQJ8-3051eb-TY
> for <MY...@DOMAIN.COM>; Tue, 15 Nov 2011 19:08:13 +0100
> Message-ID: <12...@azbvbczcdgxeoq.mqfphqgytobofv.com>
> From: UPS Support <au...@ups.com>
> To: <pa...@macred.com>
> Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
> Date: Tue, 15 Nov 2011 19:08:13 +0100
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_0006_01CCA3C9.EBFEF390"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.00.2919.6600
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
> *******************************
Your rules:
header __VIRUS_DHL1 FROM =~ /dhl-usa.com/i
header __VIRUS_DHL2 ALL =~ /CommuniGate Pro SMTP 5.2.3/i
__VIRUS_DHL1 won't hit on this, it's from UPS.COM. Perhaps:
header __VIRUS_DHL1 FROM =~ /\b(?:dhl-usa|ups)\.com/i
No "CommuniGate Pro", so _that_ won't hit on this.
I note that the envelope-from _is_ dhl-usa.com; are DHL and UPS
affiliated? If not, and if that appears regularly, then perhaps this (off
the top of my head, untested) would help:
header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
header __ENV_FROM_UPS Received =~ /envelope-from [^ @]+@ups\.com/i
header __FROM_UPS From =~ /\bups\.com/i
meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Microsoft is not a standards body.
-----------------------------------------------------------------------
346 days since the first successful private orbital launch (SpaceX)
Re: Help with constructing a rule for MCP
Posted by Sergio <se...@gmail.com>.
RW,
Now I understand why it gave 1 point when I declared 11 on the score, lol.
I was trying to follow the spamassassin tutorial and saw the example, it
shows the two underscores but never says that they are kind of mandatory,
thanks a lot for pointing this out.
John Hardin,
this is one header of the emails that I received:
*******************************
Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
by MY-SERVER with smtp (Exim 4.69)
(envelope-from <pl...@dhl-usa.com>)
id 1RQNQZ-0002Q1-QD
for MY-USER@DOMAIN.COM; Tue, 15 Nov 2011 12:08:15 -0600
Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
(envelope-from )
id 1MMQJ8-3051eb-TY
for <MY...@DOMAIN.COM>; Tue, 15 Nov 2011 19:08:13 +0100
Message-ID: <12...@azbvbczcdgxeoq.mqfphqgytobofv.com>
From: UPS Support <au...@ups.com>
To: <pa...@macred.com>
Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
Date: Tue, 15 Nov 2011 19:08:13 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_01CCA3C9.EBFEF390"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
*******************************
Thanks a lot for your kind answers.
Best Regards,
Sergio Cabrera
On Sat, Nov 19, 2011 at 8:18 AM, RW <rw...@googlemail.com> wrote:
> On Sat, 19 Nov 2011 05:42:43 -0600
> Sergio wrote:
>
>
>
> > header VIRUS_DHL2 ALL =~ /text inside the email to check for/i
>
> This looks for the text in all of the headers. If you meant to look in
> the body, then you want:
>
> body VIRUS_DHL2 /text inside the email to check for/i
>
> You should also consider naming the sub-rules with two leading
> underscores (like __VIRUS_DHL2), or explicitly score them, to prevent
> them having a one point default score.
>
Re: Help with constructing a rule for MCP
Posted by RW <rw...@googlemail.com>.
On Sat, 19 Nov 2011 05:42:43 -0600
Sergio wrote:
> header VIRUS_DHL2 ALL =~ /text inside the email to check for/i
This looks for the text in all of the headers. If you meant to look in
the body, then you want:
body VIRUS_DHL2 /text inside the email to check for/i
You should also consider naming the sub-rules with two leading
underscores (like __VIRUS_DHL2), or explicitly score them, to prevent
them having a one point default score.
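To see the thread's DHL/UPS mismatch rule (John Hardin's header/meta rules) and RW's point about the one-point default score working end to end, here is an added example that is not part of the thread and not SpamAssassin's own code: a small Python model of SpamAssassin's header-rule, meta-rule and scoring behaviour, run over constructed headers shaped like the ones Sergio posted (addresses are placeholders). The patterns are the thread's; the `@` is left unescaped because Python's `re`, unlike the Perl that SpamAssassin hands the pattern to, does not need it.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample headers, modelled on the ones posted in the thread.
# Addresses are placeholders, not the real ones from the messages.
SAMPLE_MISMATCH = """\
Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
 by MY-SERVER with smtp (Exim 4.69)
 (envelope-from <someone@dhl-usa.com>)
 for user@example.com; Tue, 15 Nov 2011 12:08:15 -0600
From: UPS Support <support@ups.com>
To: <user@example.com>
Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
"""
SAMPLE_CONSISTENT = """\
Received: from mail.example.net ([192.0.2.10])
 by MY-SERVER with smtp (Exim 4.69)
 (envelope-from <notify@ups.com>)
 for user@example.com; Thu, 17 Nov 2011 00:54:54 -0600
From: UPS Support <notify@ups.com>
To: <user@example.com>
"""

# The two DHL patterns from the thread: the first "off the top of the head"
# version and the refined one that also accepts a bare dhl.com.
OLD_DHL_RE = r"\bdhl[^ .]+\.com"
NEW_DHL_RE = r"\bdhl(?:[-_][^ .]+)?\.com"

# header rules: name -> (header to inspect, pattern). Python's re needs no
# backslash before '@'; SpamAssassin, which hands the pattern to Perl, does.
HEADER_RULES: Dict[str, Tuple[str, str]] = {
    "__ENV_FROM_DHL": ("Received", r"envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com"),
    "__FROM_DHL": ("From", NEW_DHL_RE),
    "__ENV_FROM_UPS": ("Received", r"envelope-from [^ @]+@ups\.com"),
    "__FROM_UPS": ("From", r"\bups\.com"),
}
# meta rules combine sub-rule hits, exactly as the posted meta line does.
META_RULES: Dict[str, Callable[[Dict[str, bool]], bool]] = {
    "DHL_UPS_MISMATCH": lambda h: (h["__ENV_FROM_DHL"] and h["__FROM_UPS"])
    or (h["__ENV_FROM_UPS"] and h["__FROM_DHL"]),
}
SCORES = {"DHL_UPS_MISMATCH": 11.0}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Unfold RFC 5322 continuation lines and group values by header name."""
    headers: Dict[str, List[str]] = {}
    current = ""
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and current:
            headers[current][-1] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip().lower()
            headers.setdefault(current, []).append(value.strip())
    return headers


def matches(pattern: str, text: str) -> bool:
    """Case-insensitive search, like the /i flag on the posted rules."""
    return re.search(pattern, text, re.I) is not None


def score(hits: Dict[str, bool]) -> float:
    """Sum scores the way SpamAssassin does: the explicit score if one was
    given, 0 for a __ sub-rule, otherwise the 1.0 default that surprised Sergio."""
    total = 0.0
    for name, hit in hits.items():
        if hit:
            total += SCORES.get(name, 0.0 if name.startswith("__") else 1.0)
    return total


def evaluate(raw: str) -> Tuple[Dict[str, bool], float]:
    """Run the header and meta rules over one message; return hits and score."""
    headers = parse_headers(raw)
    hits: Dict[str, bool] = {}
    for name, (hdr, pattern) in HEADER_RULES.items():
        # like SA, test against every instance of the header at once
        hits[name] = matches(pattern, "\n".join(headers.get(hdr.lower(), [])))
    for name, expr in META_RULES.items():
        hits[name] = bool(expr(hits))
    return hits, score(hits)


if __name__ == "__main__":
    for label, raw in (("mismatch", SAMPLE_MISMATCH), ("consistent", SAMPLE_CONSISTENT)):
        hits, total = evaluate(raw)
        print(f"{label}: score {total:.1f}, rules hit {[n for n, h in hits.items() if h]}")
    # the refinement discussed in the thread: the old pattern misses a bare dhl.com
    print("old on dhl.com:", matches(OLD_DHL_RE, "dhl.com"),
          "new on dhl.com:", matches(NEW_DHL_RE, "dhl.com"))
    # and neither pattern matches the "dhalailama.com" that worried Bowie
    print("new on dhalailama.com:", matches(NEW_DHL_RE, "someuser@dhalailama.com"))
```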