Posted to commits@spamassassin.apache.org by qu...@apache.org on 2005/04/03 05:19:30 UTC

svn commit: r159869 - in spamassassin/trunk: MANIFEST lib/Mail/SpamAssassin/EvalTests.pm lib/Mail/SpamAssassin/Plugin/AntiVirus.pm lib/Mail/SpamAssassin/Plugin/MSExec.pm rules/20_body_tests.cf rules/25_antivirus.cf rules/25_msexec.cf rules/50_scores.cf rules/init.pre

Author: quinlan
Date: Sat Apr  2 19:19:29 2005
New Revision: 159869

URL: http://svn.apache.org/viewcvs?view=rev&rev=159869
Log:
generalize MSExec plugin to be an AntiVirus plugin
bug 2417: move MIME_SUSPECT_NAME to AntiVirus plugin

Added:
    spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/AntiVirus.pm
      - copied, changed from r159861, spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/MSExec.pm
    spamassassin/trunk/rules/25_antivirus.cf
      - copied, changed from r159867, spamassassin/trunk/rules/25_msexec.cf
Removed:
    spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/MSExec.pm
    spamassassin/trunk/rules/25_msexec.cf
Modified:
    spamassassin/trunk/MANIFEST
    spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm
    spamassassin/trunk/rules/20_body_tests.cf
    spamassassin/trunk/rules/50_scores.cf
    spamassassin/trunk/rules/init.pre

Modified: spamassassin/trunk/MANIFEST
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/MANIFEST?view=diff&r1=159868&r2=159869
==============================================================================
--- spamassassin/trunk/MANIFEST (original)
+++ spamassassin/trunk/MANIFEST Sat Apr  2 19:19:29 2005
@@ -60,12 +60,12 @@
 lib/Mail/SpamAssassin/PersistentAddrList.pm
 lib/Mail/SpamAssassin/Plugin.pm
 lib/Mail/SpamAssassin/Plugin/AWL.pm
+lib/Mail/SpamAssassin/Plugin/AntiVirus.pm
 lib/Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm
 lib/Mail/SpamAssassin/Plugin/DCC.pm
 lib/Mail/SpamAssassin/Plugin/DomainKeys.pm
 lib/Mail/SpamAssassin/Plugin/Hashcash.pm
 lib/Mail/SpamAssassin/Plugin/MIMEHeader.pm
-lib/Mail/SpamAssassin/Plugin/MSExec.pm
 lib/Mail/SpamAssassin/Plugin/Pyzor.pm
 lib/Mail/SpamAssassin/Plugin/Razor2.pm
 lib/Mail/SpamAssassin/Plugin/RelayCountry.pm
@@ -160,11 +160,11 @@
 rules/20_ratware.cf
 rules/20_uri_tests.cf
 rules/23_bayes.cf
+rules/25_antivirus.cf
 rules/25_body_tests_es.cf
 rules/25_dcc.cf
 rules/25_domainkeys.cf
 rules/25_hashcash.cf
-rules/25_msexec.cf
 rules/25_pyzor.cf
 rules/25_razor2.cf
 rules/25_replace.cf

Modified: spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm?view=diff&r1=159868&r2=159869
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm Sat Apr  2 19:19:29 2005
@@ -2286,32 +2286,6 @@
       }
     }
   }
-
-  if ($name && $ctype ne "application/octet-stream") {
-    # MIME_SUSPECT_NAME triggered here
-    $name =~ s/.*\.//;
-    $ctype =~ s@/(x-|vnd\.)@/@;
-
-    if (((($name eq "txt") || ($name =~ /^[px]?html?$/) ||
-	  ($name eq "xml")) &&
-	 ($ctype !~
-	  m@^text/(?:plain|[px]?html?|english|sgml|xml|enriched|richtext)@) &&
-	 ($ctype !~ m@^message/external-body@)) # RFC-Editor emails...
-	|| ((($name =~ /^(?:jpe?g|tiff?)$/) || ($name eq "gif") ||
-	     ($name eq "png"))
-	    && ($ctype !~ m@^image/@)
-	    && ($ctype !~ m@^application/mac-binhex@))
-	|| ($name eq "vcf" && $ctype ne "text/vcard")
-	|| ($name =~ /^(?:bat|com|exe|pif|scr|swf|vbs)$/
-	    && $ctype !~ m@^application/@)
-	|| ($name eq "doc" && $ctype !~ m@^application/.*word$@)
-	|| ($name eq "ppt" && $ctype !~ m@^application/.*(?:powerpoint|ppt)$@)
-	|| ($name eq "xls" && $ctype !~ m@^application/.*excel$@)
-       )
-    {
-      $self->{mime_suspect_name} = 1;
-    }
-  }
 }
 
 sub _check_attachments {
@@ -2349,7 +2323,6 @@
   # $self->{mime_qp_inline_no_charset} = 0;
   $self->{mime_qp_long_line} = 0;
   $self->{mime_qp_ratio} = 0;
-  $self->{mime_suspect_name} = 0;
 
   # Get all parts ...
   foreach my $p ($self->{msg}->find_parts(qr/./)) {

Copied: spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/AntiVirus.pm (from r159861, spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/MSExec.pm)
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/AntiVirus.pm?view=diff&rev=159869&p1=spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/MSExec.pm&r1=159861&p2=spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/AntiVirus.pm&r2=159869
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/MSExec.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/AntiVirus.pm Sat Apr  2 19:19:29 2005
@@ -16,17 +16,19 @@
 
 =head1 NAME
 
-MSExec - determine if the message includes a Microsoft executable file
+AntiVirus - simple anti-virus tests
 
 =head1 SYNOPSIS
 
-  loadplugin     Mail::SpamAssassin::Plugin::MSExec
-  body           MICROSOFT_EXECUTABLE eval:check_microsoft_executable()
+  loadplugin     Mail::SpamAssassin::Plugin::AntiVirus
+
+  body MICROSOFT_EXECUTABLE eval:check_microsoft_executable()
+  body MIME_SUSPECT_NAME    eval:check_suspect_name()
 
 =head1 DESCRIPTION
 
-This rule works by checking for 3 possibilities in the message in any
-application/* or text/* part in the message:
+The MICROSOFT_EXECUTABLE rule works by checking for 3 possibilities in
+the message in any application/* or text/* part in the message:
 
 =over 4
 
@@ -40,9 +42,10 @@
 
 =cut
 
-package Mail::SpamAssassin::Plugin::MSExec;
+package Mail::SpamAssassin::Plugin::AntiVirus;
 
 use Mail::SpamAssassin::Plugin;
+use Mail::SpamAssassin::Util;
 use strict;
 use warnings;
 use bytes;
@@ -60,37 +63,101 @@
   my $self = $class->SUPER::new($mailsaobject);
   bless ($self, $class);
 
-  $self->register_eval_rule ("check_microsoft_executable");
+  $self->register_eval_rule("check_microsoft_executable");
+  $self->register_eval_rule("check_suspect_name");
 
   return $self;
 }
 
 sub check_microsoft_executable {
-  my ($self, $permsgstatus) = @_;
+  my ($self, $pms) = @_;
+
+  _check_attachments(@_) unless exists $pms->{antivirus_microsoft_exe};
+
+  return $pms->{antivirus_microsoft_exe};
+}
+
+sub check_suspect_name {
+  my ($self, $pms) = @_;
+
+  _check_attachments(@_) unless exists $pms->{antivirus_suspect_name};
+
+  return $pms->{antivirus_suspect_name};
+}
 
-  foreach my $p ($permsgstatus->{msg}->find_parts(qr/^(application|text)\b/)) {
+sub _check_attachments {
+  my ($self, $pms) = @_;
+
+  $pms->{antivirus_microsoft_exe} = 0;
+  $pms->{antivirus_suspect_name} = 0;
+
+  # MICROSOFT_EXECUTABLE triggered here
+  foreach my $p ($pms->{msg}->find_parts(qr/^(application|text)\b/)) {
     my ($ctype, $boundary, $charset, $name) =
       Mail::SpamAssassin::Util::parse_content_type($p->get_header('content-type'));
 
-    if (lc $ctype eq 'application/octet-stream') {
-      $name ||= '';
-      $name = lc $name;
-
-      # file extension indicates an executable ...
-      return 1 if ($name =~ /\.(?:ade|adp|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|url|vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh)$/);
-
-      # base64 attached executable ...
-      my $cte = lc $p->get_header('content-transfer-encoding') || '';
-      return 1 if ($cte =~ /base64/ && $p->raw()->[0] =~ /^TV[opqr].A..[AB].[AQgw][A-H].A/);
+    $name = lc $name || '';
+
+    my $cte = lc $p->get_header('content-transfer-encoding') || '';
+    $ctype = lc $ctype;
+
+    if ($name && $name =~ /\.(?:ade|adp|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|url|vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh)$/)
+    {
+      # file extension indicates an executable
+      $pms->{antivirus_microsoft_exe} = 1;
     }
-    elsif ($ctype =~ /^text\b/i) {
-      # uuencoded executable ...
-      foreach (@{$p->raw()}) {
-        return 1 if (/^M35[GHIJK].`..`..*````/);
+    elsif ($cte =~ /base64/ &&
+	   $p->raw()->[0] =~ /^TV[opqr].A..[AB].[AQgw][A-H].A/)
+    {
+      # base64-encoded executable
+      $pms->{antivirus_microsoft_exe} = 1;
+    }
+    elsif ($ctype =~ /^text\b/) {
+      # uuencoded executable
+      for (@{$p->raw()}) {
+	if (/^M35[GHIJK].`..`..*````/) {
+	  # uuencoded executable
+	  $pms->{antivirus_microsoft_exe} = 1;
+	}
+      }
+    }
+
+    # MIME_SUSPECT_NAME triggered here
+    if ($name && $ctype ne "application/octet-stream") {
+      $name =~ s/.*\.//;
+      $ctype =~ s@/(x-|vnd\.)@/@;
+
+      if (
+	  # text
+	  (($name =~ /^(?:txt|[px]?html?|xml)$/) &&
+	   ($ctype !~ m@^(?:text/(?:plain|[px]?html?|english|sgml|xml|enriched|richtext)|message/external-body)@)) ||
+
+	  # image
+	  (($name =~ /^(?:jpe?g|tiff?|gif|png)$/) &&
+	   ($ctype !~ m@^(?:image/|application/mac-binhex)@)) ||
+
+	  # vcard
+	  (($name eq "vcf") && $ctype ne "text/vcard") ||
+
+	  # application
+	  (($name =~ /^(?:bat|com|exe|pif|scr|swf|vbs)$/) &&
+	   ($ctype !~ m@^application/@)) ||
+
+	  # msword
+	  (($name eq "doc") && ($ctype !~ m@^application/.*word$@)) ||
+
+	  # powerpoint
+	  (($name eq "ppt") &&
+	   ($ctype !~ m@^application/.*(?:powerpoint|ppt)$@)) ||
+
+	  # excel
+	  (($name eq "xls") && ($ctype !~ m@^application/.*excel$@))
+	  )
+      {
+	$pms->{antivirus_suspect_name} = 1;
       }
     }
   }
-  return 0;
 }
 
 1;
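Review bot: Restricting the shared loop to `find_parts(qr/^(application|text)\b/)` narrows MIME_SUSPECT_NAME, which in the code removed from EvalTests.pm ran over every part (`find_parts(qr/./)`): a part typed `audio/*`, `video/*` or `message/*` whose filename ends in `.exe`, `.txt` or `.jpg` is now never examined, the `message/external-body` exclusion carried into the new regex becomes dead code, and the rule can be sidestepped by declaring any non-application, non-text top-level type (assuming find_parts matches on the part's declared Content-Type). I would iterate over `qr/./` and wrap only the executable checks in `if ($ctype =~ m{^(?:application|text)\b}) { ... }`, leaving the suspect-name block outside that guard. Separately, `$name = lc $name || '';` parses as `(lc $name) || ''`, so a missing name reaches `lc` and emits an uninitialized-value warning that the old `$name ||= ''` sequence avoided; `$name = lc($name || '');` keeps the intent (the same applies to the `$cte` line, inherited from the old code). The POD DESCRIPTION still documents only MICROSOFT_EXECUTABLE; a short paragraph saying that MIME_SUSPECT_NAME fires when a part's filename extension disagrees with its declared Content-Type would complete the SYNOPSIS.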

Modified: spamassassin/trunk/rules/20_body_tests.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/20_body_tests.cf?view=diff&r1=159868&r2=159869
==============================================================================
--- spamassassin/trunk/rules/20_body_tests.cf (original)
+++ spamassassin/trunk/rules/20_body_tests.cf Sat Apr  2 19:19:29 2005
@@ -89,12 +89,6 @@
 rawbody  MIME_QP_LONG_LINE	eval:check_for_mime('mime_qp_long_line')
 describe MIME_QP_LONG_LINE	Quoted-printable line longer than 76 chars
 
-# actually indicates viruses, typically; just used here to clean corpora.
-rawbody  MIME_SUSPECT_NAME	eval:check_for_mime('mime_suspect_name')
-describe MIME_SUSPECT_NAME	MIME filename does not match content
-# todo: better tflags category for these tests
-tflags MIME_SUSPECT_NAME userconf
-
 # note: __HIGHBITS is used by HTML_CHARSET_FARAWAY
 rawbody __MIME_CHARSET_FARAWAY	eval:check_for_mime('mime_faraway_charset')
 body __HIGHBITS			/(?:[\x80-\xff].?){4,}/

Copied: spamassassin/trunk/rules/25_antivirus.cf (from r159867, spamassassin/trunk/rules/25_msexec.cf)
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/25_antivirus.cf?view=diff&rev=159869&p1=spamassassin/trunk/rules/25_msexec.cf&r1=159867&p2=spamassassin/trunk/rules/25_antivirus.cf&r2=159869
==============================================================================
--- spamassassin/trunk/rules/25_msexec.cf (original)
+++ spamassassin/trunk/rules/25_antivirus.cf Sat Apr  2 19:19:29 2005
@@ -1,4 +1,4 @@
-# SpamAssassin - MSExec rules
+# SpamAssassin - anti-virus rules
 #
 # Please don't modify this file as your changes will be overwritten with
 # the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
@@ -22,12 +22,14 @@
 #
 ###########################################################################
 
-# Requires the Mail::SpamAssassin::Plugin::MSExec plugin be loaded.
+# Requires the Mail::SpamAssassin::Plugin::AntiVirus plugin be loaded.
 
-ifplugin Mail::SpamAssassin::Plugin::MSExec
+ifplugin Mail::SpamAssassin::Plugin::AntiVirus
 
-body		MICROSOFT_EXECUTABLE	eval:check_microsoft_executable()
-describe	MICROSOFT_EXECUTABLE	Message includes Microsoft executable program
-score		MICROSOFT_EXECUTABLE	0.100
+body MICROSOFT_EXECUTABLE	eval:check_microsoft_executable()
+describe MICROSOFT_EXECUTABLE	Message includes Microsoft executable program
 
-endif   # Mail::SpamAssassin::Plugin::MSExec
+body MIME_SUSPECT_NAME		eval:check_suspect_name()
+describe MIME_SUSPECT_NAME	MIME filename does not match content
+
+endif   # Mail::SpamAssassin::Plugin::AntiVirus
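Review bot: The new MIME_SUSPECT_NAME definition drops the `tflags MIME_SUSPECT_NAME userconf` line that accompanied the rule in 20_body_tests.cf, and the commit message does not say whether that re-categorisation is intended. If it is, a one-line comment above the rule should record it; if not, re-add `tflags MIME_SUSPECT_NAME userconf` under the describe line. The removed definition also carried the caveat that the test indicates viruses rather than spam and was used mainly to clean corpora; that context is worth keeping here, e.g. `# generic virus heuristics, not a substitute for a real anti-virus scanner`.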

Modified: spamassassin/trunk/rules/50_scores.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/50_scores.cf?view=diff&r1=159868&r2=159869
==============================================================================
--- spamassassin/trunk/rules/50_scores.cf (original)
+++ spamassassin/trunk/rules/50_scores.cf Sat Apr  2 19:19:29 2005
@@ -573,9 +573,6 @@
 score HTML_CHARSET_FARAWAY 0.500
 score MIME_CHARSET_FARAWAY 2.450
 
-# highly generic tests for viruses that are scored just high enough to run
-score MIME_SUSPECT_NAME 0.100
-
 # accessdb lookups
 score ACCESSDB 0
 
@@ -682,6 +679,12 @@
 score UNWANTED_LANGUAGE_BODY 2.800
 score BODY_8BITS 1.500
 endif # Mail::SpamAssassin::Plugin::TextCat
+
+# AntiVirus
+ifplugin Mail::SpamAssassin::Plugin::AntiVirus
+score MICROSOFT_EXECUTABLE 0.100
+score MIME_SUSPECT_NAME 0.100
+endif # Mail::SpamAssassin::Plugin::AntiVirus
 
 # MAPS
 # MAPS is a commercial service.  If you pay for these, assign a score
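Review bot: The rationale for the 0.100 scores ("scored just high enough to run", removed with the old MIME_SUSPECT_NAME score line) did not travel with the scores, so the new block reads as if 0.100 were a tuned value. I would restore it above the ifplugin line: `# highly generic tests for viruses, scored just high enough to run`.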

Modified: spamassassin/trunk/rules/init.pre
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/init.pre?view=diff&r1=159868&r2=159869
==============================================================================
--- spamassassin/trunk/rules/init.pre (original)
+++ spamassassin/trunk/rules/init.pre Sat Apr  2 19:19:29 2005
@@ -55,10 +55,10 @@
 #
 #loadplugin Mail::SpamAssassin::Plugin::DomainKeys
 
-# MSExec - do simple checks to see if the message includes a Microsoft
-# executable file
+# AntiVirus - some simple anti-virus checks, this is not a replacement
+# for an anti-virus filter like Clam AntiVirus
 #
-#loadplugin Mail::SpamAssassin::Plugin::MSExec
+#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
 
 # AWL - do auto-whitelist checks
 #