Posted to commits@spamassassin.apache.org by qu...@apache.org on 2005/04/03 05:19:30 UTC
svn commit: r159869 - in spamassassin/trunk: MANIFEST
lib/Mail/SpamAssassin/EvalTests.pm lib/Mail/SpamAssassin/Plugin/AntiVirus.pm
lib/Mail/SpamAssassin/Plugin/MSExec.pm rules/20_body_tests.cf
rules/25_antivirus.cf rules/25_msexec.cf rules/50_scores.cf rules/init.pre
Author: quinlan
Date: Sat Apr 2 19:19:29 2005
New Revision: 159869
URL: http://svn.apache.org/viewcvs?view=rev&rev=159869
Log:
generalize MSExec plugin to be an AntiVirus plugin
bug 2417: move MIME_SUSPECT_NAME to AntiVirus plugin
Added:
spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/AntiVirus.pm
- copied, changed from r159861, spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/MSExec.pm
spamassassin/trunk/rules/25_antivirus.cf
- copied, changed from r159867, spamassassin/trunk/rules/25_msexec.cf
Removed:
spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/MSExec.pm
spamassassin/trunk/rules/25_msexec.cf
Modified:
spamassassin/trunk/MANIFEST
spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm
spamassassin/trunk/rules/20_body_tests.cf
spamassassin/trunk/rules/50_scores.cf
spamassassin/trunk/rules/init.pre
Modified: spamassassin/trunk/MANIFEST
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/MANIFEST?view=diff&r1=159868&r2=159869
==============================================================================
--- spamassassin/trunk/MANIFEST (original)
+++ spamassassin/trunk/MANIFEST Sat Apr 2 19:19:29 2005
@@ -60,12 +60,12 @@
lib/Mail/SpamAssassin/PersistentAddrList.pm
lib/Mail/SpamAssassin/Plugin.pm
lib/Mail/SpamAssassin/Plugin/AWL.pm
+lib/Mail/SpamAssassin/Plugin/AntiVirus.pm
lib/Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm
lib/Mail/SpamAssassin/Plugin/DCC.pm
lib/Mail/SpamAssassin/Plugin/DomainKeys.pm
lib/Mail/SpamAssassin/Plugin/Hashcash.pm
lib/Mail/SpamAssassin/Plugin/MIMEHeader.pm
-lib/Mail/SpamAssassin/Plugin/MSExec.pm
lib/Mail/SpamAssassin/Plugin/Pyzor.pm
lib/Mail/SpamAssassin/Plugin/Razor2.pm
lib/Mail/SpamAssassin/Plugin/RelayCountry.pm
@@ -160,11 +160,11 @@
rules/20_ratware.cf
rules/20_uri_tests.cf
rules/23_bayes.cf
+rules/25_antivirus.cf
rules/25_body_tests_es.cf
rules/25_dcc.cf
rules/25_domainkeys.cf
rules/25_hashcash.cf
-rules/25_msexec.cf
rules/25_pyzor.cf
rules/25_razor2.cf
rules/25_replace.cf
Modified: spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm?view=diff&r1=159868&r2=159869
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/EvalTests.pm Sat Apr 2 19:19:29 2005
@@ -2286,32 +2286,6 @@
}
}
}
-
- if ($name && $ctype ne "application/octet-stream") {
- # MIME_SUSPECT_NAME triggered here
- $name =~ s/.*\.//;
- $ctype =~ s@/(x-|vnd\.)@/@;
-
- if (((($name eq "txt") || ($name =~ /^[px]?html?$/) ||
- ($name eq "xml")) &&
- ($ctype !~
- m@^text/(?:plain|[px]?html?|english|sgml|xml|enriched|richtext)@) &&
- ($ctype !~ m@^message/external-body@)) # RFC-Editor emails...
- || ((($name =~ /^(?:jpe?g|tiff?)$/) || ($name eq "gif") ||
- ($name eq "png"))
- && ($ctype !~ m@^image/@)
- && ($ctype !~ m@^application/mac-binhex@))
- || ($name eq "vcf" && $ctype ne "text/vcard")
- || ($name =~ /^(?:bat|com|exe|pif|scr|swf|vbs)$/
- && $ctype !~ m@^application/@)
- || ($name eq "doc" && $ctype !~ m@^application/.*word$@)
- || ($name eq "ppt" && $ctype !~ m@^application/.*(?:powerpoint|ppt)$@)
- || ($name eq "xls" && $ctype !~ m@^application/.*excel$@)
- )
- {
- $self->{mime_suspect_name} = 1;
- }
- }
}
sub _check_attachments {
@@ -2349,7 +2323,6 @@
# $self->{mime_qp_inline_no_charset} = 0;
$self->{mime_qp_long_line} = 0;
$self->{mime_qp_ratio} = 0;
- $self->{mime_suspect_name} = 0;
# Get all parts ...
foreach my $p ($self->{msg}->find_parts(qr/./)) {
Copied: spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/AntiVirus.pm (from r159861, spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/MSExec.pm)
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/AntiVirus.pm?view=diff&rev=159869&p1=spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/MSExec.pm&r1=159861&p2=spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/AntiVirus.pm&r2=159869
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/MSExec.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/AntiVirus.pm Sat Apr 2 19:19:29 2005
@@ -16,17 +16,19 @@
=head1 NAME
-MSExec - determine if the message includes a Microsoft executable file
+AntiVirus - simple anti-virus tests
=head1 SYNOPSIS
- loadplugin Mail::SpamAssassin::Plugin::MSExec
- body MICROSOFT_EXECUTABLE eval:check_microsoft_executable()
+ loadplugin Mail::SpamAssassin::Plugin::AntiVirus
+
+ body MICROSOFT_EXECUTABLE eval:check_microsoft_executable()
+ body MIME_SUSPECT_NAME eval:check_suspect_name()
=head1 DESCRIPTION
-This rule works by checking for 3 possibilities in the message in any
-application/* or text/* part in the message:
+The MICROSOFT_EXECUTABLE rule works by checking for 3 possibilities in
+the message in any application/* or text/* part in the message:
=over 4
@@ -40,9 +42,10 @@
=cut
-package Mail::SpamAssassin::Plugin::MSExec;
+package Mail::SpamAssassin::Plugin::AntiVirus;
use Mail::SpamAssassin::Plugin;
+use Mail::SpamAssassin::Util;
use strict;
use warnings;
use bytes;
@@ -60,37 +63,101 @@
my $self = $class->SUPER::new($mailsaobject);
bless ($self, $class);
- $self->register_eval_rule ("check_microsoft_executable");
+ $self->register_eval_rule("check_microsoft_executable");
+ $self->register_eval_rule("check_suspect_name");
return $self;
}
sub check_microsoft_executable {
- my ($self, $permsgstatus) = @_;
+ my ($self, $pms) = @_;
+
+ _check_attachments(@_) unless exists $pms->{antivirus_microsoft_exe};
+
+ return $pms->{antivirus_microsoft_exe};
+}
+
+sub check_suspect_name {
+ my ($self, $pms) = @_;
+
+ _check_attachments(@_) unless exists $pms->{antivirus_suspect_name};
+
+ return $pms->{antivirus_suspect_name};
+}
- foreach my $p ($permsgstatus->{msg}->find_parts(qr/^(application|text)\b/)) {
+sub _check_attachments {
+ my ($self, $pms) = @_;
+
+ $pms->{antivirus_microsoft_exe} = 0;
+ $pms->{antivirus_suspect_name} = 0;
+
+ # MICROSOFT_EXECUTABLE triggered here
+ foreach my $p ($pms->{msg}->find_parts(qr/^(application|text)\b/)) {
my ($ctype, $boundary, $charset, $name) =
Mail::SpamAssassin::Util::parse_content_type($p->get_header('content-type'));
- if (lc $ctype eq 'application/octet-stream') {
- $name ||= '';
- $name = lc $name;
-
- # file extension indicates an executable ...
- return 1 if ($name =~ /\.(?:ade|adp|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|url|vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh)$/);
-
- # base64 attached executable ...
- my $cte = lc $p->get_header('content-transfer-encoding') || '';
- return 1 if ($cte =~ /base64/ && $p->raw()->[0] =~ /^TV[opqr].A..[AB].[AQgw][A-H].A/);
+ $name = lc $name || '';
+
+ my $cte = lc $p->get_header('content-transfer-encoding') || '';
+ $ctype = lc $ctype;
+
+ if ($name && $name =~ /\.(?:ade|adp|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|url|vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh)$/)
+ {
+ # file extension indicates an executable
+ $pms->{antivirus_microsoft_exe} = 1;
}
- elsif ($ctype =~ /^text\b/i) {
- # uuencoded executable ...
- foreach (@{$p->raw()}) {
- return 1 if (/^M35[GHIJK].`..`..*````/);
+ elsif ($cte =~ /base64/ &&
+ $p->raw()->[0] =~ /^TV[opqr].A..[AB].[AQgw][A-H].A/)
+ {
+ # base64-encoded executable
+ $pms->{antivirus_microsoft_exe} = 1;
+ }
+ elsif ($ctype =~ /^text\b/) {
+ # uuencoded executable
+ for (@{$p->raw()}) {
+ if (/^M35[GHIJK].`..`..*````/) {
+ # uuencoded executable
+ $pms->{antivirus_microsoft_exe} = 1;
+ }
+ }
+ }
+
+ # MIME_SUSPECT_NAME triggered here
+ if ($name && $ctype ne "application/octet-stream") {
+ $name =~ s/.*\.//;
+ $ctype =~ s@/(x-|vnd\.)@/@;
+
+ if (
+ # text
+ (($name =~ /^(?:txt|[px]?html?|xml)$/) &&
+ ($ctype !~ m@^(?:text/(?:plain|[px]?html?|english|sgml|xml|enriched|richtext)|message/external-body)@)) ||
+
+ # image
+ (($name =~ /^(?:jpe?g|tiff?|gif|png)$/) &&
+ ($ctype !~ m@^(?:image/|application/mac-binhex)@)) ||
+
+ # vcard
+ (($name eq "vcf") && $ctype ne "text/vcard") ||
+
+ # application
+ (($name =~ /^(?:bat|com|exe|pif|scr|swf|vbs)$/) &&
+ ($ctype !~ m@^application/@)) ||
+
+ # msword
+ (($name eq "doc") && ($ctype !~ m@^application/.*word$@)) ||
+
+ # powerpoint
+ (($name eq "ppt") &&
+ ($ctype !~ m@^application/.*(?:powerpoint|ppt)$@)) ||
+
+ # excel
+ (($name eq "xls") && ($ctype !~ m@^application/.*excel$@))
+ )
+ {
+ $pms->{antivirus_suspect_name} = 1;
}
}
}
- return 0;
}
1;
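Review bot: The loop in `_check_attachments` only visits parts matched by `find_parts(qr/^(application|text)\b/)`, so the MIME_SUSPECT_NAME test moved in here never sees image/*, audio/* or other part types, and its `bat|com|exe|pif|scr|swf|vbs` branch can now fire only on text/* parts. The code removed from EvalTests.pm appears to have run under a `find_parts(qr/./)` walk (that loop is visible in the second EvalTests hunk, though the enclosing function starts outside the diff), so this looks like a loss of detection coverage rather than an intended narrowing. Iterating with `foreach my $p ($pms->{msg}->find_parts(qr/./)) {` and guarding only the MICROSOFT_EXECUTABLE checks with `$ctype =~ /^(?:application|text)\b/` would keep both rules at their previous scope. Separately, `$name = lc $name || '';` parses as `lc($name) || ''` and will warn under `use warnings` when no name parameter is present (the old `$name ||= ''` suggests it can be undefined); `$name = lc($name || '');` avoids that, and the `$cte` line has the same shape. The extension and base64 tests also lost their `application/octet-stream` guard, which widens MICROSOFT_EXECUTABLE; if that is intended, a comment saying so above the `if` would help.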
Modified: spamassassin/trunk/rules/20_body_tests.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/20_body_tests.cf?view=diff&r1=159868&r2=159869
==============================================================================
--- spamassassin/trunk/rules/20_body_tests.cf (original)
+++ spamassassin/trunk/rules/20_body_tests.cf Sat Apr 2 19:19:29 2005
@@ -89,12 +89,6 @@
rawbody MIME_QP_LONG_LINE eval:check_for_mime('mime_qp_long_line')
describe MIME_QP_LONG_LINE Quoted-printable line longer than 76 chars
-# actually indicates viruses, typically; just used here to clean corpora.
-rawbody MIME_SUSPECT_NAME eval:check_for_mime('mime_suspect_name')
-describe MIME_SUSPECT_NAME MIME filename does not match content
-# todo: better tflags category for these tests
-tflags MIME_SUSPECT_NAME userconf
-
# note: __HIGHBITS is used by HTML_CHARSET_FARAWAY
rawbody __MIME_CHARSET_FARAWAY eval:check_for_mime('mime_faraway_charset')
body __HIGHBITS /(?:[\x80-\xff].?){4,}/
Copied: spamassassin/trunk/rules/25_antivirus.cf (from r159867, spamassassin/trunk/rules/25_msexec.cf)
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/25_antivirus.cf?view=diff&rev=159869&p1=spamassassin/trunk/rules/25_msexec.cf&r1=159867&p2=spamassassin/trunk/rules/25_antivirus.cf&r2=159869
==============================================================================
--- spamassassin/trunk/rules/25_msexec.cf (original)
+++ spamassassin/trunk/rules/25_antivirus.cf Sat Apr 2 19:19:29 2005
@@ -1,4 +1,4 @@
-# SpamAssassin - MSExec rules
+# SpamAssassin - anti-virus rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
@@ -22,12 +22,14 @@
#
###########################################################################
-# Requires the Mail::SpamAssassin::Plugin::MSExec plugin be loaded.
+# Requires the Mail::SpamAssassin::Plugin::AntiVirus plugin be loaded.
-ifplugin Mail::SpamAssassin::Plugin::MSExec
+ifplugin Mail::SpamAssassin::Plugin::AntiVirus
-body MICROSOFT_EXECUTABLE eval:check_microsoft_executable()
-describe MICROSOFT_EXECUTABLE Message includes Microsoft executable program
-score MICROSOFT_EXECUTABLE 0.100
+body MICROSOFT_EXECUTABLE eval:check_microsoft_executable()
+describe MICROSOFT_EXECUTABLE Message includes Microsoft executable program
-endif # Mail::SpamAssassin::Plugin::MSExec
+body MIME_SUSPECT_NAME eval:check_suspect_name()
+describe MIME_SUSPECT_NAME MIME filename does not match content
+
+endif # Mail::SpamAssassin::Plugin::AntiVirus
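Review bot: MIME_SUSPECT_NAME is re-declared here as a `body` rule (it was `rawbody` in 20_body_tests.cf) and without the `tflags MIME_SUSPECT_NAME userconf` line it carried there, and the commit log mentions neither change. If dropping the flag is deliberate, a short comment would record that; otherwise add `tflags MIME_SUSPECT_NAME userconf` inside the `ifplugin` block. The old explanatory comment was dropped as well, so a line such as `# filename extension disagrees with the declared MIME type; typically indicates a virus` above the rule would keep that context for rule maintainers.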
Modified: spamassassin/trunk/rules/50_scores.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/50_scores.cf?view=diff&r1=159868&r2=159869
==============================================================================
--- spamassassin/trunk/rules/50_scores.cf (original)
+++ spamassassin/trunk/rules/50_scores.cf Sat Apr 2 19:19:29 2005
@@ -573,9 +573,6 @@
score HTML_CHARSET_FARAWAY 0.500
score MIME_CHARSET_FARAWAY 2.450
-# highly generic tests for viruses that are scored just high enough to run
-score MIME_SUSPECT_NAME 0.100
-
# accessdb lookups
score ACCESSDB 0
@@ -682,6 +679,12 @@
score UNWANTED_LANGUAGE_BODY 2.800
score BODY_8BITS 1.500
endif # Mail::SpamAssassin::Plugin::TextCat
+
+# AntiVirus
+ifplugin Mail::SpamAssassin::Plugin::AntiVirus
+score MICROSOFT_EXECUTABLE 0.100
+score MIME_SUSPECT_NAME 0.100
+endif # Mail::SpamAssassin::Plugin::AntiVirus
# MAPS
# MAPS is a commercial service. If you pay for these, assign a score
Modified: spamassassin/trunk/rules/init.pre
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/init.pre?view=diff&r1=159868&r2=159869
==============================================================================
--- spamassassin/trunk/rules/init.pre (original)
+++ spamassassin/trunk/rules/init.pre Sat Apr 2 19:19:29 2005
@@ -55,10 +55,10 @@
#
#loadplugin Mail::SpamAssassin::Plugin::DomainKeys
-# MSExec - do simple checks to see if the message includes a Microsoft
-# executable file
+# AntiVirus - some simple anti-virus checks, this is not a replacement
+# for an anti-virus filter like Clam AntiVirus
#
-#loadplugin Mail::SpamAssassin::Plugin::MSExec
+#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
# AWL - do auto-whitelist checks
#
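Review bot: The `#loadplugin Mail::SpamAssassin::Plugin::AntiVirus` line stays commented out, so MIME_SUSPECT_NAME no longer runs on a default install as far as this diff shows. Until this commit it was an unconditional rule in 20_body_tests.cf. If the opt-in is intended, the comment block should say so, for example `# note: MIME_SUSPECT_NAME and MICROSOFT_EXECUTABLE only run when this plugin is loaded`. Otherwise the line should be shipped enabled so existing deployments keep the check after upgrading.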