Posted to users@spamassassin.apache.org by Michael Monnerie <mi...@it-management.at> on 2006/06/17 18:05:43 UTC
full rule required, or is there something better?
Hello list, today I had a forged ebay e-mail containing an attachment
with a trojan. I would like to filter for the attachment name, is that
possible without a "full" rule?
full ZMIde_EBAYBILL1 /name="Ebay-Rechnung.pdf.zip"/
describe ZMIde_EBAYBILL1 false ebay bill .zip file
score ZMIde_EBAYBILL1 4.9
Regards, zmi
--
// Michael Monnerie, Ing.BSc ----- http://it-management.at
// Tel: 0660/4156531 .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2 9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE
Re: full rule required, or is there something better?
Posted by Michael Monnerie <mi...@it-management.at>.
On Sunday, 18 June 2006 04:31 Theo Van Dinter wrote:
> Sure. Use the MIMEHeader plugin. (you can even check out the other
> attachment name-related rules that exist... ;) )
Thank you, good hint!
> (full rules -- boo!)
Yes I know, I read this, that's why I asked. Now I want to
have the same rule for all people, whether or not they
have the MIMEHeader plugin. There seems to be no
"else" for the "ifplugin" construct, so I made another
"ifplugin !..." - is that correct? I don't get lint errors at least:
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# The attachment name may sit in either MIME header; dots are escaped so
# they match only literal dots rather than any character.
mimeheader __ZMIde_EBAYBILL1 Content-Type =~ /name="Ebay-Rechnung\.pdf\.zip"/
mimeheader __ZMIde_EBAYBILL2 Content-Disposition =~ /name="Ebay-Rechnung\.pdf\.zip"/
meta ZMIde_EBAYBILL1 (__ZMIde_EBAYBILL1 + __ZMIde_EBAYBILL2) >= 1
describe ZMIde_EBAYBILL1 false ebay bill .zip file
score ZMIde_EBAYBILL1 4.9
endif
# "ifplugin" takes no "!" (a negated name is silently never loaded, so the
# block is always skipped without a lint error); the negated test is the
# generic "if" with the plugin() condition.
if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
full ZMIde_EBAYBILL1 /name="Ebay-Rechnung\.pdf\.zip"/
describe ZMIde_EBAYBILL1 false ebay bill .zip file
score ZMIde_EBAYBILL1 4.9
endif
Regards, zmi
--
// Michael Monnerie, Ing.BSc ----- http://it-management.at
// Tel: 0660/4156531 .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2 9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE
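To illustrate why the thread prefers a per-part header check over a regex across the whole raw message, here is an added Python example (not from the thread or from SpamAssassin): it builds two constructed sample messages carrying the same attachment name, once as a plain name= parameter and once RFC 2231-encoded in a folded Content-Disposition header, and compares the "full"-style raw regex with a check that parses the MIME structure and reads each part's decoded filename via the standard email module. The message contents, addresses and the escaped regex are all assumptions made for the example.

```python
import email
import re

def build_sample(part_headers):
    """Construct a two-part MIME message (sample data, not from the thread);
    part_headers are the raw header lines of the attachment part."""
    return ("From: billing@example.invalid\nTo: user@example.invalid\n"
            "Subject: Ihre Ebay-Rechnung\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="XX"\n\n--XX\n'
            "Content-Type: text/plain; charset=us-ascii\n\n"
            "Rechnung im Anhang.\n--XX\n" + part_headers +
            "\nContent-Transfer-Encoding: base64\n\nUEsDBAoAAAAAAA==\n--XX--\n"
            ).encode("ascii")

# Plain name= parameter on Content-Type, as in the mail that started the thread.
PLAIN = build_sample('Content-Type: application/zip; name="Ebay-Rechnung.pdf.zip"')
# Same attachment, but the name travels RFC 2231-encoded in a folded
# Content-Disposition header, so no literal  name="..."  appears in the mail.
ENCODED = build_sample("Content-Type: application/zip\n"
                       "Content-Disposition: attachment;\n"
                       " filename*=utf-8''Ebay-Rechnung.pdf.zip")

# The thread's "full" rule, with the dots escaped so they only match dots.
FULL_RULE = re.compile(rb'name="Ebay-Rechnung\.pdf\.zip"')

def full_rule_hits(raw):
    """Body-rule approach: one regex over the raw message bytes."""
    return FULL_RULE.search(raw) is not None

def attachment_names(raw):
    """Walk the MIME tree and return each part's decoded filename, taken from
    Content-Disposition filename= or, failing that, Content-Type name=.
    get_filename() also decodes RFC 2231 parameters."""
    msg = email.message_from_bytes(raw)
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]

def mime_rule_hits(raw, wanted="Ebay-Rechnung.pdf.zip"):
    """Per-part header check: does any part carry the suspicious name?"""
    return any(n.lower() == wanted.lower() for n in attachment_names(raw))

if __name__ == "__main__":
    for label, raw in (("plain", PLAIN), ("rfc2231", ENCODED)):
        print(label, "full:", full_rule_hits(raw), "mime:", mime_rule_hits(raw))
```

The second message shows the gap: the raw regex never sees the name, while the structured check still reports it.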
Re: full rule required, or is there something better?
Posted by Theo Van Dinter <fe...@apache.org>.
On Sat, Jun 17, 2006 at 06:05:43PM +0200, Michael Monnerie wrote:
> Hello list, today I had a forged ebay e-mail containing an attachment
> with a trojan. I would like to filter for the attachment name, is that
> possible without a "full" rule?
Sure. Use the MIMEHeader plugin. (you can even check out the other
attachment name-related rules that exist... ;) )
(full rules -- boo!)
--
Randomly Generated Tagline:
"There is hopeful symbolism in the fact that flags do not wave in a
vacuum." - Arthur C. Clarke
Re: full rule required, or is there something better?
Posted by "John D. Hardin" <jh...@impsec.org>.
On Sat, 17 Jun 2006, Michael Monnerie wrote:
> On Saturday, 17 June 2006 18:55 John D. Hardin wrote:
> > <plug>
> > http://www.impsec.org/email-tools/procmail-security.html
> > </plug>
>
> OK, sorry, my fault. I didn't say "I wanna do it in SA". If
> there's some attachment with a certain name, it should get points
> in SA.
Well, it's reasonable to assume that. However, SA is not a security
tool, and trying to force it to be one is probably a bad idea.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Insofar as the police deter by their presence, they are very, very
good. Criminals take great pains not to commit a crime in front of
them. -- Jeffrey Snyder
-----------------------------------------------------------------------
Tomorrow: SWMBO's Birthday
Re: full rule required, or is there something better?
Posted by Michael Monnerie <mi...@it-management.at>.
On Saturday, 17 June 2006 18:55 John D. Hardin wrote:
> <plug>
> http://www.impsec.org/email-tools/procmail-security.html
> </plug>
OK, sorry, my fault. I didn't say "I wanna do it in SA". If there's some
attachment with a certain name, it should get points in SA.
Regards, zmi
--
// Michael Monnerie, Ing.BSc ----- http://it-management.at
// Tel: 0660/4156531 .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2 9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE
Re: full rule required, or is there something better?
Posted by "John D. Hardin" <jh...@impsec.org>.
On Sat, 17 Jun 2006, Michael Monnerie wrote:
> Hello list, today I had a forged ebay e-mail containing an attachment
> with a trojan. I would like to filter for the attachment name, is that
> possible without a "full" rule?
>
> full ZMIde_EBAYBILL1 /name="Ebay-Rechnung.pdf.zip"/
> describe ZMIde_EBAYBILL1 false ebay bill .zip file
> score ZMIde_EBAYBILL1 4.9
<plug>
http://www.impsec.org/email-tools/procmail-security.html
</plug>
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
What nuts do with guns is terrible, certainly. But what evil or crazy
people do with *anything* is not a valid argument for banning that item.
-- John C. Randolph <jc...@idiom.com>
-----------------------------------------------------------------------
Tomorrow: SWMBO's Birthday