Posted to users@spamassassin.apache.org by Dave Koontz <dk...@mbc.edu> on 2008/02/23 15:52:07 UTC

Please help with rule

I am still getting some Storm Worm messages that are not being caught, 
even with Sane Security / ClamAV.  I thought I'd write a rule to score 
any URL that has a dot exe, scr or pif extension.  However, my rule is 
not working.  Can someone help advise what is wrong?  I want it to 
pick up any http or https with those extensions.

body     Dangerous_URL        /http{1,200}\.(?:exe|scr|pif)/i
describe Dangerous_URL        Dangerous URL
score    Dangerous_URL        7.5

Thanks in advance!



RE: Please help with rule

Posted by Dave Koontz <dk...@mbc.edu>.
Thanks all for the info, the uri check is much better.  

Joseph you were absolutely correct about it catching too wide.  I modified
it to pattern check the end only and it now works a treat!

uri      DANGEROUS_URL        /\.(exe|scr|pif|cmd|bat|vbs|wsh)$/i
describe DANGEROUS_URL        URL contains executable content
score    DANGEROUS_URL        7.5
 


Re: Please help with rule

Posted by Joseph Brennan <br...@columbia.edu>.

--On Saturday, February 23, 2008 23:08 -0500 Dave Koontz <dk...@mbc.edu> 
wrote:

> I am still getting some Storm Worm messages that are not being caught,
> even with Sane Security / ClamAV.  I thought I'd write a rule to score
> any URL that has a dot exe, scr or pif extension.  However, my rule is
> not working.  Can someone help advise what is wrong?  I want it to pickup
> any http or https with those extensions.
>
>
> body     Dangerous_URL        /http{1,200}\.(?:exe|scr|pif)/i


  uri      Dangerous_URL        /http.{1,200}\.(?:exe|scr|pif)/i

I think 'body' excludes html code.  You could use 'rawbody' but normally
one uses 'uri' to get links.

More importantly you need the dot before the {1,200} -- your original
matches 1 to 200 'p' characters.  Loren Wilton suggested leaving out
the 'http.{1,200}'.

Note, this would match things like www.scratchy.tld unless you narrow
it further.  Mimedefang is very good at matching bad file extensions,
if you feel like adding that to your system.


Joseph Brennan
Columbia University Information Technology
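An added Python harness (not from the thread, SpamAssassin or any poster) that runs the three rule bodies in this thread -- Dave's original, Joseph's corrected form and the anchored form Dave finally used -- against a handful of constructed URIs, and shows why a 'uri' rule sees a link that a 'body' rule does not. The URIs and the HTML snippet are constructed; Python's re module agrees with Perl for these patterns, with re.IGNORECASE standing in for the /i flag.

```python
import re

# Constructed sample URIs (not from the thread), as a 'uri' rule would see them
# after SpamAssassin extracts the links from a message.
SAMPLE_URIS = [
    "http://example.invalid/update/patch.exe",   # should be caught
    "https://example.invalid/card.scr",          # should be caught
    "http://www.scratchy.tld/",                  # Joseph's false-positive case: ".scr" inside a hostname
    "http://example.invalid/readme.txt",         # harmless
    "http://example.invalid/download.exe?id=1",  # extension followed by a query string
]

RULES = {
    # Dave's original: {1,200} binds only to the final 'p', so this needs "http" plus up to
    # 199 more 'p' characters immediately followed by ".exe", ".scr" or ".pif".
    "original": r"http{1,200}\.(?:exe|scr|pif)",
    # Joseph's fix: a '.' before the quantifier, so any 1-200 characters may follow "http".
    "joseph": r"http.{1,200}\.(?:exe|scr|pif)",
    # Loren's suggestion as Dave finally used it: the extension alone, anchored at the end.
    "anchored": r"\.(exe|scr|pif|cmd|bat|vbs|wsh)$",
}

def matches(rule_name, uri):
    """True if the named rule fires on this URI (re.IGNORECASE stands in for the /i flag)."""
    return re.search(RULES[rule_name], uri, re.IGNORECASE) is not None

def hits(rule_name):
    """The sample URIs the named rule fires on, in list order."""
    return [u for u in SAMPLE_URIS if matches(rule_name, u)]

# Constructed HTML body: the link target appears only in the href attribute, which is why
# Joseph says a 'body' rule (rendered text, tags stripped) will not see it but 'uri' will.
SAMPLE_HTML = '<p>Your card is ready: <a href="http://example.invalid/card.scr">click here</a></p>'

def rendered_body_text(html):
    """Rough stand-in for what a 'body' rule sees: the HTML with tags removed."""
    return re.sub(r"<[^>]+>", "", html)

def extract_uris(html):
    """Rough stand-in for what a 'uri' rule sees: the link targets."""
    return re.findall(r'href="([^"]+)"', html)

def body_rule_fires(rule_name, html):
    """Does the rule fire when applied to the rendered body text instead of the extracted URIs?"""
    return re.search(RULES[rule_name], rendered_body_text(html), re.IGNORECASE) is not None

if __name__ == "__main__":
    for name in RULES:
        print(f"{name:9s} -> {hits(name)}")
```

Note the last sample URI: the anchored form no longer fires on www.scratchy.tld, but it also does not see an executable extension that is followed by a query string, which is the trade-off between Joseph's and Loren's versions.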


RE: Please help with rule

Posted by Michael Hutchinson <mh...@manux.co.nz>.
> -----Original Message-----
> From: Dave Koontz [mailto:dkoontz@mbc.edu]
> Sent: Sunday, 24 February 2008 5:09 p.m.
> To: users@spamassassin.apache.org
> Subject: Please help with rule
> 
> I am still getting some Storm Worm messages that are not being caught,
> even with Sane Security / ClamAV.  I thought I'd write a rule to score
> any URL that has a dot exe, scr or pif extension.  However, my rule is
> not working.  Can someone help advise what is wrong?  I want it to
> pickup any http or https with those extensions.
> 
> 
> body     Dangerous_URL        /http{1,200}\.(?:exe|scr|pif)/i
> describe Dangerous_URL        Dangerous URL
> score    Dangerous_URL        7.5
> 
> Thanks in advance!

I don't know if it's standard practice on the list, but I do my
attachment filtering with Simscan, not Spamassassin, using
"/var/qmail/control/simcontrol", where the config reads:

postmaster@ourdomain.nz:clam=yes,spam=no
postmaster@ourtrusteddomain.nz:clam=yes,spam=no
:clam=yes,spam=yes,spam_hits=20,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif

The first two lines mean that for the two domains listed, there will be
no spam checking (Spamassassin), and there will be antivirus scanning
(clamav).

The last line is the global configuration, so for every other site
antivirus checking and Spamassassin checking are switched on, plus we
block the listed attachments outright.

Sorry if you don't run Simscan, just thought I'd post my $0.2

Cheers,
Michael Hutchinson



Re: Please help with rule

Posted by Loren Wilton <lw...@earthlink.net>.
Untested, but try

uri EXECUTABLE_WEBSITE    /\.(?:exe|scr|pif)$/i

        Loren

----- Original Message ----- 
From: "Dave Koontz" <dk...@mbc.edu>
To: <us...@spamassassin.apache.org>
Sent: Saturday, February 23, 2008 6:52 AM
Subject: Please help with rule


> I am still getting some Storm Worm messages that are not being caught, 
> even with Sane Security / ClamAV.  I thought I'd write a rule to score 
> any URL that has a dot exe, scr or pif extension.  However, my rule is 
> not working.  Can someone help advise what is wrong?  I want it to 
> pickup any http or https with those extensions. 
> 
> body     Dangerous_URL        /http{1,200}\.(?:exe|scr|pif)/i
> describe Dangerous_URL        Dangerous URL
> score    Dangerous_URL        7.5
> 
> Thanks in advance!
>

Re: Please help with rule

Posted by Benny Pedersen <me...@junc.org>.
On Sat, February 23, 2008 15:52, Dave Koontz wrote:
> I am still getting some Storm Worm messages that are not being caught,
> even with Sane Security / ClamAV.  I thought I'd write a rule to score
> any URL that has a dot exe, scr or pif extension.  However, my rule is
> not working.  Can someone help advise what is wrong?  I want it to
> pickup any http or https with those extensions.
>
> body     Dangerous_URL        /http{1,200}\.(?:exe|scr|pif)/i
> describe Dangerous_URL        Dangerous URL
> score    Dangerous_URL        7.5

Have you tested whether the antivirus plugin caught it?

Below is what I have in postfix mime_header_checks:

/filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/ REJECT For security reasons we reject attachments of this type

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(cpl|lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/ REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"

take care of line wraps
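To show what Benny's two rules do once the wrapped lines are put back together, here is an added Python harness (not from the thread or from Postfix) that joins Postfix continuation lines, compiles each pattern and expands $2/$3 in the REJECT text for a few constructed MIME headers. It assumes Postfix's defaults for regexp tables: case-insensitive matching, and a line beginning with whitespace continuing the previous logical line.

```python
import re

# Benny's two mime_header_checks rules, laid out the way Postfix reads them: a line that
# begins with whitespace continues the previous logical line (the "line wraps" he mentions).
CONSTRUCTED_TABLE = r'''
/filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/
 REJECT For security reasons we reject attachments of this type
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(cpl|lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/
 REJECT Attachment type not allowed. File "$2" has the unacceptable extension
 "$3"
'''

def logical_lines(text):
    """Join Postfix continuation lines (leading whitespace) onto the preceding logical line."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out

def parse_rules(text):
    """Split each logical line into (compiled pattern, action); Postfix regexp tables are case-insensitive by default."""
    rules = []
    for line in logical_lines(text):
        m = re.match(r"^/(.*)/\s+(\S.*)$", line)
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

POSTFIX_RULES = parse_rules(CONSTRUCTED_TABLE)

def check_header(header, rules=POSTFIX_RULES):
    """Return the expanded action for the first rule matching this header line, or None."""
    for pattern, action in rules:
        m = pattern.search(header)
        if m:
            # $N in the action text is replaced by capture group N, as Postfix does
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", action)
    return None

if __name__ == "__main__":
    for h in ('Content-Disposition: attachment; filename="invoice.exe"',  # constructed headers
              'Content-Type: application/octet-stream; name="setup.scr"',
              'Content-Disposition: attachment; filename="report.pdf"'):
        print(h, "->", check_header(h))
```

Because the first rule already rejects any header carrying filename=, only a Content-Type name= header reaches the second rule's $2/$3 message.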