Posted to users@spamassassin.apache.org by Robert Nicholson <ro...@elastica.com> on 2006/08/13 21:53:41 UTC

Fwd: Report

Why isn't

score MICROSOFT_EXECUTABLE 20

bumping the score up on these mails that have .exe attachments?


Begin forwarded message:

> From: "Microsoft Internet Message Delivery System" <po...@yahoo.net>
> Date: August 13, 2006 2:41:15 PM CDT
> To: "Network Client" <re...@mxserver.com>
> Subject: Report
> X-Spam-Dcc: : grub.camros.com 1113; Body=1 Fuz1=1
> X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on  
> grub.camros.com
> X-Spam-Status: No, score=0.0 required=0.6  
> tests=BAYES_50,HTML_MESSAGE, MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI  
> autolearn=ham version=3.1.1
> Received: (qmail 386 invoked from network); 13 Aug 2006 19:41:10 -0000
> Received: from smtp-2.orange.nl (193.252.22.242) by 64.34.193.12  
> with SMTP; 13 Aug 2006 19:41:10 -0000
> Received: from jbqw (p0615.nas3-asd6.dial.wanadoo.nl  
> [62.234.218.107]) by mwinf6104.orange.nl (SMTP Server) with SMTP id  
> 11FDB1C00088; Sun, 13 Aug 2006 21:41:15 +0200 (CEST)
> X-Me-Uuid: 20060813194117737.11FDB1C00088@mwinf6104.orange.nl
> Mime-Version: 1.0
> Content-Type: multipart/alternative; boundary="ssyybkmmzsq"
> Message-Id: <20...@mwinf6104.orange.nl>
> X-Accept-Flag: Sender is Unknown
> Lines: 2387
>
>


Re: LOG: Re: Report

Posted by Robert Nicholson <ro...@elastica.com>.
Do I have to specifically enable that plugin? I have that installed.

On Aug 13, 2006, at 3:22 PM, Michele Neylon :: Blacknight.ie wrote:

>
>
>
> From: "Michele Neylon :: Blacknight.ie" <mi...@blacknight.ie>
> Date: August 13, 2006 3:22:04 PM CDT
> To: Robert Nicholson <ro...@elastica.com>,  
> users@spamassassin.apache.org
> Subject: Re: Report
>
>
> Robert Nicholson wrote:
>> Are you saying that 25_antivirus.cf doesn't have  
>> MICROSOFT_EXECUTABLE in
>> 3.11?
>>
>
> That requires an extra plugin from what I can see:
>
> # Requires the Mail::SpamAssassin::Plugin::AntiVirus plugin be loaded.
>
>
>
> -- 
> Mr Michele Neylon
> Blacknight Solutions
> Quality Business Hosting & Colocation
> http://www.blacknight.ie/
> Tel. 1850 927 280
> Intl. +353 (0) 59  9183072
> Direct Dial: +353 (0)59 9183090
> Fax. +353 (0) 59  9164239
>
>


Re: Report

Posted by "Michele Neylon :: Blacknight.ie" <mi...@blacknight.ie>.
Robert Nicholson wrote:
> Are you saying that 25_antivirus.cf doesn't have MICROSOFT_EXECUTABLE in
> 3.11?
> 

That requires an extra plugin from what I can see:

# Requires the Mail::SpamAssassin::Plugin::AntiVirus plugin be loaded.



-- 
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239

Re: Report

Posted by Loren Wilton <lw...@earthlink.net>.
> 2. the check isn't thorough enough because it doesn't consider
> other content-types whereby people hide executable attachments.

Suggestion:  you know the line in the plugin that is only checking the two 
content types.  You know the other content types you want to check.

Change the line in the plugin source, restart SA, and be done with it.


If you want to avoid having to do the same thing in a future release, you 
can also submit a bug report in Bugzilla.

        Loren


Re: Report

Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 14 Aug 2006, Robert Nicholson wrote:

> You are failing to understand my point.
> 
> To me any message that has a .exe attachment is spam.

I understand you completely. You have internalized "bad email ==
spam". There are more nuances than that - bulk unsolicited commercial
solicitations and email worms are different abuses of the email
system, and the approaches to dealing with them properly and reliably
are different enough that it's better to use separate tools to do so.

> That's just how I work because I'm on a Mac therefore I'd like to
> use check_microsoft_executable whose job it is to bump up the
> score if there's an executable attachment. The problem right now
> is that
> 
> 1. this check is handled by the antivirus plugin. it probably
> shouldn't be as bumping the score because there's an attachment has
> nothing to do with anti-virus checking.
> 
> 2. the check isn't thorough enough because it doesn't consider
> other content-types whereby people hide executable attachments.

*that* is the problem. Expecting SA to verify the MIME type of an
attachment that is NOT used for delivering a commercial solicitation
dilutes its focus on effectively filtering commercial solicitations.

It's as wrong as trying to make an email virus filter try to behave as
though unsolicited bulk emails were viruses.

> Therefore, I don't care whether SA is an anti-virus tool or not;
> it's completely irrelevant to me.

That's the view I would expect of an end user, not an administrator.
Granted you've never claimed that you are an administrator.

I hope that I've not offended you, I'm just trying to suggest that
there are better and more appropriate alternatives to achieve what you
seek.

> >> SPAM is not always the same for everybody.
> >
> > Sure it is. Spam (please don't capitalize the entire word - Hormel
> > gets annoyed) is Unsolicited Bulk Email.
> >
> >> In my case anything with .exe is SPAM because nobody will send me  
> >> a .exe
> >
> > Calling a worm "spam" does not make it spam.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.               -- James Madison, 1799
-----------------------------------------------------------------------


Re: Report

Posted by Robert Nicholson <ro...@elastica.com>.
You are failing to understand my point.

To me any message that has a .exe attachment is spam. That's just how
I work because I'm on a Mac therefore I'd like to use
check_microsoft_executable whose job it is to bump up the score if
there's an executable attachment. The problem right now is that

1. this check is handled by the antivirus plugin. it probably
shouldn't be as bumping the score because there's an attachment has
nothing to do with anti-virus checking.

2. the check isn't thorough enough because it doesn't consider
other content-types whereby people hide executable attachments.

...

Therefore, I don't care whether SA is an anti-virus tool or not; it's
completely irrelevant to me.

On Aug 14, 2006, at 4:41 PM, John D. Hardin wrote:

> On Mon, 14 Aug 2006 robert@elastica.com wrote:
>
>> So in summary...
>>
>> SPAM is not always the same for everybody.
>
> Sure it is. Spam (please don't capitalize the entire word - Hormel
> gets annoyed) is Unsolicited Bulk Email.
>
>> In my case anything with .exe is SPAM because nobody will send me  
>> a .exe
>
> Calling a worm "spam" does not make it spam.
>
> If I'm being too much of a pedantic purist, just let me know... :)
>
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>  Windows and its users got mentioned at home today, after my wife the
>  psych major brought up Seligman's theory of "learned helplessness."
> 					-- Dan Birchall in a.s.r
> -----------------------------------------------------------------------
>

Re: Report

Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 14 Aug 2006 robert@elastica.com wrote:

> So in summary...
> 
> SPAM is not always the same for everybody.

Sure it is. Spam (please don't capitalize the entire word - Hormel
gets annoyed) is Unsolicited Bulk Email.
 
> In my case anything with .exe is SPAM because nobody will send me a .exe

Calling a worm "spam" does not make it spam.
 
If I'm being too much of a pedantic purist, just let me know... :)

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Windows and its users got mentioned at home today, after my wife the
 psych major brought up Seligman's theory of "learned helplessness."
					-- Dan Birchall in a.s.r
-----------------------------------------------------------------------


Re: Report

Posted by ro...@elastica.com.
So in summary...

SPAM is not always the same for everybody.

In my case anything with .exe is SPAM because nobody will send me a .exe

So I want the ability to make use of SA's configurability to learn what is SPAM
for me. 

I don't call that a virus checker.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


Re: Report

Posted by ro...@elastica.com.
I really don't understand why you bring this up.

I do not want SA to check the .exe. I just want the rule to fire
so that it goes over my SPAM threshold when an .exe is attached.
Right now the rule does not fire unless the attachment has a correspondingly
correct content-type. In my case it does not because the spammer has disguised
it. I will never run an .exe on my mac so I just want the mail to be treated as
SPAM when it has a .exe attachment not only when it has an .exe attachment with
the correct content type.

Quoting "John D. Hardin" <jh...@impsec.org>:

> On Mon, 14 Aug 2006, Robert Nicholson wrote:
> 
> > Any plans to change this? It's obviously an area where the spammer
> > has found a way to work around the rule.
> 
> SA is not an antivirus tool, and an attached executable is not spam,
> it is a security attack.
> 
> If you're not willing to run a traditional virus scanner, may I
> suggest this as an alternative for attachment policy enforcement:
> 
>   http://www.impsec.org/email-tools/procmail-security.html
> 
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>  Windows and its users got mentioned at home today, after my wife the
>  psych major brought up Seligman's theory of "learned helplessness."
> 					-- Dan Birchall in a.s.r
> -----------------------------------------------------------------------
> 
> 






Re: Report

Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, Aug 14, 2006 at 01:59:59PM -0500, robert@elastica.com wrote:
> therefore I'm loading the antivirus plugin in order to make use of
> check_microsoft_executable rule. However that rule doesn't fire
> if the attacker is disguising the .exe with a nonsensical content type
> primarily because the code currently assumes it wouldn't happen.

Yes, that does get skipped by MICROSOFT_EXECUTABLE, which looks for only
an application or text part as documented in the plugin.  Feel free to
open a bugzilla ticket and include a sample message (attached to the
ticket, not cut/paste), though I'm not sure what our plans are for the
AntiVirus plugin (split off as extra, etc?) so the ticket may or may
not get addressed in the near future.

-- 
Randomly Generated Tagline:
"I don't like rap because I'm stuffy and british."   - James Burke

Re: Report

Posted by Beast <be...@ldap.or.id>.
robert@elastica.com wrote:
> I don't understand your point.
>
> I run a Mac. I don't care for _any_ .exes period.
>   
You could use your MTA to do a light content filtering, so it will 
reject mail with .exe attachment at MTA level.
Try postfix.


--beast



Re: Report

Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 14 Aug 2006 robert@elastica.com wrote:

> I don't understand your point.

Spamassassin is a tool to determine the spamminess of a message, not
to check whether attachments to that message pose security risks.

> I run a Mac. I don't care for _any_ .exes period.

Fine. Your site email policy, then, is "no emails with executable
attachments will be accepted". This is the default policy of the
sanitizer. Take a look at the link.

> therefore I'm loading the antivirus plugin in order to make use of
> check_microsoft_executable rule. However that rule doesn't fire
> if the attacker is disguising the .exe with a nonsensical content type
> primarily because the code currently assumes it wouldn't happen.

That's a very heavyweight solution to "I don't want any .exes at all".

> Q. Why do you keep talking about Spam Assassin not being an anti
> virus tool... I never said it was I'm simply enabling the plugin
> to get the rule to fire.

I follow the UNIX philosophy: write a small tool that does one job and
does it extremely well, and chain it with other similar tools. Adding
antivirus and other security-related processing to SA dilutes its
effectiveness and distracts the developers from making it the best
anti-bulk-unsolicited-email tool around.

I'd rather have SA be the best antispam tool available anywhere than a
swiss army knife that does many things and none of them well.

> Quoting "John D. Hardin" <jh...@impsec.org>:
> 
> > SA is not an antivirus tool, and an attached executable is not spam,
> > it is a security attack.
> > 
> > If you're not willing to run a traditional virus scanner, may I
> > suggest this as an alternative for attachment policy enforcement:
> > 
> >   http://www.impsec.org/email-tools/procmail-security.html

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Windows and its users got mentioned at home today, after my wife the
 psych major brought up Seligman's theory of "learned helplessness."
					-- Dan Birchall in a.s.r
-----------------------------------------------------------------------


Re: Report

Posted by ro...@elastica.com.
I don't understand your point.

I run a Mac. I don't care for _any_ .exes period.

therefore I'm loading the antivirus plugin in order to make use of
check_microsoft_executable rule. However that rule doesn't fire
if the attacker is disguising the .exe with a nonsensical content type
primarily because the code currently assumes it wouldn't happen.

Q. Why do you keep talking about Spam Assassin not being an anti virus
tool... I never said it was I'm simply enabling the plugin to get the rule
to fire.

Quoting "John D. Hardin" <jh...@impsec.org>:

> On Mon, 14 Aug 2006, Robert Nicholson wrote:
> 
> > Any plans to change this? It's obviously an area where the spammer
> > has found a way to work around the rule.
> 
> SA is not an antivirus tool, and an attached executable is not spam,
> it is a security attack.
> 
> If you're not willing to run a traditional virus scanner, may I
> suggest this as an alternative for attachment policy enforcement:
> 
>   http://www.impsec.org/email-tools/procmail-security.html
> 
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>  Windows and its users got mentioned at home today, after my wife the
>  psych major brought up Seligman's theory of "learned helplessness."
> 					-- Dan Birchall in a.s.r
> -----------------------------------------------------------------------
> 
> 






Re: Report

Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 14 Aug 2006, Robert Nicholson wrote:

> Any plans to change this? It's obviously an area where the spammer
> has found a way to work around the rule.

SA is not an antivirus tool, and an attached executable is not spam,
it is a security attack.

If you're not willing to run a traditional virus scanner, may I
suggest this as an alternative for attachment policy enforcement:

  http://www.impsec.org/email-tools/procmail-security.html

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Windows and its users got mentioned at home today, after my wife the
 psych major brought up Seligman's theory of "learned helplessness."
					-- Dan Birchall in a.s.r
-----------------------------------------------------------------------


Re: Report

Posted by Robert Nicholson <ro...@elastica.com>.
This is why the rule doesn't trigger

I see ... so the reason this gets thru is the following.

foreach my $p ($pms->{msg}->find_parts(qr/^(application|text)\b/)) {

... just looking for application|text is being too kind

that needs to be more broad in this case.

I'd be for checking any attachment kind when looking for anything  
"executable"

....

Any plans to change this? It's obviously an area where the spammer  
has found a way to work around the rule.

On Aug 13, 2006, at 9:52 PM, Robert Nicholson wrote:

> Could it be because they use the following Content Type?
>
> Content-Type: audio/x-wav; name="hwrs.exe"
>
> disguising a .exe as a wav?
>
> On Aug 13, 2006, at 5:17 PM, jdow wrote:
>
>> SpamAssassin is not an anti-virus tool.
>> {^_^}
>> ----- Original Message ----- From: "Robert Nicholson"  
>> <ro...@elastica.com>
>>
>>> Are you saying that 25_antivirus.cf doesn't have  
>>> MICROSOFT_EXECUTABLE  in 3.11?
>>> On Aug 13, 2006, at 3:10 PM, Loren Wilton wrote:
>>>> Because MICROSOFT_EXECUTABLE didn't hit on that message?
>>>>
>>>> Because MICROSOFT_EXECUTABLE was a 2.x rule that was deleted in  
>>>> 3.0 and you are running 3.1.1?
>>

Re: Report

Posted by Robert Nicholson <ro...@elastica.com>.
Could it be because they use the following Content Type?

Content-Type: audio/x-wav; name="hwrs.exe"

disguising a .exe as a wav?

On Aug 13, 2006, at 5:17 PM, jdow wrote:

> SpamAssassin is not an anti-virus tool.
> {^_^}
> ----- Original Message ----- From: "Robert Nicholson"  
> <ro...@elastica.com>
>
>> Are you saying that 25_antivirus.cf doesn't have  
>> MICROSOFT_EXECUTABLE  in 3.11?
>> On Aug 13, 2006, at 3:10 PM, Loren Wilton wrote:
>>> Because MICROSOFT_EXECUTABLE didn't hit on that message?
>>>
>>> Because MICROSOFT_EXECUTABLE was a 2.x rule that was deleted in  
>>> 3.0 and you are running 3.1.1?
>
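A stand-alone checker, added here to illustrate the point made in this thread (it is not SpamAssassin's code and not the AntiVirus plugin): it walks every MIME part of a message and flags an attachment by its filename extension or by the MZ signature of its decoded body, so a part declared as audio/x-wav with name="hwrs.exe" is still caught, whereas a visit restricted to application/* and text/* parts, as in the find_parts line quoted above, misses it. The extension list, the sample message and its payload bytes are constructed for the example; the score of 20 echoes the "score MICROSOFT_EXECUTABLE 20" line from the original post.

```python
"""Flag executable attachments regardless of the declared Content-Type.

Added example, not SpamAssassin's own code. all_parts=False reproduces the
narrow behaviour discussed in the thread (only application/* and text/*
parts are examined); the default visits every leaf part.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions treated as executable (an assumption for this example).
EXEC_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs"}
# DOS/PE executables begin with the two-byte "MZ" signature.
MZ_MAGIC = b"MZ"
# Echoes the thread's "score MICROSOFT_EXECUTABLE 20".
EXEC_SCORE = 20.0

_EXT_RE = re.compile(r"\.([A-Za-z0-9]+)$")


def _part_filename(part):
    """Filename from Content-Disposition, else the Content-Type name= parameter."""
    return part.get_filename() or part.get_param("name") or ""


def find_executables(msg, all_parts=True):
    """Return (content_type, filename, reason) for every part that looks executable.

    With all_parts=False only application/* and text/* parts are examined,
    which is why a part declared as audio/x-wav slips through in that mode.
    """
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if not all_parts and not ctype.startswith(("application/", "text/")):
            continue
        fname = _part_filename(part)
        m = _EXT_RE.search(fname)
        if m and m.group(1).lower() in EXEC_EXTENSIONS:
            hits.append((ctype, fname, "executable filename extension"))
            continue
        # Filename looked harmless (or was absent): inspect the decoded bytes.
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(MZ_MAGIC):
            hits.append((ctype, fname, "MZ signature in decoded body"))
    return hits


def score_message(msg, all_parts=True):
    """Score contribution in the spirit of the thread's MICROSOFT_EXECUTABLE rule."""
    return EXEC_SCORE if find_executables(msg, all_parts) else 0.0


def build_sample():
    """Constructed message mimicking the disguised attachment from the thread:
    an audio/x-wav part whose name= parameter is hwrs.exe. The payload is a
    stand-in (MZ signature plus zero padding), not a real executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Report"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(MZ_MAGIC + b"\x00" * 64,
                       maintype="audio", subtype="x-wav",
                       filename="hwrs.exe", params={"name": "hwrs.exe"})
    # Round-trip through the wire format so the checker sees a parsed message.
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    sample = build_sample()
    print("all parts     :", score_message(sample), find_executables(sample))
    print("app/text only :", score_message(sample, all_parts=False))
```

Running it prints a score of 20.0 with the audio/x-wav hit when every part is visited and 0.0 in the application/text-only mode, which is exactly the gap the thread describes. Checking the decoded bytes as well as the filename matters because the same trick works in the other direction: a harmless-looking name on a part whose body is a PE file.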

Re: Report

Posted by jdow <jd...@earthlink.net>.
SpamAssassin is not an anti-virus tool.
{^_^}
----- Original Message ----- 
From: "Robert Nicholson" <ro...@elastica.com>

> Are you saying that 25_antivirus.cf doesn't have MICROSOFT_EXECUTABLE  
> in 3.11?
> 
> On Aug 13, 2006, at 3:10 PM, Loren Wilton wrote:
> 
>> Because MICROSOFT_EXECUTABLE didn't hit on that message?
>>
>> Because MICROSOFT_EXECUTABLE was a 2.x rule that was deleted in 3.0  
>> and you are running 3.1.1?


Re: Report

Posted by Robert Nicholson <ro...@elastica.com>.
Are you saying that 25_antivirus.cf doesn't have MICROSOFT_EXECUTABLE  
in 3.11?

On Aug 13, 2006, at 3:10 PM, Loren Wilton wrote:

> Because MICROSOFT_EXECUTABLE didn't hit on that message?
>
> Because MICROSOFT_EXECUTABLE was a 2.x rule that was deleted in 3.0  
> and you are running 3.1.1?
>
>         Loren
> ----- Original Message -----
> From: Robert Nicholson
> To: users@spamassassin.apache.org
> Sent: Sunday, August 13, 2006 12:53 PM
> Subject: Fwd: Report
>
> Why isn't
>
> score MICROSOFT_EXECUTABLE 20
>
> bumping the score up on these mails that have .exe attachments?
>
>
> Begin forwarded message:
>
>> From: "Microsoft Internet Message Delivery System"  
>> <po...@yahoo.net>
>> Date: August 13, 2006 2:41:15 PM CDT
>> To: "Network Client" <re...@mxserver.com>
>> Subject: Report
>> X-Spam-Dcc: : grub.camros.com 1113; Body=1 Fuz1=1
>> X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on  
>> grub.camros.com
>> X-Spam-Status: No, score=0.0 required=0.6  
>> tests=BAYES_50,HTML_MESSAGE, MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI  
>> autolearn=ham version=3.1.1
>> Received: (qmail 386 invoked from network); 13 Aug 2006 19:41:10  
>> -0000
>> Received: from smtp-2.orange.nl (193.252.22.242) by 64.34.193.12  
>> with SMTP; 13 Aug 2006 19:41:10 -0000
>> Received: from jbqw (p0615.nas3-asd6.dial.wanadoo.nl  
>> [62.234.218.107]) by mwinf6104.orange.nl (SMTP Server) with SMTP  
>> id 11FDB1C00088; Sun, 13 Aug 2006 21:41:15 +0200 (CEST)
>> X-Me-Uuid: 20060813194117737.11FDB1C00088@mwinf6104.orange.nl
>> Mime-Version: 1.0
>> Content-Type: multipart/alternative; boundary="ssyybkmmzsq"
>> Message-Id: <20...@mwinf6104.orange.nl>
>> X-Accept-Flag: Sender is Unknown
>> Lines: 2387
>>
>>
>
>


Re: Report

Posted by Loren Wilton <lw...@earthlink.net>.
Because MICROSOFT_EXECUTABLE didn't hit on that message?

Because MICROSOFT_EXECUTABLE was a 2.x rule that was deleted in 3.0 and you are running 3.1.1?

        Loren
  ----- Original Message ----- 
  From: Robert Nicholson 
  To: users@spamassassin.apache.org 
  Sent: Sunday, August 13, 2006 12:53 PM
  Subject: Fwd: Report


  Why isn't


  score MICROSOFT_EXECUTABLE 20


  bumping the score up on these mails that have .exe attachments?




  Begin forwarded message:


    From: "Microsoft Internet Message Delivery System" <po...@yahoo.net>
    Date: August 13, 2006 2:41:15 PM CDT
    To: "Network Client" <re...@mxserver.com>
    Subject: Report
    X-Spam-Dcc: : grub.camros.com 1113; Body=1 Fuz1=1
    X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on grub.camros.com
    X-Spam-Status: No, score=0.0 required=0.6 tests=BAYES_50,HTML_MESSAGE, MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI autolearn=ham version=3.1.1
    Received: (qmail 386 invoked from network); 13 Aug 2006 19:41:10 -0000
    Received: from smtp-2.orange.nl (193.252.22.242) by 64.34.193.12 with SMTP; 13 Aug 2006 19:41:10 -0000
    Received: from jbqw (p0615.nas3-asd6.dial.wanadoo.nl [62.234.218.107]) by mwinf6104.orange.nl (SMTP Server) with SMTP id 11FDB1C00088; Sun, 13 Aug 2006 21:41:15 +0200 (CEST)
    X-Me-Uuid: 20060813194117737.11FDB1C00088@mwinf6104.orange.nl
    Mime-Version: 1.0
    Content-Type: multipart/alternative; boundary="ssyybkmmzsq"
    Message-Id: <20...@mwinf6104.orange.nl>
    X-Accept-Flag: Sender is Unknown
    Lines: 2387