Posted to users@spamassassin.apache.org by Dr Robert Young <rc...@aliconsultants.com> on 2005/07/28 22:09:48 UTC
Trying to id spam
We had a very short spam come in (actually it had a virus attachment
named "updated-password.zip"). There is not much to grab onto
Content analysis details: (1.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 NO_REAL_NAME           From: does not include a real name
 0.2 HTML_20_30             BODY: Message is 20% to 30% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.1 PRIORITY_NO_NAME       Message has priority, but no X-Mailer/User-Agent
 0.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
so I wonder if one can use a rule to look for the name of the
attachment in the header/body of the email to ID this (see below).
Any thoughts on how to approach? Using SA 3.0.4 with Razor2 installed.
This is a multi-part message in MIME format.

------=_NextPart_000_0005_67B7CFFA.FC0D3D0A
Content-Type: text/html;
    charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0005_67B7CFFA.FC0D3D0A
Content-Type: application/octet-stream;
    name="updated-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="updated-password.zip"
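As an added example (not code from this thread and not part of SpamAssassin itself), the script below parses a message constructed to mirror the MIME fragment above and shows where the attachment name actually lives. The name appears only in the MIME part headers (Content-Type name= and Content-Disposition filename=), which SpamAssassin's body and rawbody rules never see, because those are matched against the decoded textual parts only; a full rule, which is matched against the pristine message including all MIME data, does see it. The sample message, the rule name LOCAL_ATTACH_UPDATED_PW and its 3.5 score are all assumptions made for the illustration; the stock-rule baseline of 1.5 points and the attachment name are the ones from the post.

```python
import re
from email import message_from_bytes, policy

# Constructed sample message, modelled on the MIME fragment in the original
# post. Sender, subject, boundary string, HTML text and the truncated base64
# payload are made up here; only the attachment name "updated-password.zip"
# and the layout of the MIME part headers come from the post.
SAMPLE_MESSAGE = b"""From: someone@example.invalid
To: user@example.invalid
Subject: updated password
X-Priority: 3
X-MSMail-Priority: Normal
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_CONSTRUCTED"

This is a multi-part message in MIME format.

------=_NextPart_CONSTRUCTED
Content-Type: text/html;
 charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<html><body>Your password has been updated. See the attachment.</body></html>

------=_NextPart_CONSTRUCTED
Content-Type: application/octet-stream;
 name="updated-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="updated-password.zip"

UEsDBBQAAAAIAA==

------=_NextPart_CONSTRUCTED--
"""

# Local rules as (name, score, pattern). Name and score are assumptions for
# this illustration, not rules shipped with SpamAssassin. The pattern is
# written the way a SpamAssassin 'full' rule sees the message: it must allow
# for the Content-Disposition header being folded across two lines.
LOCAL_FULL_RULES = [
    ("LOCAL_ATTACH_UPDATED_PW", 3.5,
     re.compile(rb'^Content-Disposition:\s*attachment;\s*'
                rb'filename="updated-password\.zip"', re.I | re.M)),
]

# The same check in SpamAssassin's own rule syntax (illustration, same assumed
# name and score). A 'full' rule is needed because the filename only appears
# in MIME part headers, which 'body' and 'rawbody' rules are not matched on:
#   full     LOCAL_ATTACH_UPDATED_PW  /^Content-Disposition:\s*attachment;\s*filename="updated-password\.zip"/mi
#   score    LOCAL_ATTACH_UPDATED_PW  3.5
#   describe LOCAL_ATTACH_UPDATED_PW  Attachment named updated-password.zip


def attachment_filenames(raw):
    """Filenames of the non-multipart parts that carry one, read from the
    Content-Disposition header (falling back to Content-Type name=)."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def body_rule_view(raw):
    """Roughly what a 'body'/'rawbody' rule is matched against: the decoded
    content of the textual parts only. MIME part headers, and with them the
    attachment filename, are not part of this text."""
    msg = message_from_bytes(raw, policy=policy.default)
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")


def full_rule_hits(raw, rules=LOCAL_FULL_RULES):
    """(name, score) of each local 'full' rule whose pattern matches the
    pristine message bytes: headers, MIME part headers and body alike."""
    return [(name, score) for name, score, pat in rules if pat.search(raw)]


def total_score(raw, baseline=1.5, rules=LOCAL_FULL_RULES):
    """Baseline is the 1.5 points the stock rules gave the message in the
    thread; the local rule hits are added on top of it."""
    hits = full_rule_hits(raw, rules)
    return round(baseline + sum(score for _, score in hits), 1)


if __name__ == "__main__":
    print("attachments:", attachment_filenames(SAMPLE_MESSAGE))
    print("filename visible to a body rule:",
          "updated-password.zip" in body_rule_view(SAMPLE_MESSAGE))
    print("full-rule hits:", full_rule_hits(SAMPLE_MESSAGE))
    print("score:", total_score(SAMPLE_MESSAGE), "(5.0 required)")
```

The rule list is deliberately a table rather than a single hard-coded check, so further full-rule patterns can be added and scored the same way; on the constructed sample the single local rule lifts the message from the 1.5 points reported in the post to the 5.0 threshold.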
Re: Trying to id spam
Posted by Loren Wilton <lw...@earthlink.net>.
> Have a virus scanner that correctly identified the email as having a
> virus attachment, but it still passed along the "cleaned" (ie the
> attachment was removed) email. I was asked if there was a way to
> "trash" the resulting "cleaned" email...
Ah! Different question! Yes, that should be possible, given that you have
the externals set up to trash over a given score. Of course, you could
maybe do this in procmail more efficiently.
I wouldn't try looking for the executable signature. The newer virui are
smart enough to use random names, or at least multiple names. Also, the
virus scanner could have munged it.
I'd write a header rule or maybe body rule to look for whatever string it is
the virus scanner inserts when it "cleans" a virus.
Loren
Re: Trying to id spam
Posted by jdow <jd...@earthlink.net>.
Ah, but milter-spamc is not a part of SpamAssassin, either. There are
dozens of ways to do it. But if you try the wrong one for your
configuration you experience conflict hell, a state with which it
appears you are already intimately experienced in this specific
context. Who WANTS that?
{^_^}
----- Original Message -----
From: "Dr Robert Young" <rc...@aliconsultants.com>
To: <us...@spamassassin.apache.org>
Sent: 2005 July, 29, Friday 04:19
Subject: Re: Trying to id spam
> But you can use milter-spamc to direct all identified "spam" to an
> acct such as spam@trash.com, and then simply 'dump' the acct's email
> periodically. Hence the inquiry ....
>
>
> On Jul 28, 2005, at 8:14 PM, jdow wrote:
>
> > Please check with the ClamAV people. There is absolutely no way to get
> > SpamAssassin to delete emails or even drop them.
> > {^_^}
> > ----- Original Message -----
> > From: "Dr Robert Young" <rc...@aliconsultants.com>
> >
> >
> >
> >> Have a virus scanner that correctly identified the email as having a
> >> virus attachment, but it still passed along the "cleaned" (ie the
> >> attachment was removed) email. I was asked if there was a way to
> >> "trash" the resulting "cleaned" email...
> >>
> >>
> >> On Jul 28, 2005, at 4:13 PM, Rick Macdougall wrote:
> >>
> >>
> >>> Dr Robert Young wrote:
> >>>
> >>>
> >>>
> >>>> We had a very short spam come in (actually it had a virus
> >>>> attachment named "updated-password.zip"). There is not much to
> >>>> grab onto
> >>>>
> >>>> Content analysis details: (1.5 points, 5.0 required)
> >>>>
> >>>>  pts rule name              description
> >>>> ---- ---------------------- --------------------------------------------------
> >>>>  0.0 NO_REAL_NAME           From: does not include a real name
> >>>>  0.2 HTML_20_30             BODY: Message is 20% to 30% HTML
> >>>>  0.0 HTML_MESSAGE           BODY: HTML included in message
> >>>>  0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
> >>>>  1.1 PRIORITY_NO_NAME       Message has priority, but no X-Mailer/User-Agent
> >>>>  0.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
> >>>>
> >>>> so I wonder if one can use a rule to look for the name of the
> >>>> attachment in the header/body of the email to ID this (see
> >>>> below). Any thoughts on how to approach? Using SA 3.0.4 with
> >>>> Razor2 installed.
> >>>>
> >>>>
> >>>
> >>> How about running a virus scanner like clamav ?
> >>>
> >>> Regards,
> >>>
> >>> Rick
> >>>
> >>>
> >>>
> >
> >
Re: Trying to id spam
Posted by JamesDR <ja...@trusswood.net>.
Dr Robert Young wrote:
> But you can use milter-spamc to direct all identified "spam" to an acct
> such as spam@trash.com, and then simply 'dump' the acct's email
> periodically. Hence the inquiry ....
>
>
> On Jul 28, 2005, at 8:14 PM, jdow wrote:
>
>> Please check with the ClamAV people. There is absolutely no way to get
>> SpamAssassin to delete emails or even drop them.
>> {^_^}
>> ----- Original Message -----
>> From: "Dr Robert Young" <rc...@aliconsultants.com>
>>
>>
>>
>>> Have a virus scanner that correctly identified the email as having a
>>> virus attachment, but it still passed along the "cleaned" (ie the
>>> attachment was removed) email. I was asked if there was a way to
>>> "trash" the resulting "cleaned" email...
>>>
>>>
>>> On Jul 28, 2005, at 4:13 PM, Rick Macdougall wrote:
>>>
>>>
>>>> Dr Robert Young wrote:
>>>>
>>>>
>>>>
>>>>> We had a very short spam come in (actually it had a virus
>>>>> attachment named "updated-password.zip"). There is not much to
>>>>> grab onto
>>>>>
>>>>> Content analysis details: (1.5 points, 5.0 required)
>>>>>
>>>>>  pts rule name              description
>>>>> ---- ---------------------- --------------------------------------------------
>>>>>  0.0 NO_REAL_NAME           From: does not include a real name
>>>>>  0.2 HTML_20_30             BODY: Message is 20% to 30% HTML
>>>>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>>>>  0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>>>>>  1.1 PRIORITY_NO_NAME       Message has priority, but no X-Mailer/User-Agent
>>>>>  0.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
>>>>>
>>>>> so I wonder if one can use a rule to look for the name of the
>>>>> attachment in the header/body of the email to ID this (see
>>>>> below). Any thoughts on how to approach? Using SA 3.0.4 with
>>>>> Razor2 installed.
>>>>>
>>>>>
>>>>
>>>> How about running a virus scanner like clamav ?
>>>>
>>>> Regards,
>>>>
>>>> Rick
>>>>
>>>>
>>>>
>>
>>
>
>
>
You'd be much better off with clamav... It uses less resources than
SpamAssassin to detect viruses, and is better at it. Right tool, right job.
--
Thanks,
James
Re: Trying to id spam
Posted by Dr Robert Young <rc...@aliconsultants.com>.
But you can use milter-spamc to direct all identified "spam" to an
acct such as spam@trash.com, and then simply 'dump' the acct's email
periodically. Hence the inquiry ....
On Jul 28, 2005, at 8:14 PM, jdow wrote:
> Please check with the ClamAV people. There is absolutely no way to get
> SpamAssassin to delete emails or even drop them.
> {^_^}
> ----- Original Message -----
> From: "Dr Robert Young" <rc...@aliconsultants.com>
>
>
>
>> Have a virus scanner that correctly identified the email as having a
>> virus attachment, but it still passed along the "cleaned" (ie the
>> attachment was removed) email. I was asked if there was a way to
>> "trash" the resulting "cleaned" email...
>>
>>
>> On Jul 28, 2005, at 4:13 PM, Rick Macdougall wrote:
>>
>>
>>> Dr Robert Young wrote:
>>>
>>>
>>>
>>>> We had a very short spam come in (actually it had a virus
>>>> attachment named "updated-password.zip"). There is not much to
>>>> grab onto
>>>>
>>>> Content analysis details: (1.5 points, 5.0 required)
>>>>
>>>>  pts rule name              description
>>>> ---- ---------------------- --------------------------------------------------
>>>>  0.0 NO_REAL_NAME           From: does not include a real name
>>>>  0.2 HTML_20_30             BODY: Message is 20% to 30% HTML
>>>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>>>  0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>>>>  1.1 PRIORITY_NO_NAME       Message has priority, but no X-Mailer/User-Agent
>>>>  0.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
>>>>
>>>> so I wonder if one can use a rule to look for the name of the
>>>> attachment in the header/body of the email to ID this (see
>>>> below). Any thoughts on how to approach? Using SA 3.0.4 with
>>>> Razor2 installed.
>>>>
>>>>
>>>
>>> How about running a virus scanner like clamav ?
>>>
>>> Regards,
>>>
>>> Rick
>>>
>>>
>>>
>
>
Re: Trying to id spam
Posted by jdow <jd...@earthlink.net>.
Please check with the ClamAV people. There is absolutely no way to get
SpamAssassin to delete emails or even drop them.
{^_^}
----- Original Message -----
From: "Dr Robert Young" <rc...@aliconsultants.com>
> Have a virus scanner that correctly identified the email as having a
> virus attachment, but it still passed along the "cleaned" (ie the
> attachment was removed) email. I was asked if there was a way to
> "trash" the resulting "cleaned" email...
>
>
> On Jul 28, 2005, at 4:13 PM, Rick Macdougall wrote:
>
> > Dr Robert Young wrote:
> >
> >
> >> We had a very short spam come in (actually it had a virus
> >> attachment named "updated-password.zip"). There is not much to
> >> grab onto
> >>
> >> Content analysis details: (1.5 points, 5.0 required)
> >>
> >>  pts rule name              description
> >> ---- ---------------------- --------------------------------------------------
> >>  0.0 NO_REAL_NAME           From: does not include a real name
> >>  0.2 HTML_20_30             BODY: Message is 20% to 30% HTML
> >>  0.0 HTML_MESSAGE           BODY: HTML included in message
> >>  0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
> >>  1.1 PRIORITY_NO_NAME       Message has priority, but no X-Mailer/User-Agent
> >>  0.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
> >>
> >> so I wonder if one can use a rule to look for the name of the
> >> attachment in the header/body of the email to ID this (see
> >> below). Any thoughts on how to approach? Using SA 3.0.4 with
> >> Razor2 installed.
> >>
> >
> > How about running a virus scanner like clamav ?
> >
> > Regards,
> >
> > Rick
> >
> >
Re: Trying to id spam
Posted by Jim Maul <jm...@elih.org>.
Andy Jezierski wrote:
>
> Dr Robert Young <rc...@aliconsultants.com> wrote on 07/28/2005
> 07:06:35 PM:
>
> > Have a virus scanner that correctly identified the email as having a
> > virus attachment, but it still passed along the "cleaned" (ie the
> > attachment was removed) email. I was asked if there was a way to
> > "trash" the resulting "cleaned" email...
> >
>
> Check your virus scanner docs, it should be able to do it. Just set it
> up to delete the message rather than clean it. My Clamav setup, dumps
> any message that has a virus in it. Never even gets to SA.
>
> Andy
There is little benefit to "cleaning" messages these days anyway.
You're better off just dumping them entirely.
-Jim
Re: Trying to id spam
Posted by Andy Jezierski <aj...@stepan.com>.
Dr Robert Young <rc...@aliconsultants.com> wrote on 07/28/2005 07:06:35
PM:
> Have a virus scanner that correctly identified the email as having a
> virus attachment, but it still passed along the "cleaned" (ie the
> attachment was removed) email. I was asked if there was a way to
> "trash" the resulting "cleaned" email...
>
Check your virus scanner docs, it should be able to do it. Just set it up
to delete the message rather than clean it. My Clamav setup, dumps any
message that has a virus in it. Never even gets to SA.
Andy
Re: Trying to id spam
Posted by Dr Robert Young <rc...@aliconsultants.com>.
Have a virus scanner that correctly identified the email as having a
virus attachment, but it still passed along the "cleaned" (ie the
attachment was removed) email. I was asked if there was a way to
"trash" the resulting "cleaned" email...
On Jul 28, 2005, at 4:13 PM, Rick Macdougall wrote:
> Dr Robert Young wrote:
>
>
>> We had a very short spam come in (actually it had a virus
>> attachment named "updated-password.zip"). There is not much to
>> grab onto
>>
>> Content analysis details: (1.5 points, 5.0 required)
>>
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>>  0.0 NO_REAL_NAME           From: does not include a real name
>>  0.2 HTML_20_30             BODY: Message is 20% to 30% HTML
>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>  0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>>  1.1 PRIORITY_NO_NAME       Message has priority, but no X-Mailer/User-Agent
>>  0.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
>>
>> so I wonder if one can use a rule to look for the name of the
>> attachment in the header/body of the email to ID this (see
>> below). Any thoughts on how to approach? Using SA 3.0.4 with
>> Razor2 installed.
>>
>
> How about running a virus scanner like clamav ?
>
> Regards,
>
> Rick
>
>
RE: Trying to id spam
Posted by Herb Martin <He...@learnquick.com>.
> -----Original Message-----
> From: David B Funk [mailto:dbfunk@engineering.uiowa.edu]
> Sent: Thursday, July 28, 2005 6:15 PM
> To: users@spamassassin.apache.org
> Subject: Re: Trying to id spam
>
> On Thu, 28 Jul 2005, Rick Macdougall wrote:
>
> > Dr Robert Young wrote:
> >
> > > We had a very short spam come in (actually it had a virus
> attachment
> > > named "updated-password.zip"). There is not much to grab onto
> [snip..]
> > > attachment in the header/body of the email to ID this (see below).
> > > Any thoughts on how to approach? Using SA 3.0.4 with
> Razor2 installed.
> >
> > How about running a virus scanner like clamav ?
>
> ClamAV (and other virus scanners) work great for fully formed
> viri but fail totally in the case of still-born (partial) viri.
> It's not unusual to see messages sent by brain-damaged viri
> that are incomplete or totally lacking in payload. ClamAV
> will not block them as they don't fully match any signatures
> but they're still an annoyance to people eventho harmless.
Oddly enough, ClamAV also stops many Phish mails; even though
they are not technically virus this seems a nice addition.
Re: Trying to id spam
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Thu, 28 Jul 2005, Rick Macdougall wrote:
> Dr Robert Young wrote:
>
> > We had a very short spam come in (actually it had a virus attachment
> > named "updated-password.zip"). There is not much to grab onto
[snip..]
> > attachment in the header/body of the email to ID this (see below).
> > Any thoughts on how to approach? Using SA 3.0.4 with Razor2 installed.
>
> How about running a virus scanner like clamav ?
ClamAV (and other virus scanners) work great for fully formed viri
but fail totally in the case of still-born (partial) viri.
It's not unusual to see messages sent by brain-damaged viri that
are incomplete or totally lacking in payload. ClamAV will not block
them as they don't fully match any signatures but they're still an
annoyance to people eventho harmless.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Trying to id spam
Posted by Rick Macdougall <ri...@nougen.com>.
Dr Robert Young wrote:
> We had a very short spam come in (actually it had a virus attachment
> named "updated-password.zip"). There is not much to grab onto
>
> Content analysis details: (1.5 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.0 NO_REAL_NAME           From: does not include a real name
>  0.2 HTML_20_30             BODY: Message is 20% to 30% HTML
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  1.1 PRIORITY_NO_NAME       Message has priority, but no X-Mailer/User-Agent
>  0.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
>
> so I wonder if one can use a rule to look for the name of the
> attachment in the header/body of the email to ID this (see below).
> Any thoughts on how to approach? Using SA 3.0.4 with Razor2 installed.
How about running a virus scanner like clamav ?
Regards,
Rick
RE: Trying to id spam
Posted by Herb Martin <He...@learnquick.com>.
From: Andy Jezierski [mailto:ajezierski@stepan.com]
Dr Robert Young <rc...@aliconsultants.com> wrote on 07/28/2005 03:09:48
PM:
>> We had a very short spam come in (actually it had a virus attachment
>> named "updated-password.zip"). There is not much to grab onto
>>
[snip]
>Don't use SA for trapping viruses, get a virus scanner. ClamAV comes to
mind.
I am not as adamant as Andy but generally agree -- there is nothing really
"wrong" with SA if it works for this BUT it is likely using a saw when you
need a drill or some such analogy. <grin>
ClamAV (free for both Linux-Posix or Windows) and the ALMOST free
FProtect are good choices for Virus scanning.
Many email servers have their own rules but mostly these are good for
just stopping the .exe, .cmd, .pif, .scr, etc (I have a long list if anyone
needs it.)
For that great variety of virus Zip names the best method seems to be the
virus scanner AND this lets you still send legitimate zip files if you wish
without having to block them all.
For the purely executable extensions I do block them since Outlook and
Outlook Express generally do that anyway they are pretty worthless to
our users -- better to just force everyone to compress or zip if they
have a legitimate reason to send executables.
Herb Martin
HerbM@LearnQuick.Com http://LearnQuick.Com <http://learnquick.com/>
Accelerated MCSE in a Week Seminars
_____
Sent: Thursday, July 28, 2005 3:13 PM
To: users@spamassassin.apache.org
Subject: Re: Trying to id spam
Andy
Re: Trying to id spam
Posted by Andy Jezierski <aj...@stepan.com>.
Dr Robert Young <rc...@aliconsultants.com> wrote on 07/28/2005 03:09:48
PM:
> We had a very short spam come in (actually it had a virus attachment
> named "updated-password.zip"). There is not much to grab onto
>
[snip]
Don't use SA for trapping viruses, get a virus scanner. ClamAV comes to
mind.
Andy