Posted to users@spamassassin.apache.org by Ben Wylie <sa...@benwylie.co.uk> on 2005/06/05 18:59:55 UTC
Block empty zip files
I get quite a lot of empty zip files, I presume from viruses having failed
to place themselves in them.
They always look like:
UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
in base64.
Do others get these emails?
Could someone advise me as to what kind of rule I could write to block
these?
I presume a body rule with:
body EMPTY_ZIP /UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==/i
wouldn't work as it is in a separate mime part, or would it?
Thanks
Ben
Re: Block empty zip files
Posted by Loren Wilton <lw...@earthlink.net>.
> it, but I was wondering what test could check for
> UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA== in a mime part
Ah. Tricky. That has the disadvantage of being a non-text mime part, so SA
tends to throw them in the trash. Nothing will find it on 2.6x, other than
perhaps a modification of the MICROSOFT_EXECUTABLE eval.
I'm not positive on 3.0, but *possibly* a full-body rule would catch it,
thusly:
full LW_SMALL_ZIP /^UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==$/m
score LW_SMALL_ZIP whatever
describe LW_SMALL_ZIP Small zip file, probably deleted virus
Loren
BTW, I bet that a rule like this would catch a whole lot of virui and phish:
body LW_SUSPENDED /account has been suspended/
score LW_SUSPENDED 1
describe LW_SUSPENDED Typical phish/virus phrase.
Re: Block empty zip files
Posted by jdow <jd...@earthlink.net>.
From: "Ben Wylie" <sa...@benwylie.co.uk>
> > Get Tim Jackson's bogus virus bounce ruleset.
>
> I've just added that ruleset but it didn't help as far as I can see.
> I have two custom rules which hit the text in the email, and spf also caught
> it, but I was wondering what test could check for
> UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA== in a mime part
full JD_INVALID_ZIP /UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==/s
describe JD_INVALID_ZIP Invalid - empty - zip file.
score JD_INVALID_ZIP 0.1
I don't know if that will trigger on ALL zips or not.
{^_^}
RE: Block empty zip files
Posted by Ben Wylie <sa...@benwylie.co.uk>.
> Get Tim Jackson's bogus virus bounce ruleset.
I've just added that ruleset but it didn't help as far as I can see.
I have two custom rules which hit the text in the email, and spf also caught
it, but I was wondering what test could check for
UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA== in a mime part
Here is the full email:
Received: from [127.0.0.1] by arkbb.co.uk with SMTP (HELO server.)
(ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.7.9)); Sun,
5 Jun 2005 20:01:25 +0100
Received: from a.mx.bluesine.com ([66.18.211.109])
by server. (NAVGW 2.5.2.12) with SMTP id M2005060520012009891
for <em...@mydomain.tld>; Sun, 05 Jun 2005 20:01:20 +0100
Received: (qmail 31692 invoked from network); 5 Jun 2005 18:56:46 -0000
Received: from r2.soplicowo.net (HELO arkbb.co.uk) (195.205.119.242)
by a.mx.bluesine.com with SMTP; 5 Jun 2005 18:56:46 -0000
From: fake@mydomain.tld
To: email@mydomain.tld
Subject: *DETECTED* Online User Violation
Date: Sun, 5 Jun 2005 20:57:16 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0014_1ED76C19.07657A59"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: <fa...@mydomain.tld>
X-Envelope-From: fake@mydomain.tld
X-Envelope-To: email@mydomain.tld
Message-ID: <gh...@mydomain.tld>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on server
X-Spam-Level: ********
X-Spam-Hammy: 0.006-892--2043h-32s--0d--H*F:D*arkbb.co.uk,
0.009-41--94h-2s--0d--H*p:D*arkbb.co.uk
X-Spam-Status: Yes, score=8.3 required=2.4 bayes=0.5004 tests=BAYES_50,
MISSING_MIMEOLE,NO_REAL_NAME,POLICY_VIOLATION,PRIORITY_NO_NAME,
SECONDARYMX,SPF_HELO_SOFTFAIL,SUSPENDED_ACCOUNT autolearn=disabled
version=3.0.3
X-Spam-Spammy: 0.999-5--0h-55s--0d--H*RT:sk:a.mx.bl,
0.999-5--0h-55s--0d--H*RT:66.18.211.109
X-Spam-Report:
* 1.0 SECONDARYMX SECONDARYMX
* 0.0 NO_REAL_NAME From: does not include a real name
* 3.1 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record
(softfail)
* [SPF failed: Please see
http://spf.pobox.com/why.html?sender=arkbb.co.uk&ip=195.205.119.242&receiver
=server]
* 1.5 SUSPENDED_ACCOUNT BODY: SUSPENDED_ACCOUNT
* 1.5 POLICY_VIOLATION BODY: POLICY_VIOLATION
* 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.5004]
* 1.1 PRIORITY_NO_NAME Message has priority, but no
X-Mailer/User-Agent
* 0.0 MISSING_MIMEOLE Message has X-MSMail-Priority, but no
X-MimeOLE
This is a multi-part message in MIME format.
------=_NextPart_000_0014_1ED76C19.07657A59
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
We regret to inform you that your account has been suspended due to the
violation of our site policy, more info is attached.
------=_NextPart_000_0014_1ED76C19.07657A59
Content-Type: application/octet-stream;
name="instructions.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="instructions.zip"
UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
------=_NextPart_000_0014_1ED76C19.07657A59--
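As an added example (my own Python, not code from this thread or from SpamAssassin), the script below runs the check the thread is after against a constructed copy of the message above, with the Received: and X-Spam-* headers trimmed. It decodes each attachment and tests whether it is structurally an empty zip archive, i.e. a lone End Of Central Directory record with zero entries, which is exactly what the 32-character base64 string decodes to. It also shows why a `body` rule cannot fire while a `full` rule can: the body view holds only the decoded text parts, the full view is the raw message. The message, the function names and the two "views" are assumptions made for illustration, not SpamAssassin internals.

```python
import base64
import email
import io
import re
import struct
import zipfile
from email import policy

# Constructed message modelled on the one posted in this thread: same body text
# and the same 32-character base64 attachment, Received:/X-Spam-* headers trimmed.
SAMPLE_MESSAGE = b"""From: fake@mydomain.tld
To: email@mydomain.tld
Subject: *DETECTED* Online User Violation
MIME-Version: 1.0
Content-Type: multipart/mixed;
\tboundary="----=_NextPart_000_0014_1ED76C19.07657A59"

This is a multi-part message in MIME format.

------=_NextPart_000_0014_1ED76C19.07657A59
Content-Type: text/plain;
\tcharset="Windows-1252"
Content-Transfer-Encoding: 7bit

We regret to inform you that your account has been suspended due to the
violation of our site policy, more info is attached.
------=_NextPart_000_0014_1ED76C19.07657A59
Content-Type: application/octet-stream;
\tname="instructions.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
\tfilename="instructions.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
------=_NextPart_000_0014_1ED76C19.07657A59--
"""

THREAD_BASE64 = b"UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA=="  # the blob quoted in the thread

# A zip with no entries is a single End Of Central Directory record: signature
# PK\x05\x06, four 16-bit counts, two 32-bit sizes, a 16-bit comment length, all zero.
EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4sHHHHIIH"
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22 bytes
EMPTY_ZIP = EOCD_SIG + b"\x00" * (EOCD_LEN - len(EOCD_SIG))

def is_empty_zip(data: bytes) -> bool:
    """True if data is a complete archive with zero entries (a trailing comment is allowed)."""
    if len(data) < EOCD_LEN or not data.startswith(EOCD_SIG):
        return False
    (_sig, _disk, _cd_disk, on_disk, total, cd_size, _cd_off,
     comment_len) = struct.unpack(EOCD_FMT, data[:EOCD_LEN])
    return on_disk == 0 and total == 0 and cd_size == 0 and len(data) == EOCD_LEN + comment_len

def thread_blob_decoded() -> bytes:
    return base64.b64decode(THREAD_BASE64)

def empty_zip_attachments(raw: bytes) -> list:
    """Filenames of .zip / application/zip attachments that decode to an empty archive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if not (name.lower().endswith(".zip") or part.get_content_type() == "application/zip"):
            continue
        payload = part.get_payload(decode=True)  # undoes the base64 transfer encoding
        if payload is not None and is_empty_zip(payload):
            hits.append(name)
    return hits

def sa_body_view(raw: bytes) -> str:
    """Approximation of what a SpamAssassin 'body' rule sees: decoded text/* parts only."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "us-ascii"
            chunks.append(part.get_payload(decode=True).decode(charset, "replace"))
    return "\n".join(chunks)

def rule_hits(pattern: bytes, view: bytes) -> bool:
    """Match a rule regex against one view of the message; /m makes ^ and $ line anchors."""
    return re.search(pattern, view, re.M) is not None

def make_nonempty_zip() -> bytes:
    """A one-entry archive built with zipfile, to show the check is not 'any zip'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "not empty")
    return buf.getvalue()

if __name__ == "__main__":
    print("empty zip attachments:", empty_zip_attachments(SAMPLE_MESSAGE))
    print("body rule hits:", rule_hits(THREAD_BASE64, sa_body_view(SAMPLE_MESSAGE).encode()))
    print("full rule hits:", rule_hits(rb"^" + THREAD_BASE64 + rb"$", SAMPLE_MESSAGE))
```

The structural check is slightly more general than the fixed regex in the thread: an empty archive that carries a zip comment encodes to a different base64 string but still has zero entries and is still caught. On the SpamAssassin side, a MIME-aware check like this needs an eval plugin rather than a plain regex; a `full` rule only catches the byte-exact 22-byte case.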
Re: Block empty zip files
Posted by Loren Wilton <lw...@earthlink.net>.
Get Tim Jackson's bogus virus bounce ruleset.
Loren