Posted to users@spamassassin.apache.org by Ben Wylie <sa...@benwylie.co.uk> on 2005/06/05 18:59:55 UTC

Block empty zip files

I get quite a lot of empty zip files, I presume from viruses having failed
to place themselves in them.

They always look like:

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
in base64.

Do others get these emails?
Could someone advise me as to what kind of rule I could write to block
these?

I presume a body rule with:

body EMPTY_ZIP		/UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==/i
wouldn't work as it is in a separate mime part, or would it?

Thanks
Ben



Re: Block empty zip files

Posted by Loren Wilton <lw...@earthlink.net>.
> it, but I was wondering what test could check for
> UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA== in a mime part

Ah.  Tricky.  That has the disadvantage of being a non-text mime part, so SA
tends to throw them in the trash.  Nothing will find it on 2.6x, other than
perhaps a modification of the MICROSOFT_EXECUTABLE eval.

I'm not positive on 3.0, but *possibly* a full-body rule would catch it,
thusly:

# 'full' rules run against the whole raw message as one string, so ^ and $
# need the /m modifier to anchor to the line holding the base64 payload
full LW_SMALL_ZIP /^UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==$/m
score LW_SMALL_ZIP whatever
describe LW_SMALL_ZIP Small zip file, probably deleted virus

        Loren

BTW, I bet that a rule like this would catch a whole lot of virui and phish:

body    LW_SUSPENDED    /account has been suspended/
score    LW_SUSPENDED    1
describe LW_SUSPENDED    Typical phish/virus phrase.


Re: Block empty zip files

Posted by jdow <jd...@earthlink.net>.
From: "Ben Wylie" <sa...@benwylie.co.uk>

> > Get Tim Jackson's bogus virus bounce ruleset.
>
> I've just added that ruleset but it didn't help as far as I can see.
> I have two custom rules which hit the text in the email, and spf also caught
> it, but I was wondering what test could check for
> UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA== in a mime part

full    JD_INVALID_ZIP  /UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==/s
describe JD_INVALID_ZIP Invalid - empty - zip file.
score JD_INVALID_ZIP    0.1

I don't know if that will trigger on ALL zips or not.
{^_^}



RE: Block empty zip files

Posted by Ben Wylie <sa...@benwylie.co.uk>.
> Get Tim Jackson's bogus virus bounce ruleset.

I've just added that ruleset but it didn't help as far as I can see.
I have two custom rules which hit the text in the email, and spf also caught
it, but I was wondering what test could check for 
UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA== in a mime part

Here is the full email:


Received: from  [127.0.0.1] by arkbb.co.uk with SMTP (HELO server.)
  (ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.7.9)); Sun,
5 Jun 2005 20:01:25 +0100
Received: from a.mx.bluesine.com ([66.18.211.109])
 by server. (NAVGW 2.5.2.12) with SMTP id M2005060520012009891
 for <em...@mydomain.tld>; Sun, 05 Jun 2005 20:01:20 +0100
Received: (qmail 31692 invoked from network); 5 Jun 2005 18:56:46 -0000
Received: from r2.soplicowo.net (HELO arkbb.co.uk) (195.205.119.242)
  by a.mx.bluesine.com with SMTP; 5 Jun 2005 18:56:46 -0000
From: fake@mydomain.tld
To: email@mydomain.tld 
Subject: *DETECTED* Online User Violation
Date: Sun, 5 Jun 2005 20:57:16 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0014_1ED76C19.07657A59"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: <fa...@mydomain.tld>
X-Envelope-From: fake@mydomain.tld
X-Envelope-To: email@mydomain.tld 
Message-ID: <gh...@mydomain.tld>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on server
X-Spam-Level: ********
X-Spam-Hammy: 0.006-892--2043h-32s--0d--H*F:D*arkbb.co.uk, 
	0.009-41--94h-2s--0d--H*p:D*arkbb.co.uk
X-Spam-Status: Yes, score=8.3 required=2.4 bayes=0.5004 tests=BAYES_50,
	MISSING_MIMEOLE,NO_REAL_NAME,POLICY_VIOLATION,PRIORITY_NO_NAME,
	SECONDARYMX,SPF_HELO_SOFTFAIL,SUSPENDED_ACCOUNT autolearn=disabled 
	version=3.0.3
X-Spam-Spammy: 0.999-5--0h-55s--0d--H*RT:sk:a.mx.bl, 
	0.999-5--0h-55s--0d--H*RT:66.18.211.109
X-Spam-Report: 
	*  1.0 SECONDARYMX SECONDARYMX
	*  0.0 NO_REAL_NAME From: does not include a real name
	*  3.1 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record
(softfail)
	*      [SPF failed: Please see
http://spf.pobox.com/why.html?sender=arkbb.co.uk&ip=195.205.119.242&receiver
=server]
	*  1.5 SUSPENDED_ACCOUNT BODY: SUSPENDED_ACCOUNT
	*  1.5 POLICY_VIOLATION BODY: POLICY_VIOLATION
	*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
	*      [score: 0.5004]
	*  1.1 PRIORITY_NO_NAME Message has priority, but no
X-Mailer/User-Agent
	*  0.0 MISSING_MIMEOLE Message has X-MSMail-Priority, but no
X-MimeOLE

This is a multi-part message in MIME format.

------=_NextPart_000_0014_1ED76C19.07657A59
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit

We regret to inform you that your account has been suspended due to the
violation of our site policy, more info is attached.


------=_NextPart_000_0014_1ED76C19.07657A59
Content-Type: application/octet-stream;
	name="instructions.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="instructions.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
------=_NextPart_000_0014_1ED76C19.07657A59--
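Added example, not from the thread: a small Python check that decodes the MIME parts of the message above and recognises the attachment as an empty ZIP, and that shows where the base64 literal is actually visible. The string UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA== decodes to 22 bytes, the PK\x05\x06 End Of Central Directory record with every field zero, i.e. an archive with no entries; a non-empty ZIP starts with a local file header (PK\x03\x04, base64 UEsDBA) and would not match, which answers jdow's question about whether the rule fires on all zips. Ben's question about body versus full rules is covered by the last function: SpamAssassin body rules only see decoded text parts, so the literal is only present in the raw message. The sample message is a trimmed copy of the one posted above, with the base64 line generated from the bytes rather than copied.

```python
"""Recognise an empty ZIP attachment in a MIME message (added example)."""
import base64
import email
import io
import struct
import zipfile
from email import policy

EOCD_SIG = b"PK\x05\x06"          # End Of Central Directory signature
EOCD_LEN = 22                     # fixed EOCD size with an empty comment
EMPTY_ZIP_BYTES = EOCD_SIG + b"\x00" * 18
# Equals the literal quoted in the thread (32 base64 chars, '==' padded).
EMPTY_ZIP_B64 = base64.b64encode(EMPTY_ZIP_BYTES).decode()

# Trimmed copy of the message Ben posted; headers cut down, same MIME layout.
SAMPLE = f"""From: fake@mydomain.tld
To: email@mydomain.tld
Subject: *DETECTED* Online User Violation
MIME-Version: 1.0
Content-Type: multipart/mixed;
\tboundary="----=_NextPart_000_0014_1ED76C19.07657A59"

This is a multi-part message in MIME format.

------=_NextPart_000_0014_1ED76C19.07657A59
Content-Type: text/plain;
\tcharset="Windows-1252"
Content-Transfer-Encoding: 7bit

We regret to inform you that your account has been suspended due to the
violation of our site policy, more info is attached.


------=_NextPart_000_0014_1ED76C19.07657A59
Content-Type: application/octet-stream;
\tname="instructions.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
\tfilename="instructions.zip"

{EMPTY_ZIP_B64}
------=_NextPart_000_0014_1ED76C19.07657A59--
""".encode()


def is_empty_zip(data: bytes) -> bool:
    """True if data is nothing but an EOCD record describing zero entries."""
    if len(data) != EOCD_LEN or not data.startswith(EOCD_SIG):
        return False
    # <HHHHIIH: this disk, CD start disk, entries on this disk, total entries,
    # central directory size, central directory offset, comment length
    (_disk, _cd_disk, entries_here, entries_total,
     cd_size, _cd_offset, comment_len) = struct.unpack("<HHHHIIH", data[4:])
    return (entries_here == 0 and entries_total == 0
            and cd_size == 0 and comment_len == 0)


def empty_zip_attachments(raw: bytes) -> list:
    """Filenames of non-text parts whose decoded payload is an empty ZIP."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() in ("multipart", "text"):
            continue
        payload = part.get_payload(decode=True)   # undoes base64 / QP
        if payload is not None and is_empty_zip(payload):
            hits.append(part.get_filename() or "<unnamed>")
    return hits


def literal_visible_to(raw: bytes) -> dict:
    """Whether the base64 literal is in any text part (what a 'body' rule
    scans) or only in the raw message (what a 'full' rule scans)."""
    literal = EMPTY_ZIP_B64.encode()
    msg = email.message_from_bytes(raw, policy=policy.default)
    in_text_parts = any(
        literal in (p.get_payload(decode=True) or b"")
        for p in msg.walk() if p.get_content_maintype() == "text")
    return {"body": in_text_parts, "full": literal in raw}


def make_nonempty_zip() -> bytes:
    """A real one-file archive, to show the check does not fire on all zips."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "not empty")
    return buf.getvalue()


if __name__ == "__main__":
    print("empty zip attachments:", empty_zip_attachments(SAMPLE))
    print("literal visible to:", literal_visible_to(SAMPLE))
    print("non-empty zip flagged:", is_empty_zip(make_nonempty_zip()))
```

Run stand-alone it reports instructions.zip as the only empty attachment, shows the literal is reachable only from the raw message, and confirms a genuine one-file archive is not flagged. A detector written this way keys on the decoded structure rather than on one base64 spelling, so it also survives a sender re-encoding the same bytes with different line wrapping.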




Re: Block empty zip files

Posted by Loren Wilton <lw...@earthlink.net>.
Get Tim Jackson's bogus virus bounce ruleset.

        Loren