Posted to users@spamassassin.apache.org by Rob Blomquist <ro...@verizon.net> on 2004/09/09 07:07:53 UTC

Catching Windows executables as attachments

I have currently tuned my SARE spam filters, and am humming right along, I get 
one or 2 uncaught spams a day which is no big deal. But I would like to catch 
the virus emails that have Win exe, scr, bat, and the like for attachments, 
but I can't find a rule for them. 

Is there one? How can I catch them otherwise?

Rob
-- 

Linux Desktop user since 2000,
Home networker since shortly after.

Linux User #183693
http://counter.li.org/

Re: Catching Windows executables as attachments

Posted by jdow <jd...@earthlink.net>.
Rob, I use procmail here and use a procmail recipe to tag the EXE
such files. It's easier there than in SpamAssassin. I use the
"nkvir" scripts to some good effect.

(Of course, Earthlink recently got "angry" with all the Sober nonsense
and turned on everybody's SpamBlocker. My first reaction was annoyance.
Then I decided to let it keep filtering them and simply take the
results and mark THAT as spam. (One very easy test.) I still get my
running statistics; and, I get another serious level of protection. I
wish all ISPs would do something like this on general principles.)

{^_^}
----- Original Message ----- 
From: <ro...@elastica.com>


> As I'm on a mac there's a lot of file types I don't care about so I just
> have perl scripts that go thru the mail using MIME::Entity etc and remove
> them.
>
> I based my code off some code Randal Schwartz wrote once to remove the
> annoying WINMAIL.DAT attachments etc.
>
> Quoting Rob Blomquist <ro...@verizon.net>:
>
> > I have currently tuned my SARE spam filters, and am humming right along,
> > I get one or 2 uncaught spams a day which is no big deal. But I would
> > like to catch the virus emails that have Win exe, scr, bat, and the like
> > for attachments, but I can't find a rule for them.
> >
> > Is there one? How can I catch them otherwise?
> >
> > Rob
> > -- 
> >
> > Linux Desktop user since 2000,
> > Home networker since shortly after.
> >
> > Linux User #183693
> > http://counter.li.org/



Re: Catching Windows executables as attachments

Posted by ro...@elastica.com.
As I'm on a mac there's a lot of file types I don't care about so I just have
perl scripts that go thru the mail using MIME::Entity etc and remove them.

I based my code off some code Randal Schwartz wrote once to remove the annoying
WINMAIL.DAT attachments etc.

Quoting Rob Blomquist <ro...@verizon.net>:

> I have currently tuned my SARE spam filters, and am humming right along, I
> get 
> one or 2 uncaught spams a day which is no big deal. But I would like to catch
> 
> the virus emails that have Win exe, scr, bat, and the like for attachments, 
> but I can't find a rule for them. 
> 
> Is there one? How can I catch them otherwise?
> 
> Rob
> -- 
> 
> Linux Desktop user since 2000,
> Home networker since shortly after.
> 
> Linux User #183693
> http://counter.li.org/
> 

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


Re: Catching Windows executables as attachments

Posted by Michael W Cocke <co...@catherders.com>.
On Wed, 8 Sep 2004 22:07:53 -0700, you wrote:

>I have currently tuned my SARE spam filters, and am humming right along, I get 
>one or 2 uncaught spams a day which is no big deal. But I would like to catch 
>the virus emails that have Win exe, scr, bat, and the like for attachments, 
>but I can't find a rule for them. 
>
>Is there one? How can I catch them otherwise?
>
>Rob

Rob, I don't pretend this is the best way to solve your problem (what
you ideally want to do is look at amavisd-new), but assuming you have
a good reason for doing it this way, here's a half-assed approach.
Below are uuencoded translations for a few common windows executable
markers.  Set up rules looking for them and any others you can find.


This program cannot be run in DOS mode

VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGU

This program must be run under Win32

VGhpcyBwcm9ncmFtIG11c3QgYmUgcnVuIHVuZGVyIFdpbjMy


Good luck!

Mike-

--
If you can keep your head while those around you are losing theirs...
You may have a great career as a network administrator ahead!
--
Please note - Due to the intense volume of spam, we have installed 
site-wide spam filters at catherders.com.  If email from you bounces,
try non-HTML, non-encoded, non-attachments,
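The two encoded strings above are the base64 form of the DOS-stub messages when the text starts at a byte offset that is a multiple of 3. Base64 turns every 3 input bytes into 4 output characters, so the same marker encodes three different ways depending on where it sits in the attachment, and a MIME base64 body is also wrapped at 76 columns, so a literal match on one string misses most executables. The following Python is an added example, not code from the thread: it derives all three alignment variants and scans a wrapped body for any of them. `demo_body`, `wrap76` and the MZ-prefixed blob are constructed sample data for the demonstration.

```python
"""Base64 alignment-aware matching of the PE/DOS-stub marker strings.

Added example, not code from the thread.  Base64 turns 3 input bytes into
4 output characters, so the encoding of a fixed string depends on its byte
offset modulo 3 inside the attachment; the strings quoted in the thread are
the offset-0 form.  This derives all three forms and scans a line-wrapped
MIME base64 body for any of them.
"""
import base64
import re

# Marker strings from the thread (the DOS stub text of Win32 executables).
MARKERS = [
    b"This program cannot be run in DOS mode",
    b"This program must be run under Win32",
]


def base64_variants(marker):
    """Return the three offset-dependent base64 encodings of marker,
    trimmed to the characters determined by marker bytes alone."""
    variants = []
    for pad in range(3):
        # Shift the marker to offset pad (mod 3) with filler bytes.
        enc = base64.b64encode(b"\x00" * pad + marker).decode("ascii").rstrip("=")
        # The first 0 / 2 / 3 output characters mix in filler bits.
        lead = (0, 2, 3)[pad]
        # Unless pad + len(marker) is a multiple of 3, the final character
        # also depends on whatever byte follows the marker in a real file.
        tail = 0 if (pad + len(marker)) % 3 == 0 else 1
        variants.append(enc[lead:len(enc) - tail])
    return variants


# One compiled alternation over every variant of every marker.
_PATTERN = re.compile("|".join(re.escape(v) for m in MARKERS for v in base64_variants(m)))


def find_pe_marker(b64_body):
    """Scan a base64 body (as it appears in a MIME part, wrapped at 76
    columns) for any marker variant.  Returns the matching base64
    fragment, or None."""
    # A marker can straddle a line break, so strip everything that is not
    # a base64 character before searching.
    joined = re.sub(r"[^A-Za-z0-9+/=]", "", b64_body)
    m = _PATTERN.search(joined)
    return m.group(0) if m else None


def wrap76(s):
    """Wrap a base64 string at 76 columns the way MIME encoders do."""
    return "\n".join(s[i:i + 76] for i in range(0, len(s), 76))


def demo_body(filler):
    """Constructed sample attachment (not a real executable): an 'MZ'
    signature, `filler` zero bytes, then the DOS-stub message.  The
    marker therefore sits at byte offset 2 + filler, so filler 0, 1, 2
    exercise all three base64 alignments."""
    blob = b"MZ" + b"\x00" * filler + MARKERS[0] + b".\r\r\n$"
    return wrap76(base64.b64encode(blob).decode("ascii"))


if __name__ == "__main__":
    for pad, v in enumerate(base64_variants(MARKERS[0])):
        print(f"offset {pad} mod 3: {v}")
    for filler in range(3):
        print(f"filler={filler}: hit={find_pe_marker(demo_body(filler))!r}")
    benign = wrap76(base64.b64encode(b"quarterly report text " * 20).decode("ascii"))
    print("benign:", find_pe_marker(benign))
```

The trimming matters: the first two or three characters of a shifted encoding and the last character of an unaligned one also encode bits of neighbouring bytes, so including them in a pattern would make the match depend on the bytes around the marker rather than the marker itself.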


Re: Catching Windows executables as attachments

Posted by "Jack L. Stone" <ja...@sage-american.com>.
At 09:33 AM 9.9.2004 -0400, Theo Van Dinter wrote:
>On Wed, Sep 08, 2004 at 10:49:09PM -0700, Loren Wilton wrote:
>> However, it has been removed from 3.0.  And while I agree with removing
>> binary attachments before scanning in SA, I consider that removing the
>> mime-part header that contained the type and name is a mistake.  There have
>> been any number of times I've wanted to use that info for spam signs, and it
>> just isn't there.
>
>There's a few things here.
>
>First, the body-mime headers aren't typically visible to the user via MUA,
>so they're not included in the data that the standard rules run against.
>
>Second, viruses and worms aren't spam, and body-mime headers have not
>historically provided enough useful anti-spam information to have a
>special ruletype to look at them.
>
>Third, it's trivial to write a plugin to go through them if you really need
>them for something.  Something ala:
>

FWIW, I catch 99% of the offending attachments (and spam) right at the
"front door" or at the MTA using milter-regex (for Sendmail) and
Milter-Greylist.

I prefer not to have the bad stuff on my server if at all possible, and
want to avoid using those heavier resources for snagging, and thus (except
for the 1%) they never reach to SA or Procmail. Vsnagger plug-in for
Procmail (by Dallman Ross) catches the remaining 1%.

Thus, now instead of having to catch 90+% of spam with spamassassin, it is
only used for the 1%. It has really relieved the use of resources.

So, if you use Sendmail, "milters" are my first choice -- regex-milter,
greylist-milter, spamass-milter (with a threshold for blocking), then spamd
kicks in at a low threshold and, finally, Procmail with custom recipes.

I love all of these tools, including SA, but one or two just won't do it all.

If anyone with Sendmail is interested in using milters:

http://www.benzedrine.cx/milter-regex.html
http://hcpnet.free.fr/milter-greylist/
http://www.milter.org/

HTH

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@sage-american.com

Re: Catching Windows executables as attachments

Posted by jdow <jd...@earthlink.net>.
From: "Christof Damian" <ch...@damian.net>

> > On Thu, 2004-09-09 at 06:49, Loren Wilton wrote:
> > > In 2.63 there is the MICROSOFT_EXECUTABLE check that triggers on a
> > > number (but by no means all) viruses, and can be useful for
> > > various things.  However, it has been removed from 3.0.
> 
> That is a shame, I use that at the moment to score+2 all the silly
> game and joke executables which I get sent.
> 
> ClamAV filters the virii of course.

christof, it's not prohibitively hard to code such a test for yourself.
It's a good learning experience. And once you get the hang of it you
can go mad over it and even get involved with developing new rules
and rule sets.

{^_-}


Re: Catching Windows executables as attachments

Posted by Christof Damian <ch...@damian.net>.
> On Thu, 2004-09-09 at 06:49, Loren Wilton wrote:
> > In 2.63 there is the MICROSOFT_EXECUTABLE check that triggers on a
> > number (but by no means all) viruses, and can be useful for
> > various things.  However, it has been removed from 3.0.

That is a shame, I use that at the moment to score+2 all the silly
game and joke executables which I get sent.

ClamAV filters the virii of course.

christof


-- 
Christof Damian         
christof@damian.net

Re: Catching Windows executables as attachments

Posted by Chris Stenton <ja...@gnome.co.uk>.
Use something like mimedefang. It blocks attachments you don't want and
will run clamav, SA etc on incoming mail.

Chris

On Thu, 2004-09-09 at 06:49, Loren Wilton wrote:
> > But I would like to catch
> > the virus emails that have Win exe, scr, bat, and the like for
> > attachments,
> > but I can't find a rule for them.
> >
> > Is there one? How can I catch them otherwise?
> 
> Sadly there really isn't one.  People will tell you to simply use a more
> appropriate tool for virus catching, like ClamAV.  Of course I suspect this
> still leaves lots of "I caught a virus!" messages that leak through.  We
> are working on a SARE ruleset to catch a great number of these for you.
> 
> In 2.63 there is the MICROSOFT_EXECUTABLE check that triggers on a number
> (but by no means all) viruses, and can be useful for various things.
> However, it has been removed from 3.0.  And while I agree with removing
> binary attachments before scanning in SA, I consider that removing the
> mime-part header that contained the type and name is a mistake.  There have
> been any number of times I've wanted to use that info for spam signs, and it
> just isn't there.
> 
>         Loren


Re: Catching Windows executables as attachments

Posted by Theo Van Dinter <fe...@kluge.net>.
On Fri, Sep 10, 2004 at 03:48:17AM -0700, Loren Wilton wrote:
> > First, the body-mime headers aren't typically visible to the user via MUA,
> > so they're not included in the data that the standard rules run against.
> 
> and yet they are considered one of the more important spam indicators.  Lack
> of normal visibility in an MUA is a poor justification for excluding
> information in the mail from a spam classifier.

Nothing is excluded from "[the] spam classifier".  It is, however,
excluded from body rules which are explicitly meant to be a rendered
version of the message, relatively close to what the user will see in
an MUA (visible vs invisible HTML, HTML "rendering" (mostly tag removal
but we process the tags internally to pull out information), b64/qp
decoding, etc).

> You are assuming here that the only use for examining mime headers are to
> classify viruses and worms.  While that is the origin of this thread, I find

Since the subject of this thread is "Catching Windows executables as
attachments", yes, that's what I was talking about. :)

> Well, it's trivial if your name is Theo or Justin or Daniel and you work with
> SA code 10 hours a day every day.  In that case you probably know more Perl
[...]
> it, it is hardly a trivial undertaking to spend months learning a language
> of surpassing crypticality, and then learn the undocumented (or otherwise)
> innards of a major program, simply to be able to write a few simple rules.

You don't need to get all uppity about it.  I'm simply stating that body mime
headers have no place in the standard body rules (body, rawbody, and uri).
They're meant to check one thing, you want to check something different.

IMO, it would be pretty easy to get a new rule type as a plugin (if you
don't know the perl to do it, I'm sure if you asked politely someone else
could code it up).  Then you can easily write rules to look for whatever
you want to look for.  If looking at that information became commonplace,
the rule type/code would likely get merged into SA-proper.

-- 
Randomly Generated Tagline:
"The very powerful and the very stupid have one thing in common.
 Instead of altering their views to fit the facts, they alter the facts
 to fit their views ... which can be very uncomfortable if you happen to
 be one of the facts that needs altering." - Doctor Who, "Face of Evil"

Re: Catching Windows executables as attachments

Posted by Loren Wilton <lw...@earthlink.net>.
> From: "Theo Van Dinter" <fe...@kluge.net>
>
> There's a few things here.
>
> First, the body-mime headers aren't typically visible to the user via MUA,
> so they're not included in the data that the standard rules run against.

Normal headers in their full glory also aren't typically visible to the user
in most MUAs, only processed versions of select headers such as From and
Subject.  You typically have to go digging to find headers like Received,
and yet they are considered one of the more important spam indicators.  Lack
of normal visibility in an MUA is a poor justification for excluding
information in the mail from a spam classifier.


> Second, viruses and worms aren't spam, and body-mime headers have not
> historically provided enough useful anti-spam information to have a
> special ruletype to look at them.

You are assuming here that the only use for examining mime headers are to
classify viruses and worms.  While that is the origin of this thread, I find
that rather irrelevant.  Mime headers are some of the more unique spam signs
one can spot from even a casual perusal of a few hundred spams, and in many
cases can be used (often in conjunction with header information) to determine
that a mail came from a particular spam tool, and is therefore in all
probability spam, without even looking at the body content.

I suspect that they have been 'historically useless' primarily because they
have not been accessible to rules, and/or nobody has considered them as
interesting as body content and received headers.


> Third, it's trivial to write a plugin to go through them if you really
> need them for something.  Something ala:
>
>   foreach my $p ($self->{msg}->find_parts(qr@^application/octet-stream@)) {
>     my ($ctype, $boundary, $charset, $name) = Mail::SpamAssassin::Util::parse_content_type($p->get_header("content-type"));
>     $name ||= '';
>     $name = lc $name;
>
>     return 1 if ($name =~ /\.(?:scr|bat|com|pif)$/);
>   }
>   return 0;

Well, it's trivial if your name is Theo or Justin or Daniel and you work with
SA code 10 hours a day every day.  In that case you probably know more Perl
than Larry Wall does, and you also know every routine inside of SA and know
exactly what it is to be used for.

For those of us that spend 16 hours a day building OSes or graphics
applications or accounting packages, and speak C++ or Java or some language
other than Perl, and merely hate spam enough to want to do something about
it, it is hardly a trivial undertaking to spend months learning a language
of surpassing crypticality, and then learn the undocumented (or otherwise)
innards of a major program, simply to be able to write a few simple rules.


Hopefully someone that has the time in their lives to learn both Perl and
the innards of SA will write some simple plugins to expose those parts of
the mail message that the rest of us can then use to write rules against
those parts.  I know I'd like to write a half dozen rules against various
mime headers.  But I have only the vaguest guess about what that code
snippet above may be doing, and I suspect strongly that it isn't by itself
sufficient to be an actual plugin.  I don't think I have the spare year in
my life to figure out how to make something like that work just so I can
write a couple of rules to catch things with encodings of BitBitNum.

        Loren


Re: Catching Windows executables as attachments

Posted by Theo Van Dinter <fe...@kluge.net>.
On Wed, Sep 08, 2004 at 10:49:09PM -0700, Loren Wilton wrote:
> However, it has been removed from 3.0.  And while I agree with removing
> binary attachments before scanning in SA, I consider that removing the
> mime-part header that contained the type and name is a mistake.  There have
> been any number of times I've wanted to use that info for spam signs, and it
> just isn't there.

There's a few things here.

First, the body-mime headers aren't typically visible to the user via MUA,
so they're not included in the data that the standard rules run against.

Second, viruses and worms aren't spam, and body-mime headers have not
historically provided enough useful anti-spam information to have a
special ruletype to look at them.

Third, it's trivial to write a plugin to go through them if you really need
them for something.  Something ala:

  foreach my $p ($self->{msg}->find_parts(qr@^application/octet-stream@)) {
    my ($ctype, $boundary, $charset, $name) = Mail::SpamAssassin::Util::parse_content_type($p->get_header("content-type"));
    $name ||= '';
    $name = lc $name;

    return 1 if ($name =~ /\.(?:scr|bat|com|pif)$/);
  }
  return 0;

that'll return true for any application/octet-stream attachment with a
filename ending in scr, bat, com, or pif.  You can get any other parts of the
body-mime headers out in a similar fashion.

-- 
Randomly Generated Tagline:
It takes two to lie.  One to lie and one to listen.
 
 		-- Homer Simpson
 		   Colonel Homer
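Theo's Perl sketch looks only at the Content-Type name= of application/octet-stream parts. As an added example (not Theo's code and not SpamAssassin's), here is the same check in Python over a parsed MIME message, widened in two ways a practitioner usually wants: the filename is taken from Content-Disposition as well as Content-Type, and the decoded bytes are checked for the MZ executable signature, so an executable sent under image/gif or with a harmless-looking name is still flagged. `build_sample` and its MZ-prefixed bytes are constructed test data.

```python
"""Attachment classification over a parsed MIME message.

Added example, not code from the thread or from SpamAssassin.  It does what
Theo's Perl sketch does (flag parts whose filename ends in a risky
extension) and adds two checks: the filename is taken from
Content-Disposition as well as Content-Type, and the decoded bytes are
checked for the 'MZ' executable signature so that the declared type and
name are not the only evidence.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions from Theo's snippet plus the ones Rob asked about.
RISKY_SUFFIXES = tuple("." + ext for ext in ("exe", "scr", "bat", "com", "pif"))


def risky_parts(raw_message):
    """Return [(filename, content_type, reason), ...] for each leaf part
    that looks like a Windows executable; an empty list if none."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() prefers Content-Disposition filename= and falls
        # back to Content-Type name=, decoding RFC 2047/2231 forms.
        name = (part.get_filename() or "").lower()
        reasons = []
        if name.endswith(RISKY_SUFFIXES):
            reasons.append("extension")
        # Decode the transfer encoding and look at the real bytes: a
        # renamed .exe still starts with the MZ signature.
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            reasons.append("MZ header")
        if reasons:
            hits.append((name, part.get_content_type(), "+".join(reasons)))
    return hits


def build_sample():
    """Constructed test message (not a real sample): a text body, a
    harmless .txt attachment, a .scr sent as application/octet-stream, and
    an image/gif part whose bytes actually begin with MZ."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rob@example.invalid"
    msg["Subject"] = "your document"
    msg.set_content("see attached")
    msg.add_attachment("meeting notes", filename="notes.txt")
    fake_exe = b"MZ" + b"\x00" * 62  # constructed stand-in for an executable
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream", filename="photo.scr")
    msg.add_attachment(fake_exe, maintype="image", subtype="gif", filename="funny.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype, reason in risky_parts(build_sample()):
        print(f"{name:12} {ctype:26} {reason}")
```

The content check is the one that survives the sender lying: the declared type, the extension and the transfer encoding are all chosen by the sender, whereas the decoded bytes are what the recipient's machine would actually run.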

Re: Catching Windows executables as attachments

Posted by Loren Wilton <lw...@earthlink.net>.
> But I would like to catch
> the virus emails that have Win exe, scr, bat, and the like for
> attachments,
> but I can't find a rule for them.
>
> Is there one? How can I catch them otherwise?

Sadly there really isn't one.  People will tell you to simply use a more
appropriate tool for virus catching, like ClamAV.  Of course I suspect this
still leaves lots of "I caught a virus!" messages that leak through.  We
are working on a SARE ruleset to catch a great number of these for you.

In 2.63 there is the MICROSOFT_EXECUTABLE check that triggers on a number
(but by no means all) viruses, and can be useful for various things.
However, it has been removed from 3.0.  And while I agree with removing
binary attachments before scanning in SA, I consider that removing the
mime-part header that contained the type and name is a mistake.  There have
been any number of times I've wanted to use that info for spam signs, and it
just isn't there.

        Loren


Re: Catching Windows executables as attachments

Posted by Steve Bertrand <ia...@ibctech.ca>.
> I have currently tuned my SARE spam filters, and am humming right
> along, I get
> one or 2 uncaught spams a day which is no big deal. But I would like
> to catch
> the virus emails that have Win exe, scr, bat, and the like for
> attachments,
> but I can't find a rule for them.
>
> Is there one? How can I catch them otherwise?

If you are running qmail, you can install qmail-scanner (which I use
to load SA & ClamAV).

Then edit the quarantine-attachments.txt file to your taste. You can
block out any attachment you desire...

Steve

>
> Rob
> --
>
> Linux Desktop user since 2000,
> Home networker since shortly after.
>
> Linux User #183693
> http://counter.li.org/
>



RE: Catching Windows executables as attachments

Posted by Mike Kercher <mi...@CamaroSS.net>.
Rob Blomquist wrote:
> I have currently tuned my SARE spam filters, and am humming right
> along, I get one or 2 uncaught spams a day which is no big deal. But
> I would like to catch the virus emails that have Win exe, scr, bat,
> and the like for attachments, but I can't find a rule for them.   
> 
> Is there one? How can I catch them otherwise?
> 
> Rob

MailScanner does this by default.

Mike