Posted to users@spamassassin.apache.org by Rick Gutierrez <xs...@gmail.com> on 2018/12/17 19:18:12 UTC

rule for docx o xlsx

Hi list, happy holidays to all. I am trying to make this rule work
that a friend wrote on GitHub, to be able to give a high score to
documents sent from different countries, like Pakistan, China or India.
I have it in my spamassassin and I do not see it working, so I want to
see if someone on the list can help me improve it.

RuleWordORExcel.cf

mimeheader __MIME_WORDOREXCEL Content-Type =~ /msword|excel/i
header     __RELAYCOUNTRY_SPAMMY X-Relay-Countries =~ /^(RU|CN|AR|AE|CG|FR|IR|KI|PK|AU|BS|BE|BO|BT|AI|AO|BR|KH|CL|CO|CK|CU|DM|EC|US)/i

meta     WORDEXCEL_SPAMMYCOUNTRY __MIME_WORDOREXCEL && __RELAYCOUNTRY_SPAMMY
describe WORDEXCEL_SPAMMYCOUNTRY Spammy country and word/excel file
score    WORDEXCEL_SPAMMYCOUNTRY 2.0


meta     OLEMACRO_SPAMMYCOUNTRY OLEMACRO && __RELAYCOUNTRY_SPAMMY
describe OLEMACRO_SPAMMYCOUNTRY Spammy country and Office doc with Macro
score    OLEMACRO_SPAMMYCOUNTRY 2.0

This is a test from Gmail, sending a Word file to an account.

https://pastebin.com/bmRq7v7h

regards


-- 
rickygm

http://gnuforever.homelinux.com

Re: rule for docx o xlsx

Posted by Benny Pedersen <me...@junc.eu>.
Rick Gutierrez wrote on 2018-12-19 18:44:

> Hi Benny,  I am not an expert in amavisd, but I have installed a few
> and in the official documentation you can block this type of files or
> extension, but I would do it general and not on a certain pattern.

i repeat, spamassassin can't test things in deep file content scanning,
we lose

one way to solve is:

configure clamav-milter to accept all virus detected in clamav
make spamass-milter reject pattern for macro virus detected in clamav
and still reject virus in spamass-milter

or make a bug report to clamav-milter for more policy accept quarantine
reject rules

by adding more 3rd party clamav signatures one doesn't need spamassassin
:=)

the above is only possible if clamav-milter is done before spamass-milter

if other tools are used it requires more work to make it work

Re: rule for docx o xlsx

Posted by Rick Gutierrez <xs...@gmail.com>.
On Mon, 17 Dec 2018 at 14:22, Benny Pedersen (<me...@junc.eu>) wrote:

>
> why not block it with default clamav installs ?
>
> spamassassin is not a virus scanner or macro detector, i still have not
> seen rules in mimedefang or amavisd, or canit, and other tools support
> deep content scanners in spamassassin
>
> just my one €

Hi Benny,  I am not an expert in amavisd, but I have installed a few
and in the official documentation you can block this type of files or
extension, but I would do it general and not on a certain pattern.


-- 
rickygm

http://gnuforever.homelinux.com

Re: rule for docx o xlsx

Posted by Benny Pedersen <me...@junc.eu>.
Rick Gutierrez wrote on 2018-12-17 20:18:

> https://pastebin.com/bmRq7v7h

why not block it with default clamav installs ?

spamassassin is not a virus scanner or macro detector, i still have not 
seen rules in mimedefang or amavisd, or canit, and other tools support 
deep content scanners in spamassassin

just my one €

Re: rule for docx o xlsx

Posted by Rick Gutierrez <xs...@gmail.com>.
On Mon, 17 Dec 2018 at 13:40, RW (<rw...@googlemail.com>) wrote:

>
> Content-Type:
> application/vnd.openxmlformats-officedocument.wordprocessingml.document,
>
> doesn't contain msword|excel

Hi RW, do you suggest that I make the modification?



-- 
rickygm

http://gnuforever.homelinux.com

Re: rule for docx o xlsx

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Mon, 17 Dec 2018, RW wrote:

> On Mon, 17 Dec 2018 13:18:12 -0600
> Rick Gutierrez wrote:
>
>> Hi list, happy holidays to all. I am trying to make this rule work
>> that a friend wrote on GitHub, to be able to give a high score to
>> documents sent from different countries, like Pakistan, China or India.
>> I have it in my spamassassin and I do not see it working, so I want to
>> see if someone on the list can help me improve it.
>>
>> RuleWordORExcel.cf
>>
>> mimeheader __MIME_WORDOREXCEL Content-Type =~ /msword|excel/i
> ...
>> https://pastebin.com/bmRq7v7h
>
>
>
> Content-Type:
> application/vnd.openxmlformats-officedocument.wordprocessingml.document,
>
> doesn't contain msword|excel

Not to mention that rule doesn't match "Application/OCTET-STREAM".

All too often I see mail clients use the catch-all MimeTyping of
"Application/OCTET-STREAM" and assume the recipient will 'do the right thing'
based on the file extension.



-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: rule for docx o xlsx

Posted by RW <rw...@googlemail.com>.
On Mon, 17 Dec 2018 13:18:12 -0600
Rick Gutierrez wrote:

> Hi list, happy holidays to all. I am trying to make this rule work
> that a friend wrote on GitHub, to be able to give a high score to
> documents sent from different countries, like Pakistan, China or India.
> I have it in my spamassassin and I do not see it working, so I want to
> see if someone on the list can help me improve it.
> 
> RuleWordORExcel.cf
> 
> mimeheader __MIME_WORDOREXCEL Content-Type =~ /msword|excel/i
...
> https://pastebin.com/bmRq7v7h



Content-Type:
application/vnd.openxmlformats-officedocument.wordprocessingml.document,

doesn't contain msword|excel
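
Added example, not part of the thread or of anyone's posted rule: a small Python check that runs the posted /msword|excel/i pattern and a broader one over the Content-Type headers of a constructed message, covering both points raised above (the OOXML type and Application/OCTET-STREAM with only a file name). The BROADER pattern, the sample file names and the assumption that the mimeheader test sees the whole header value including name= are mine.

```python
import re
from email import message_from_string

ORIGINAL = re.compile(r"msword|excel", re.I)  # pattern posted in the thread
# Assumed replacement, not from the thread: legacy and OOXML types, or an
# Office extension ending the name= parameter (covers octet-stream parts).
BROADER = re.compile(
    r'msword|ms-excel|officedocument\.(?:wordprocessingml|spreadsheetml)'
    r'|\bname\s*=\s*"?[^";]*\.(?:doc|xls)[xm]?"?\s*(?:;|$)',
    re.I,
)

# Constructed Content-Type values, one per attachment part of the sample.
PART_TYPES = [
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    'Application/OCTET-STREAM; name="sheet.xlsx"',
    'application/octet-stream; name="manual.pdf"',
]

def build_message(part_types):
    """Assemble a constructed multipart/mixed message, one part per type."""
    lines = ["MIME-Version: 1.0",
             'Content-Type: multipart/mixed; boundary="b1"', ""]
    for ctype in part_types:
        lines += ["--b1", f"Content-Type: {ctype}", "", "AAAA", ""]
    lines.append("--b1--")
    return "\n".join(lines)

def office_parts(raw, pattern):
    """Return the Content-Type header of every leaf part the pattern matches."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        header = str(part.get("Content-Type", ""))
        if pattern.search(header):
            hits.append(header)
    return hits

if __name__ == "__main__":
    raw = build_message(PART_TYPES)
    print("original:", office_parts(raw, ORIGINAL))
    print("broader: ", office_parts(raw, BROADER))
```

The posted pattern only catches the legacy application/msword part; the broader one also catches the docx type and the octet-stream part named sheet.xlsx, and leaves the PDF alone. Any pattern carried over into the .cf file should be checked with spamassassin --lint and against real mail before scoring on it.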