[BlueOnyx:14158] Re: Solarspeed AV-SPAM V5

Michael Stauber mstauber at blueonyx.it
Tue Dec 24 13:30:12 -05 2013


Hi Colin,

> We are finding that viral attachments (e.g. crypto) are not being filtered
> out of email even though everything (clamav sigs etc.) is up to date.
> Is there any way around this - I would expect these to be filtered out /
> email dumped.
> 
> What is the best way forward - we are seeing a shedload of these emails
> (e.g. From employers at alerts.hmrc.gov.uk) and had a few clients get zapped.

One way to deal with this is to have SpamAssassin prevent emails with
ZIP or EXE attachments passing through.

This is a bit drastic, but if you have users who use HTML emails and who
blindly open any attachment without thinking first, then this might be
the way to go.

Here is some code that I am using. Just create the file
/etc/mail/spamassassin/attachments.cf and paste this into it:

#-----------------------------------------------------
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader

mimeheader ZIP_ATTACHED Content-Type =~ /zip/i
describe ZIP_ATTACHED email contains a zip file attachment
score ZIP_ATTACHED 7.5

mimeheader EXE_ATTACHED Content-Type =~ /exe/i
describe EXE_ATTACHED email contains an exe file attachment
score EXE_ATTACHED 7.5

uri      DANGEROUS_URL /\.(exe|zip|scr|pif|php|cmd|bat|vbs|wsh)$/i
describe DANGEROUS_URL        URL contains executable content
score    DANGEROUS_URL        7.5
#-----------------------------------------------------

It assigns a score of 7.5 to emails with attachments of either ZIP or
EXE. The last rule applies for URLs in email bodies that point to files
that have the extension exe, zip, scr, pif, php, cmd, bat, vbs or wsh.

Including "php" as extension there creates a lot of false positives, so
I usually remove it on my own boxes.

Once you have created that file, restart SpamAssassin for the change to
take effect:

/etc/init.d/spamassassin restart

FWIW: The filename of the rule file doesn't matter. As long as it's in
the directory /etc/mail/spamassassin/ and ends with *.cf SpamAssassin
will use these rules.

Another thing you might want to adjust is the score applied to these
rules. 7.5 points will make sure that it's most definitely marked as
SPAM - if your users use the default 5.0 score. But it's below the
default score of 10 at which emails will be rejected at the MTA level.

If you want to keep these kinds of emails out of sight of your users, but
want to let the sender know immediately that this kind of email will not
reach the intended recipient, use a score higher than 10 (or whatever
the score is at which your AV-SPAM rejects at the MTA level).

-- 
With best regards

Michael Stauber
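To see what the three rules above actually catch before deploying them, here is an added, stand-alone Python model of their matching and scoring (it is not part of the post and not SpamAssassin's own code). It assumes the thresholds quoted in the post (5.0 to tag, 10 to reject at the MTA) and runs the rules over constructed sample messages, including the .php false positive and an .exe attachment whose name appears only in Content-Disposition.

```python
import re
from email import message_from_string

# The three rules from attachments.cf as (name, regex, score); "php" is kept in
# DANGEROUS_URL so the false positive described in the post is visible.
MIMEHEADER_RULES = [("ZIP_ATTACHED", re.compile(r"zip", re.I), 7.5),
                    ("EXE_ATTACHED", re.compile(r"exe", re.I), 7.5)]
URI_RULE = ("DANGEROUS_URL",
            re.compile(r"\.(exe|zip|scr|pif|php|cmd|bat|vbs|wsh)$", re.I), 7.5)
URL_RE = re.compile(r"https?://\S+", re.I)

def score_message(raw: str) -> dict:
    """Return {rule_name: score} for the rules that fire on one message;
    as in SpamAssassin, each rule scores at most once per message."""
    msg = message_from_string(raw)
    hits = {}
    for part in msg.walk():
        # mimeheader tests the whole Content-Type header, parameters included, so
        # name="setup.exe" matches /exe/i; Content-Disposition is never consulted.
        ctype = part.get("Content-Type", "")
        for name, rx, score in MIMEHEADER_RULES:
            if rx.search(ctype):
                hits[name] = score
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in URL_RE.findall(body):
                if URI_RULE[1].search(url.rstrip(".,;)")):
                    hits[URI_RULE[0]] = URI_RULE[2]
    return hits

def verdict(hits: dict, tag_at: float = 5.0, reject_at: float = 10.0) -> str:
    """Apply the thresholds from the post: 5.0 tags as spam, 10 rejects at the MTA."""
    total = sum(hits.values())
    return "reject" if total >= reject_at else "tag" if total >= tag_at else "pass"

def build(attachment_headers: str, body: str) -> str:
    """Constructed two-part message (not real mail): a text body plus one attachment."""
    return ('MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\n" + body + "\n--b1\n"
            + attachment_headers + "\n\nUEsDBAo=\n--b1--\n")

# Constructed samples covering a hit, a near miss, a false positive and a reject.
ZIP_CASE = build('Content-Type: application/zip; name="invoice.zip"', "See attached.")
EXE_NAMED = build('Content-Type: application/octet-stream; name="setup.exe"', "Run this.")
EXE_DISPOSITION_ONLY = build('Content-Type: application/octet-stream\n'
                             'Content-Disposition: attachment; filename="setup.exe"', "Run this.")
PHP_LINK = build("Content-Type: text/plain", "Log in at http://example.com/index.php today.")
ZIP_PLUS_LINK = build('Content-Type: application/zip; name="a.zip"', "Also http://example.com/a.exe")
```

EXE_DISPOSITION_ONLY scores nothing, which shows why the Content-Type based rule alone is not a complete attachment filter, while ZIP_PLUS_LINK reaches 15 points and would be rejected at the MTA with the default threshold.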