[BlueOnyx:14161] Re: Solarspeed AV-SPAM V5

Tue Dec 24 15:41:37 -05 2013

Hi Michael,

Why does Clam not pick these viruses up?

Colin

On 24/12/2013 18:30, "Michael Stauber" <mstauber at blueonyx.it> wrote:

>Hi Colin,
>
>> We are finding that viral attachments (e.g crypto) are not being
>>filtered
>> out of email even though everything (clamav sigs etc.) is up to date.
>> Is there any way around this - I would expect these to be fitered out /
>> email dumped.
>> 
>> What is the best way forward - we are seeing a shedload of these emails
>> (e.g. From employers at alerts.hmrc.gov.uk) and had a few clients get
>>zapped.
>
>One way to deal with this is to have SpamAssassin prevent emails with
>ZIP or EXE attachments passing through.
>
>This is a bit drastic, but if you have users who use HTML emails and who
>blindly open any attachment without thinking first, then this might be
>the way to go.
>
>Here is some code that I am using. Just create the file
>/etc/mail/spamassassin/attachments.cf and paste this into it:
>
>#-----------------------------------------------------
>loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
>
>mimeheader ZIP_ATTACHED Content-Type =~ /zip/i
>describe ZIP_ATTACHED email contains a zip file attachment
>score ZIP_ATTACHED 7.5
>
>mimeheader EXE_ATTACHED Content-Type =~ /exe/i
>describe EXE_ATTACHED email contains a zip file attachment
>score EXE_ATTACHED 7.5
>
>uri      DANGEROUS_URL /\.(exe|zip|scr|pif|php|cmd|bat|vbs|wsh)$/i
>describe DANGEROUS_URL        URL contains executable content
>score    DANGEROUS_URL        7.5
>#-----------------------------------------------------
>
>It assigns a score of 7.5 to emails with attachments of either ZIP or
>EXE. The last rule applies for URLs in email bodies that point to files
>that have the extension exe, zip, scr, pif, php, cmd, bat, vbs or wsh.
>
>Including "php" as extension there creates a lot of false positives, so
>I usually remove it on my own boxes.
>
>Once you have created that file, restart SpamAssassin for the change to
>take effect:
>
>/etc/init.d/spamassassin restart
>
>FWIW: The filename of the rule file doesn't matter. As long as it's in
>the directory /etc/mail/spamassassin/ and ends with *.cf SpamAssassin
>will use these rules.
>
>Another thing you might want to adjust is the score applied to these
>rules. 7.5 points will make sure that it's most definitely marked as
>SPAM - if your users use the default 5.0 score. But it's below the
>default score of 10 at which emails will be rejected at the MTA level.
>
>If you want to keep these kind of emails out of sight of your users, but
>want to let the sender know immediately that this kind of email will not
>reach the intended recipient, use a score higher than 10 (or whatever
>the score is at which your AV-SPAM rejects at the MTA level).
>
>-- 
>With best regards
>
>Michael Stauber
>_______________________________________________
>Blueonyx mailing list
>Blueonyx at mail.blueonyx.it
>http://mail.blueonyx.it/mailman/listinfo/blueonyx