Re: Fishing

2006-09-14 Thread Benny Pedersen
On Wed, September 13, 2006 20:48, Fábio Gomes wrote:
 I didn't mean removing EXE attachments, but blocking/high scoring messages
 with links to executables in its body.

 Is it possible?

perldoc Mail::SpamAssassin::Plugin::AntiVirus

 Or - if you are using procmail:
 #Delete all messages with exe attachments

 :0
 * ^content-type: application/octet-stream
 /dev/null

this will create false positives!

and your mail will be lost to show evidence

-- 
This message was sent using 100% recycled spam mails.



Re: Fishing

2006-09-14 Thread Loren Wilton

Correction! That should be:

/htt(p|ps):\/\/.*?\/.*\.com$/i

and slightly more efficient (doesn't capture backreference):

/htt(?:p|ps):\/\/.*?\/.*\.com$/i


Or maybe more simply and readably:

   m'https?://.*/.*\.com$'i

But the .* things really should stop on something reasonable like  or \s or 
the like.  Otherwise you will get hits on


   http://my/furball.org which is a dot.com


   Loren




Re: Fishing

2006-09-14 Thread Fábio Gomes
On Wednesday 13 September 2006 18:00, [EMAIL PROTECTED] wrote:
  Bill Randle wrote:
   Amavisd-new will also drop attachments with a configurable list
   of file extensions, but the question referred to links to exe's,
   not actual exe attachments.
 
  Good point -- everyone's primed to think of attachments, it seems.
 
  Here's a stab at it: set up a URI rule.
 
  uri       EXECUTABLE_LINK  /\.(?:exe|scr)$/i
  describe  EXECUTABLE_LINK  Links to an executable file
  score     EXECUTABLE_LINK  10
 
  Just a starting place, mind you -- you may want to make it more or less
  specific.  And there may still be the occasional site running a binary
  CGI on Windows, such that the server will execute the EXE and output
  HTML, not offer the EXE for download.

 A .scr probably would not be used as a cgi...

 the other way round - it is very easy to create a php that offers an exe
 for download. So just scoring direct .exe links might cause the bad guys
 to produce better download links



I'm receiving lots of spams with bare links these days. Links to downloads
using php are more rare. I don't mind if I'm going to block some cgi's
(although that could be a problem in the future), but right now I need to
stop those nasty fishings.

I appreciate all the help I'm receiving. I find SA list very responsive.
Thank you all.


Re: Fishing

2006-09-14 Thread John Thompson
On 2006-09-13, Fábio Gomes [EMAIL PROTECTED] wrote:

 I didn't mean removing EXE attachments, but blocking/high scoring messages 
 with links to executables in its body.

 Is it possible?

I would think it would be a little tricky, as the filter would have to 
follow the link to determine if it is in fact an executable vs just 
text. 

You could simply filter such messages to a quarantine area, and/or 
configure your mail client to not run executables by default, if it 
isn't already.

-- 

John ([EMAIL PROTECTED])



RE: Fishing

2006-09-14 Thread Bowie Bailey
Loren Wilton wrote:
  Correction! That should be:
  
  /htt(p|ps):\/\/.*?\/.*\.com$/i
  
  and slightly more efficient (doesn't capture backreference):
  
  /htt(?:p|ps):\/\/.*?\/.*\.com$/i
 
 Or maybe more simply and readably:
 
 m'https?://.*/.*\.com$'i
 
 But the .* things really should stop on something reasonable like 
 or \s or the like.  Otherwise you will get hits on
 
 http://my/furball.org which is a dot.com

Or maybe just disallow whitespace:

m'https?://\S*/\S*\.com$'i

-- 
Bowie
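
The patterns proposed in this thread, run over constructed sample strings (an added example, not code from any poster). The Perl patterns are transcribed to Python's `re` syntax; the names `COM_GREEDY` and `COM_NO_SPACE`, the helper functions and every sample string are assumptions made for the illustration.

```python
import re

# Patterns quoted in the thread, transcribed from Perl to Python's re syntax.
EXE_LINK = re.compile(r"\.(?:exe|scr)$", re.I)               # Kelson's uri rule
COM_GREEDY = re.compile(r"https?://.*/.*\.com$", re.I)       # Loren's simplified form
COM_NO_SPACE = re.compile(r"https?://\S*/\S*\.com$", re.I)   # Bowie's variant

# Constructed sample inputs (not taken from real mail).
SAMPLES = [
    "http://example.net/files/setup.exe",        # direct link to an .exe
    "http://example.net/saver.SCR",              # upper-case extension
    "http://example.net/tools/format.com",       # .com file in the path
    "http://example.com",                        # .com domain, no path
    "http://example.com/index.html",             # .com domain, harmless page
    "http://my/furball.org which is a dot.com",  # Loren's body-text case
    "http://example.net/download.php?id=7",      # script-served download
]


def classify(text):
    """Return the names of the thread's patterns that hit on `text`."""
    hits = []
    if EXE_LINK.search(text):
        hits.append("EXE_LINK")
    if COM_GREEDY.search(text):
        hits.append("COM_GREEDY")
    if COM_NO_SPACE.search(text):
        hits.append("COM_NO_SPACE")
    return hits


def report(samples=SAMPLES):
    """Map each sample string to the list of patterns that matched it."""
    return {s: classify(s) for s in samples}


if __name__ == "__main__":
    for sample, hits in report().items():
        print(f"{sample!r:48} -> {', '.join(hits) or 'no hit'}")
```

Requiring a slash after the host keeps a bare `.com` domain from hitting, the `\S*` form drops the body-text false positive Loren describes, and the script-served download goes unmatched by all three, which is the limitation raised elsewhere in the thread.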


Fishing

2006-09-13 Thread Fábio Gomes
Hi list,

Is there any way to block messages with links to executables like *.exe,
*.com and *.scr?

Best Regards,
Fábio Gomes


Re: Fishing

2006-09-13 Thread Evan Platt

At 11:09 AM 9/13/2006, you wrote:

Hi list,

Is there any way to block messages with links to executables like *.exe,
*.com and *.scr?


Not with SpamAssassin, but possibly with whatever MUA you have. 





Re: Fishing

2006-09-13 Thread Ed Kasky

At 11:10 AM Wednesday, 9/13/2006, Michel Vaillancourt wrote -=

Fábio Gomes wrote:
 Hi list,

   Is there any way to block messages with links to executables like *.exe,
 *.com and *.scr?

   Best Regards,
   Fábio Gomes

If you are using Postfix as your MTA, this isn't hard to do at all.


Or - if you are using procmail:

#Delete all messages with exe attachments
:0
* ^content-type: application/octet-stream
/dev/null

Ed Kasky
~
Randomly Generated Quote (461 of 511):
The truth is a precious commodity. That's why I use it so sparingly.
- Mark Twain



Re: Fishing

2006-09-13 Thread Fábio Gomes
I didn't mean removing EXE attachments, but blocking/high scoring messages 
with links to executables in its body.

Is it possible?

BTW, I'm using qmail.

Regards,
Fábio Gomes

On Wednesday 13 September 2006 15:34, Ed Kasky wrote:
 At 11:10 AM Wednesday, 9/13/2006, Michel Vaillancourt wrote -=

 Fábio Gomes wrote:
   Hi list,
  
 Is there any way to block messages with
 
  links to executables like *.exe,
 
   *.com and *.scr?
  
 Best Regards,
 Fábio Gomes
 
  If you are using Postfix as your MTA, this isn't hard to do at
  all.

 Or - if you are using procmail:

 #Delete all messages with exe attachments

 :0

 * ^content-type: application/octet-stream
 /dev/null

 Ed Kasky
 ~
 Randomly Generated Quote (461 of 511):
 The truth is a precious commodity. That's why I use it so sparingly.
 - Mark Twain


Re: Fishing

2006-09-13 Thread Bill Randle

 At 11:10 AM Wednesday, 9/13/2006, Michel Vaillancourt wrote -=
Fábio Gomes wrote:
  Hi list,
 
Is there any way to block messages with
 links to executables like *.exe,
  *.com and *.scr?
 

 If you are using Postfix as your MTA, this isn't hard to do at
 all.

 Or - if you are using procmail:

 #Delete all messages with exe attachments
 :0
 * ^content-type: application/octet-stream
 /dev/null

Amavisd-new will also drop attachments with a configurable list
of file extensions, but the question referred to links to exe's,
not actual exe attachments.

-Bill



-- 



Re: Fishing

2006-09-13 Thread Kelson

Bill Randle wrote:

Amavisd-new will also drop attachments with a configurable list
of file extensions, but the question referred to links to exe's,
not actual exe attachments.


Good point -- everyone's primed to think of attachments, it seems.

Here's a stab at it: set up a URI rule.

uri       EXECUTABLE_LINK  /\.(?:exe|scr)$/i
describe  EXECUTABLE_LINK  Links to an executable file
score     EXECUTABLE_LINK  10

Just a starting place, mind you -- you may want to make it more or less 
specific.  And there may still be the occasional site running a binary 
CGI on Windows, such that the server will execute the EXE and output 
HTML, not offer the EXE for download.


.com will, of course, be a challenge.

--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: Fishing

2006-09-13 Thread John D. Hardin
On Wed, 13 Sep 2006, Fábio Gomes wrote:

   Is there any way to block messages with links to executables like 
 *.exe, 
 *.com and *.scr?

I will be adding that to my email security tool this week.

http://www.impsec.org/email-tools/procmail-security.html

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The difference is that Unix has had thirty years of technical
  types demanding basic functionality of it. And the Macintosh has
  had fifteen years of interface fascist users shaping its progress.
  Windows has the hairpin turns of the Microsoft marketing machine
  and that's all.    -- Red Drag Diva
---
 4 days until The 219th anniversary of the signing of the U.S. Constitution



Re: Fishing

2006-09-13 Thread Steve Thomas
 .com will, of course, be a challenge.

/htt[p|ps]:\/\/.*?\/.*\.com$/i





Re: Fishing

2006-09-13 Thread Steve Thomas
 .com will, of course, be a challenge.

 /htt[p|ps]:\/\/.*?\/.*\.com$/i

Correction! That should be:

/htt(p|ps):\/\/.*?\/.*\.com$/i

and slightly more efficient (doesn't capture backreference):

/htt(?:p|ps):\/\/.*?\/.*\.com$/i





Re: Fishing

2006-09-13 Thread hamann . w
 
 Bill Randle wrote:
  Amavisd-new will also drop attachments with a configurable list
  of file extensions, but the question referred to links to exe's,
  not actual exe attachments.
 
 Good point -- everyone's primed to think of attachments, it seems.
 
 Here's a stab at it: set up a URI rule.
 
 uri       EXECUTABLE_LINK  /\.(?:exe|scr)$/i
 describe  EXECUTABLE_LINK  Links to an executable file
 score     EXECUTABLE_LINK  10
 
 Just a starting place, mind you -- you may want to make it more or less 
 specific.  And there may still be the occasional site running a binary 
 CGI on Windows, such that the server will execute the EXE and output 
 HTML, not offer the EXE for download.

A .scr probably would not be used as a cgi...

the other way round - it is very easy to create a php that offers an exe for
download. So just scoring direct .exe links might cause the bad guys to produce
better download links

Wolfgang Hamann

 
 .com will, of course, be a challenge.
 
 -- 
 Kelson Vibber
 SpeedGate Communications www.speed.net
 






Re: Fishing

2006-09-13 Thread Andreas Pettersson

Steve Thomas wrote:


/htt(?:p|ps):\/\/.*?\/.*\.com$/i

 



Why not /https?:\/\/.*?\/.*\.com$/i
?



Re: Fishing

2006-09-13 Thread jdow

Visit Wiki. Look for ClamAVPlugin. To save you some effort:
http://wiki.apache.org/spamassassin/ClamAVPlugin

This uses ClamAV as a scanner for virus laden email.

SpamAssassin NEVER blocks email. You probably can, however, setup a
simple filter for .exe etc in your MDA. You certainly can do it with
procmail, for example. I found it more hassle than it was worth.

{^_^}
- Original Message - 
From: Fábio Gomes [EMAIL PROTECTED]



Hi list,

Is there any way to block messages with links to executables like *.exe,
*.com and *.scr?

Best Regards,
Fábio Gomes 



Re: Fishing

2006-09-13 Thread John D. Hardin
On 13 Sep 2006 [EMAIL PROTECTED] wrote:

 the other way round - it is very easy to create a php that offers
 an exe for download. So just scoring direct .exe links might
 cause the bad guys to produce better download links

True. As I said in an earlier post, scoring on bare executable URIs is
a low-hanging-fruit test.

Past that we stray into the realm of trying to analyze the URI vs. the
displayed link text to see if it looks like it is an attempt to mask a
hostile URI with a superficially trustworthy URI. Which has been
discussed here before.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79



Re: Fishing

2006-09-13 Thread Steve Thomas
 Steve Thomas wrote:

/htt(?:p|ps):\/\/.*?\/.*\.com$/i


 Why not /https?:\/\/.*?\/.*\.com$/i

Because I always forget that the question mark can be used that way, and
if I can't seem to remember it, nobody else gets to use it! That's why. :)

Nice catch.

Steve atrophying perl skills Thomas