Re: Help with new rule, and local.cf
On 03.06.10 20:45, cviebrock wrote:
> Thanks for the link. That'll help.
>
> In general, though, can I write a SA rule that looks at the raw message body with trying to decode attachments, etc.? I thought that would be the easiest way to catch these messages (and some other spam that comes in as PNG files).

For images, there is the FuzzyOcr plugin that can catch image spam.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Atheism is a non-prophet organization.
Re: Help with new rule, and local.cf
On Thu, 2010-06-03 at 19:44 -0700, cviebrock wrote:
> I'm trying to write a rule to catch a bunch of spam I'm getting recently that contain only an .RTF file. The filename, subject line, and other details vary, but the raw message body is always the same i.e. the base64 encoded RTF file. See the headers and first few lines of the email here, plus my attempted rule (which doesn't seem to be firing).

Are you certain that the string you're matching is common to all RTF spam messages without being common to all RTF messages, e.g. a standard RTF header?

I'm trapping all the RTF spam I'm getting by firstly recognising the RTF attachment:

    describe   MG_RTF  RTF text file
    mimeheader MG_RTF  Content-Type =~ /name\=\".{1,20}\.rtf\"/i
    score      MG_RTF  0.75

and using that in meta-rules that combine it with other information (I don't accept RTF attachments from some mailing lists or if they're sent to an address that I don't send mail from or use for subscriptions).

Martin
Re: Help with new rule, and local.cf
You're right in that it *could* be a common RTF header, but a bit of decoding of the attachments on my end seems to indicate that it isn't. All these spam RTFs are practically identical except for a different URL link in the document, and a different (probably forged) generator Msftedit #.##.##.### line.

I guess my question is more general: how do I write a rule that looks at the undecoded content of the emails, versus one that looks at the decoded parts?

- Colin

--
View this message in context: http://old.nabble.com/Help-with-new-rule%2C-and-local.cf-tp28775147p28780895.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Help with new rule, and local.cf
On Fri 04 Jun 2010 04:44:46 AM CEST, cviebrock wrote:
> http://pastebin.com/xFddVaX8

http://sanesecurity.org/

Don't know what ClamAV rules help for this, but this is another way to stop spam attachments.

Remember to make a good choice of official sigs in clamd if using clamav milter, only reject official sigs, and I believe one can enable it on call to daemon so all is being scored as spam; not tried, but I believe it can be done.

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Help with new rule, and local.cf
Hi,

There are already a few threads about this ...

http://www.gossamer-threads.com/lists/spamassassin/users/153560?do=post_view_threaded

Regards

On Fri, Jun 4, 2010 at 4:44 AM, cviebrock colinviebr...@gmail.com wrote:
> I'm trying to write a rule to catch a bunch of spam I'm getting recently that contain only an .RTF file. The filename, subject line, and other details vary, but the raw message body is always the same i.e. the base64 encoded RTF file. See the headers and first few lines of the email here, plus my attempted rule (which doesn't seem to be firing).
>
> http://pastebin.com/xFddVaX8
>
> Any suggestions? Actually, I'm not sure if any of my rules in local.cf are firing. I'm running SA 3.3.0 via spampd 2.30-22 and Postfix 2.5.5, Perl 5.10.0 on Debian Lenny. I'll post any config settings needed to help.
>
> Thanks, and sorry if I'm being a newb!
>
> - Colin
Re: Help with new rule, and local.cf
Thanks for the link. That'll help.

In general, though, can I write a SA rule that looks at the raw message body with trying to decode attachments, etc.? I thought that would be the easiest way to catch these messages (and some other spam that comes in as PNG files).

- Colin
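Added example, not part of any poster's message and not SpamAssassin code: a Python sketch of the two views asked about in the thread, run over a constructed message. In SpamAssassin, `full` rules match the pristine, still-encoded message, while `body` and `rawbody` rules match transfer-decoded text parts; the addresses, URL and generator version below are constructed.

```python
import base64
import re
from email import message_from_bytes
from email.message import EmailMessage

# Constructed RTF payload, not one of the spams discussed in the thread.
RTF = rb"{\rtf1\ansi{\*\generator Msftedit 0.00.00.000;}\pard http://example.invalid/\par}"

def build_sample() -> bytes:
    """Build a constructed message whose only attachment is a base64 RTF file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(RTF, maintype="application", subtype="rtf",
                       filename="doc.rtf")
    return msg.as_bytes()

def raw_view(raw: bytes) -> str:
    """Pristine message: headers plus still-encoded bodies (the `full` view)."""
    return raw.decode("ascii", "replace")

def decoded_parts(raw: bytes) -> dict:
    """Each leaf MIME part after transfer decoding, keyed by content type."""
    msg = message_from_bytes(raw)
    return {p.get_content_type(): p.get_payload(decode=True)
            for p in msg.walk() if not p.is_multipart()}

def b64_prefix_pattern(plain: bytes) -> str:
    """Base64 form of bytes sitting at the very start of an encoded part.
    Only whole 3-byte groups are used: the encoding of a trailing partial
    group depends on the bytes that follow it."""
    usable = plain[: len(plain) // 3 * 3]
    return re.escape(base64.b64encode(usable).decode("ascii"))

def scan(raw: bytes) -> dict:
    """Test the RTF magic bytes against the raw and the decoded view."""
    magic = rb"{\rtf1"
    full = raw_view(raw)
    parts = decoded_parts(raw)
    pattern = "^" + b64_prefix_pattern(magic)
    return {
        "plain_in_raw": magic.decode("ascii") in full,
        "b64_in_raw": re.search(pattern, full, re.M) is not None,
        "plain_in_decoded": parts["application/rtf"].startswith(magic),
    }
```

A pattern written against the raw view only survives if the matched bytes stay at the same offset modulo 3 in every sample, which is why anchoring on the start of the encoded part is the stable case.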