Re: Rule to block link to *.zip *.exe *.scr ...

2008-08-05 Thread Dave Koontz


Rejaine Monteiro wrote ... (8/1/2008 1:40 PM):


> Hi all
>
> How can I create a generic rule to block any e-mail with links to 
> dangerous files ?
>
> Like http://.zip or http://***.exe  or ***.doc.exe  etc...

This is one I wrote to deal with a large influx of Storm Worms that got 
through once.



uri       DANGEROUS_URL  /\.(exe|scr|pif|cmd|bat|vbs|wsh)$/i
describe  DANGEROUS_URL  URL contains executable content
score     DANGEROUS_URL  7.5





Re: Rule to block link to *.zip *.exe *.scr ...

2008-08-01 Thread John Hardin

On Fri, 1 Aug 2008, Rejaine Monteiro wrote:

> note: i'm not talking about block  *attached*  files ..  (my qmail-scanner 
> already do this..)

Oops. I misread your question then.

> i need a rule  to target as spam e-mail  with *links to*  dangerous files..

Here's what I use:

uri       EXECUTABLE_URI  /^(?:https?|ftp):\/\/[^\s?]{1,80}\/[^\s?]{1,80}\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$/i
describe  EXECUTABLE_URI  Links to an executable file
score     EXECUTABLE_URI  3.00


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #6: If you can choose what to bring to a
  gunfight, bring a long gun and a friend with a long gun.
---
 3 days until the 273rd anniversary of John Peter Zenger's acquittal


Re: Rule to block link to *.zip *.exe *.scr ...

2008-08-01 Thread Rejaine Monteiro

OK..
Sorry for my bad English ...  Thank you for the tip..!


Karsten Bräckelmann wrote:
> On Fri, 2008-08-01 at 15:01 -0300, Rejaine Monteiro wrote:
> > note: i'm not talking about block  *attached*  files ..  (my 
> > qmail-scanner already do this..)
> >
> > i need a rule  to target as spam e-mail  with *links to*  dangerous files..
>
> Yes, I did understand that, and that's exactly what I discussed and
> referred to. Do you understand my reply?
>
> > Karsten Bräckelmann wrote:
> > > On Fri, 2008-08-01 at 14:40 -0300, Rejaine Monteiro wrote:
> > > > Hi all
> > > >
> > > > How can I create a generic rule to block any e-mail with links to 
> > > > dangerous files ?
> > >
> > > Easy, just ask those folks related to tools in your mail processing
> > > chain that actually can block mail. SA does not. SA tags mail, it does
> > > not deliver mail in any way, including blocking.
> > >
> > > > Like http://.zip or http://***.exe  or ***.doc.exe  etc...
> > >
> > > A uri rule will be easy to write, to match this. See the docs:
> > >   http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html
>
> Sorry, forgot to mention:  Section "Rule Definitions and Privileged
> Settings".
>
> Oh well, something like this:
>
> uri  L_URI_BADFILEEXT  /\.(zip|exe)$/
>
> > > An alternative approach would be, to consider using ClamAV with the
> > > SaneSecurity phish sigs. I believe they should catch almost all of
> > > these.
>
>   guenther


  


Re: Rule to block link to *.zip *.exe *.scr ...

2008-08-01 Thread Karsten Bräckelmann
On Fri, 2008-08-01 at 15:01 -0300, Rejaine Monteiro wrote:
> note: i'm not talking about block  *attached*  files ..  (my 
> qmail-scanner already do this..)
> i need a rule  to target as spam e-mail  with *links to*  dangerous files..

Yes, I did understand that, and that's exactly what I discussed and
referred to. Do you understand my reply?


> Karsten Bräckelmann wrote:
> > On Fri, 2008-08-01 at 14:40 -0300, Rejaine Monteiro wrote:
> >   
> >> Hi all
> >>
> >> How can I create a generic rule to block any e-mail with links to 
> >> dangerous files ?
> >
> > Easy, just ask those folks related to tools in your mail processing
> > chain that actually can block mail. SA does not. SA tags mail, it does
> > not deliver mail in any way, including blocking.
> >
> >   
> >> Like http://.zip or http://***.exe  or ***.doc.exe  etc...
> >
> > A uri rule will be easy to write, to match this. See the docs:
> >   http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

Sorry, forgot to mention:  Section "Rule Definitions and Privileged
Settings".

Oh well, something like this:

uri  L_URI_BADFILEEXT  /\.(zip|exe)$/


> > An alternative approach would be, to consider using ClamAV with the
> > SaneSecurity phish sigs. I believe they should catch almost all of
> > these.

  guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
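
Added example (not part of any message in this thread): a Python check that runs the three uri patterns posted above, DANGEROUS_URL, EXECUTABLE_URI and L_URI_BADFILEEXT, over constructed sample URIs to show where their coverage differs. Assumptions: Python's re stands in for SpamAssassin's Perl regex engine, SpamAssassin's own URI extraction and normalisation is not reproduced, and every sample URI is made up for the test.

```python
import re

# The three uri rules posted in this thread, as (pattern, flags).
# SpamAssassin compiles them as Perl regexes; Python's re is used here
# as a stand-in (assumption), which is adequate for these patterns.
RULES = {
    "DANGEROUS_URL": (r"\.(exe|scr|pif|cmd|bat|vbs|wsh)$", re.I),
    "EXECUTABLE_URI": (
        r"^(?:https?|ftp):\/\/[^\s?]{1,80}\/[^\s?]{1,80}"
        r"\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$", re.I),
    # Posted without the /i modifier, so it is case-sensitive.
    "L_URI_BADFILEEXT": (r"\.(zip|exe)$", 0),
}
COMPILED = {name: re.compile(p, f) for name, (p, f) in RULES.items()}

# Constructed sample URIs (not taken from real mail).
SAMPLES = [
    "http://files.example.com/cards/postcard.exe",
    "http://files.example.com/docs/report.doc.exe",
    "http://files.example.com/cards/POSTCARD.EXE",
    "http://files.example.com/archive/photos.zip",
    "http://files.example.com/lib/helper.dll",
    "ftp://ftp.example.org/pub/tools/setup.scr",
    # All three patterns end in $, so the extension must end the URI.
    "http://files.example.com/get/postcard.exe?id=42",
    # Benign control: no rule should fire.
    "http://www.example.com/downloads/index.html",
]

def hits(uri):
    """Return the sorted names of the rules whose regex matches this URI."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(uri))

def coverage(samples=SAMPLES):
    """Map every sample URI to the list of rules that would fire on it."""
    return {uri: hits(uri) for uri in samples}

if __name__ == "__main__":
    for uri, names in coverage().items():
        print(f"{uri:50} {', '.join(names) or '-'}")
```

After changing a pattern in RULES and rerunning, `spamassassin --lint` checks that the real rule file still parses.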



Re: Rule to block link to *.zip *.exe *.scr ...

2008-08-01 Thread Rejaine Monteiro


note: i'm not talking about block  *attached*  files ..  (my 
qmail-scanner already do this..)

i need a rule  to target as spam e-mail  with *links to*  dangerous files..

Karsten Bräckelmann wrote:
> On Fri, 2008-08-01 at 14:40 -0300, Rejaine Monteiro wrote:
> > Hi all
> >
> > How can I create a generic rule to block any e-mail with links to 
> > dangerous files ?
>
> Easy, just ask those folks related to tools in your mail processing
> chain that actually can block mail. SA does not. SA tags mail, it does
> not deliver mail in any way, including blocking.
>
> > Like http://.zip or http://***.exe  or ***.doc.exe  etc...
>
> A uri rule will be easy to write, to match this. See the docs:
>   http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html
>
> An alternative approach would be, to consider using ClamAV with the
> SaneSecurity phish sigs. I believe they should catch almost all of
> these.
>
>   guenther


  


Re: Rule to block link to *.zip *.exe *.scr ...

2008-08-01 Thread Karsten Bräckelmann
On Fri, 2008-08-01 at 14:40 -0300, Rejaine Monteiro wrote:
> Hi all
> 
> How can I create a generic rule to block any e-mail with links to 
> dangerous files ?

Easy, just ask those folks related to tools in your mail processing
chain that actually can block mail. SA does not. SA tags mail, it does
not deliver mail in any way, including blocking.


> Like http://.zip or http://***.exe  or ***.doc.exe  etc...

A uri rule will be easy to write, to match this. See the docs:
  http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

An alternative approach would be, to consider using ClamAV with the
SaneSecurity phish sigs. I believe they should catch almost all of
these.

  guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}