I'm getting pummeled with a few dozen copies of the latest MS
worm/trojan every hour so I figured I'd try to get SA to flag them, but
unfortunately I'm not having very much luck.  I've been trying to add
some custom rules to my /etc/mail/spamassassin/local.cf but they never
seem to match.  Here are a few of what I've tried:

body MS_WORM_1 /september 2003/i
description MS_WORM_1 Appears to contain latest MS worm
score MS_WORM_1 5.0

Yeah, I know I should match on more than just "September 2003" but I
figured I'd start simple...  If I replace the search string with
"microsoft" it works.  But "september 2003" appears a few times in the
worm's e-mail so why isn't this catching it?

I also tried to match on a line from one of the MIME-encoded inline GIFs in
the worm's e-mail:

rawbody MS_WORM_2 /55SVoszN28vM2pGUr7S1vqqtv52frOPl8CQvaquz2Ojp/
description MS_WORM_2 Appears to contain MIME attachment for latest MS worm
score MS_WORM_2 5.0

I've tried both these tests using body, rawbody, and full, but none of
them ever match.  I finally broke down and just set the score for
MICROSOFT_EXECUTABLE to 10 for now.  At least that's now catching all
the worm e-mails.  But I don't want to use that for a long term solution...

So what am I doing wrong in these tests?  The relevant parts of the
worm's e-mail that I'm trying to match against are below.

-Bruce



--ravpnjpuwote
Content-Type: multipart/related; boundary="lhsovqizkoelrlmi";
        type="multipart/alternative"

--lhsovqizkoelrlmi
Content-Type: multipart/alternative; boundary="vwruurrftbo"

--vwruurrftbo
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Microsoft Client

this is the latest version of security update, the
"September 2003, Cumulative Patch" update which fixes

<snip>

--vwruurrftbo
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD>
<style type=3D'text/css'>.navtext{color:#ffffff;text-decoration:none}
</style>
</HEAD>

<BODY BGCOLOR=3D"White" TEXT=3D"Black">
<BASEFONT SIZE=3D"2" face=3D"verdana,arial">
<TABLE WIDTH=3D"600" HEIGHT=3D"40" BGCOLOR=3D"#1478EB">
<TR height=3D"20">
<TD ALIGN=3D"left" VALIGN=3D"TOP" WIDTH=3D"400" ROWSPAN=3D"2">&nbsp;

<FONT FACE=3D"sans-serif" SIZE=3D"5"><I><B>
<A class=3D'navtext' HREF=3D"http://www.microsoft.com/";
TITLE=3D"Microsoft Home Site" target=3D"_top">Microsoft</A>
</B></I></FONT>
</TD>

<TD ALIGN=3D"right" VALIGN=3D"MIDDLE" BGCOLOR=3D"Black" NOWRAP>
<FONT color=3D"#ffffff" size=3D1>&nbsp;
<A class=3D'navtext' href=3D'http://www.microsoft.com/catalog/' =
target=3D"_top">All Products</A>&nbsp;|&nbsp;
<A class=3D'navtext' href=3D'http://support.microsoft.com/' =
target=3D"_top">Support</A>&nbsp;|&nbsp;

<A class=3D'navtext' href=3D'http://search.microsoft.com/' =
target=3D"_top">Search</A>&nbsp;|&nbsp;
<A class=3D'navtext' href=3D'http://www.microsoft.com/' target=3D_top>
Microsoft.com Guide</A>&nbsp;
</FONT>
</TD>
</TR>

<TR>
<TD ALIGN=3D"right" VALIGN=3D"BOTTOM" NOWRAP>
<FONT FACE=3D"Verdana, Arial" SIZE=3D1><B>
<A class=3D'navtext' HREF=3D'http://www.microsoft.com/' TARGET=3D" top">
Microsoft Home</A>&nbsp;&nbsp;</B>

</FONT>
</TD>
</TR>
</TABLE>

&nbsp;<IMG SRC=3D"cid:hewgtpu"; BORDER=3D"0"><BR><BR>
<TABLE WIDTH=3D"600"><TR><TD><FONT SIZE=3D"2">
Microsoft Client<BR><BR>
this is the latest version of security update, the
"September 2003, Cumulative Patch" update which fixes

<snip>

--vwruurrftbo--

--lhsovqizkoelrlmi
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <hewgtpu>

R0lGODlhaAA7APcAAP///+rp6puSp6GZrDUjUUc6Zn53mFJMdbGvvVtXh2xre8bF1x8cU4yLprOy
zIGArlZWu25ux319xWpqnnNzppaWy46OvKKizZqavLa2176+283N5sfH34uLmpKSoNvb7c7O3L29
yqOjrtTU4crK1Nvb5erq9O/v+O7u99PT2sbGzePj6vLy99jY3Pv7/vb2+fn5++/v8Kqr0oWHuNbX
55SVoszN28vM2pGUr7S1vqqtv52frOPl8CQvaquz2Ojp7pmn3Ozu83OPzmmT6F1/xo6Voh9p2C5z

<snip>


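As an added debugging aid (not part of Bruce's post, and not SpamAssassin's own code), the script below parses a constructed copy of the posted message and runs the two posted patterns against an approximation of the three inputs SpamAssassin rule types see, as its Conf documentation describes them in outline: `body` is the Subject plus the decoded text parts with HTML tags and line breaks removed, `rawbody` is the decoded text parts with HTML and line breaks kept but non-text attachments excluded, and `full` is the entire pristine message including all MIME data. The envelope headers, the outer `multipart/mixed` type and the trimming of the snipped parts are assumptions; the base64 fragment is the one from the post, which sits inside a single 76-column base64 line of the GIF part, so only a `full` rule can ever see it. The real preprocessing differs in details, so this is a way to reason about which view a pattern belongs in, not a substitute for running SpamAssassin.

```python
import email
import re
from email import policy

# Constructed sample reproducing the MIME structure of the posted worm
# message.  Envelope headers and the outer multipart/mixed type are
# assumptions (the post snipped them); the text parts are trimmed.
RAW = b"""From: sender@example.invalid
To: bruce@example.invalid
Subject: Microsoft Client
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ravpnjpuwote"

--ravpnjpuwote
Content-Type: multipart/related; boundary="lhsovqizkoelrlmi";
        type="multipart/alternative"

--lhsovqizkoelrlmi
Content-Type: multipart/alternative; boundary="vwruurrftbo"

--vwruurrftbo
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Microsoft Client

this is the latest version of security update, the
"September 2003, Cumulative Patch" update which fixes

--vwruurrftbo
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><BODY BGCOLOR=3D"White" TEXT=3D"Black">
<TABLE WIDTH=3D"600"><TR><TD><FONT SIZE=3D"2">
Microsoft Client<BR><BR>
this is the latest version of security update, the
"September 2003, Cumulative Patch" update which fixes
</FONT></TD></TR></TABLE></BODY></HTML>

--vwruurrftbo--

--lhsovqizkoelrlmi
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <hewgtpu>

R0lGODlhaAA7APcAAP///+rp6puSp6GZrDUjUUc6Zn53mFJMdbGvvVtXh2xre8bF1x8cU4yLprOy
55SVoszN28vM2pGUr7S1vqqtv52frOPl8CQvaquz2Ojp7pmn3Ozu83OPzmmT6F1/xo6Voh9p2C5z

--lhsovqizkoelrlmi--

--ravpnjpuwote--
"""

# The two patterns from the post (without the /i, applied below).
RULES = {
    "MS_WORM_1": r"september 2003",
    "MS_WORM_2": r"55SVoszN28vM2pGUr7S1vqqtv52frOPl8CQvaquz2Ojp",
}

HTML_TAG = re.compile(r"<[^>]+>")


def _text_parts(msg):
    """Yield each text/* leaf part, decoded from quoted-printable/base64."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)  # undoes QP / base64
            charset = part.get_content_charset() or "us-ascii"
            yield payload.decode(charset, "replace")


def body_view(msg):
    """Approximate 'body' input: Subject + decoded text parts, tags and
    line breaks removed.  The GIF is not text, so it never appears here."""
    chunks = [str(msg.get("Subject", ""))]
    chunks += [HTML_TAG.sub(" ", text) for text in _text_parts(msg)]
    return re.sub(r"\s+", " ", " ".join(chunks))


def rawbody_view(msg):
    """Approximate 'rawbody' input: decoded text parts with HTML tags and
    line breaks still present; non-text attachments are excluded."""
    return "\n".join(_text_parts(msg))


def full_view(raw):
    """'full' input: the pristine message, headers and all MIME data."""
    return raw.decode("us-ascii", "replace")


def rule_hits(view, pattern):
    """Case-insensitive search, like the /i modifier on the posted rules."""
    return re.search(pattern, view, re.I) is not None


def check_all(raw=RAW):
    """Return {rule: {view: hit?}} for every rule against every view."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    views = {"body": body_view(msg), "rawbody": rawbody_view(msg),
             "full": full_view(raw)}
    return {name: {v: rule_hits(text, pat) for v, text in views.items()}
            for name, pat in RULES.items()}


if __name__ == "__main__":
    for rule, hits in check_all().items():
        print(rule, hits)
```

The authoritative check is still SpamAssassin itself: put the rule in local.cf, run `spamassassin --lint` to catch configuration syntax errors, then `spamassassin -D -t < sample.eml` to see which rules fire on a saved copy of the message and what the debug output says about how the parts were decoded.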