Matthias, I recommend to block all .pif files as well as some other "dangerous ones":
From my amavis.conf:
$banned_filename_re = new_RE(
  qr'^UNDECIPHERABLE$',                                  # password protected zip files
  qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll|reg)$'i,  # double extension
  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|reg)$'i,            # banned extension - basic
  qr'.\.(vb|vbe|js|jse|com)$'i,                          # banned extension - VB and Java
  ...
Depending on the files that you receive, you may want to remove a few file suffixes.
-Marc
Pierre Thomson wrote:
As others will no doubt point out, SpamAssassin is not a virus scanner, and if you are getting viruses through your gateway you should be looking for a better virus scanner...
That said, I would use "body" tests rather than "full". Body tests will strip out invisible HTML codes from the mail, so you can match text as your mail reader displays it.
Also, I would avoid trying to match a very long text string. Rather, look for unique keywords or phrases, like:
body VTEST1 /to send a huge amount of junk email/
describe VTEST1 phrase found in virus mails
score VTEST1 2.0

body VTEST2 /compromised and now runs a hidden proxy/
describe VTEST2 phrase found in virus mails
score VTEST2 2.0

body VTEST3 /instructions in order to keep your computer/
describe VTEST3 phrase found in virus mails
score VTEST3 2.0
It's best to make a set of rules and either use additive scoring or a META rule to combine them. That way, the occasional mail that may match one test will not be killed.
Pierre Thomson BIC
-----Original Message-----
From: Matthias Keller [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 8:46 AM
To: [EMAIL PROTECTED]
Subject: Trying to catch those latest virii....
Hi
There seems to be a virus spreading, I've received it several times, it goes like this:
Subject: Returned mail: see transcript for details
Body:
Dear user of <maildomain>,
We have received reports that your email account has been used to send a huge amount of junk email during this week. Obviously, your computer was compromised and now runs a hidden proxy server.
Please follow our instructions in order to keep your computer safe.
Best regards, <maildomain> user support team.
attached is a .pif file no virus scanner (yet?) detects as spam.
So I wanted to write a rule against those sentences, but whatever I try, no rule will match....
I tried:
full _MKE_xVIRUS1 /We have received reports that your email account has been used to send a huge amount of junk email/i
full _MKE_xVIRUS2 /Obviously, your computer was compromised and now runs a hidden proxy server/i
and added for each one a score and a description
I also tried body, rawbody but still NO match at all!
The Mail has a MIME Type of multipart/mixed
and the first part is:
------=_NextPart_000_0001_F824EC38.FBF36544
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
<here comes the mail body...>
Am I doing something wrong that my rules won't trigger? The file should be read, as other rules out of the same file matched regularly over the last few days...
Thanx
Matt
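Added illustration, not code from anyone in this thread: a small Python model of Pierre's point, run on a constructed mail in the shape Matthias described. It approximates what a "body" test sees (decoded text parts, line wraps collapsed) versus a "full"-style regex over the raw message, and combines short-phrase hits with a META-style threshold. The hard line wrap in the sample is an assumption, not something the thread states about the real mail.

```python
import re
from email import message_from_string

# Constructed sample: multipart/mixed with a text/plain first part, as in the
# original post. Assumption: the body arrives hard-wrapped mid-sentence.
RAW_MAIL = """\
Subject: Returned mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dear user of example.invalid,
We have received reports that your email account has been used to send a
huge amount of junk email during this week. Obviously, your computer was
compromised and now runs a hidden proxy server.
Please follow our instructions in order to keep your computer safe.
--BOUNDARY--
"""

# Short-phrase rules in the style of Pierre's VTEST1..3, each with its score.
BODY_RULES = {
    "VTEST1": (re.compile(r"to send a huge amount of junk email", re.I), 2.0),
    "VTEST2": (re.compile(r"compromised and now runs a hidden proxy", re.I), 2.0),
    "VTEST3": (re.compile(r"instructions in order to keep your computer", re.I), 2.0),
}

def rendered_body(raw):
    """Approximate a 'body' test's view: decoded text/plain parts, wraps collapsed."""
    msg = message_from_string(raw)
    texts = [p.get_payload(decode=True).decode("us-ascii", "replace")
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    return re.sub(r"\s+", " ", " ".join(texts))

def full_phrase_matches(raw):
    """A 'full'-style rule with one long literal phrase over the raw mail:
    the hard wrap after 'send a' silently defeats it."""
    return re.search(r"used to send a huge amount of junk email", raw, re.I) is not None

def score(raw, meta_min_hits=2, meta_score=3.0):
    """Additive scoring plus a META-style rule that fires only when at least
    meta_min_hits body rules hit, so a lone accidental match is not fatal."""
    body = rendered_body(raw)
    hits = [name for name, (rx, _) in BODY_RULES.items() if rx.search(body)]
    total = sum(BODY_RULES[n][1] for n in hits)
    if len(hits) >= meta_min_hits:
        hits.append("VTEST_META")
        total += meta_score
    return hits, total
```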
