Mailing List Archive

Rules for File Attachments in multipart/mixed ??
Hi!

I'd like to mark messages which contain .SCR .PIF .BAT .COM file attachments as
Spam, and reject them before they enter our mail system.

Yes, I know that SA is not a Virus Scanner, but there is no reason that any
valid message should contain them.

I've tried - in vain - to write a rule for this.

It appears that SA will look in the message header, but won't look in the
headers for each part of a multipart/mixed.

Or am I doing something horribly wrong (most likely)???

Here's an example of one part of a multipart/mixed:

# Content-Type: application/octet-stream; name="www.paypal.com.pif"
# Content-Transfer-Encoding: base64
# Content-Disposition: attachment; filename="www.paypal.com.pif"

How do I write a rule?


David M. Hennessey
Office of the Deputy CIO
U.S. International Trade Commission
500 E. Street, SW
Washington, DC 20436
202-205-2518 Fax: 202-205-2024
E-mail: dhennessey@usitc.gov
RE: Rules for File Attachments in multipart/mixed ??
Maybe you could hand over that task to something like MailScanner
(http://www.mailscanner.info). It does the job for us.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: news [mailto:news@sea.gmane.org]On Behalf Of Dave Hennessey
> Sent: 19 February 2004 15:57
> To: spamassassin-users@incubator.apache.org
> Subject: Rules for File Attachments in multipart/mixed ??
>
>
> Hi!
>
> I'd like to mark messages which contain .SCR .PIF .BAT .COM file
> attachments as
> Spam, and reject them before they enter our mail system.
>
> Yes, I know that SA is not a Virus Scanner, but there is no
> reason that any
> valid message should contain them.
>
> I've tried - in vain - to write a rule for this.
>
> It appears that SA will look in the message header, but won't
> look in the
> headers for each part of a multipart/mixed.
>
> Or am I doing something horribly wrong (most likely)???
>
> Here's an example of one part of a multipart/mixed:
>
> # Content-Type: application/octet-stream; name="www.paypal.com.pif"
> # Content-Transfer-Encoding: base64
> # Content-Disposition: attachment; filename="www.paypal.com.pif"
>
> How do I write a rule?
>
>
> David M. Hennessey
> Office of the Deputy CIO
> U.S. International Trade Commission
> 500 E. Street, SW
> Washington, DC 20436
> 202-205-2518 Fax: 202-205-2024
> E-mail: dhennessey@usitc.gov
>
>
Re: Rules for File Attachments in multipart/mixed ??
Hi Dave, on Thu, 19 Feb 2004 15:57:20 +0000 (UTC) you wrote:

> I'd like to mark messages which contain .SCR .PIF .BAT .COM file
> attachments as Spam, and reject them before they enter our mail system.

You'd be much better doing this with some software which is MIME-aware
rather than in SpamAssassin (even if you could get out the info you need).

If you use Exim, you can use Exiscan to reliably reject 'bad extensions'.
I don't know about other mail servers, but you can probably use other
software such as MailScanner to devnull it if you can't do it at MTA
level.


Tim
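
What a MIME-aware check for the extensions named in this thread looks like, as an added example that is not part of the thread and not code from SpamAssassin, Exiscan or MailScanner. The names blocked_attachments and SAMPLE are assumptions made for illustration, and the sample message is constructed around the part headers quoted in the original post.

```python
import email
import os
from email import policy

BLOCKED = {".scr", ".pif", ".bat", ".com"}  # extensions named in the thread

def blocked_attachments(raw: bytes) -> list:
    """Return declared attachment names whose extension is in BLOCKED."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    for part in msg.walk():  # every MIME part, not only the top-level headers
        # Check both places a name can be declared; they are allowed to differ.
        for header, key in (("Content-Disposition", "filename"),
                            ("Content-Type", "name")):
            params = getattr(part[header], "params", {})  # {} if header absent
            name = params.get(key)
            if not name:
                continue
            # Windows ignores trailing dots and spaces: "x.pif." opens as "x.pif"
            normalized = name.strip().rstrip(". ").lower()
            if os.path.splitext(normalized)[1] in BLOCKED:
                hits.add(name)
    return sorted(hits)

# Constructed sample message; the third part uses the headers from the post.
SAMPLE = b"""\
From: sender@example.com
To: rcpt@example.org
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

hello
--XYZ
Content-Type: application/octet-stream; name="www.paypal.com.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="www.paypal.com.pif"

Y29uc3RydWN0ZWQgc2FtcGxl
--XYZ--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```

This looks only at the names a message declares for its parts, so it enforces an extension policy and does not inspect the attachment content itself.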
Re: Rules for File Attachments in multipart/mixed ??
Put the directive:

score MICROSOFT_EXECUTABLE 5.0

in your local.cf file.

If you want something more fine-tuned than that, then it can't be done,
I'm sorry to report - see the thread in this list 'MyDoom E-mail' for
the gruesome details.

Dave Hennessey wrote:
> Hi!
>
> I'd like to mark messages which contain .SCR .PIF .BAT .COM file attachments as
> Spam, and reject them before they enter our mail system.
>
> Yes, I know that SA is not a Virus Scanner, but there is no reason that any
> valid message should contain them.
>
> I've tried - in vain - to write a rule for this.
>
> It appears that SA will look in the message header, but won't look in the
> headers for each part of a multipart/mixed.
>
> Or am I doing something horribly wrong (most likely)???
>
> Here's an example of one part of a multipart/mixed:
>
> # Content-Type: application/octet-stream; name="www.paypal.com.pif"
> # Content-Transfer-Encoding: base64
> # Content-Disposition: attachment; filename="www.paypal.com.pif"
>
> How do I write a rule?
>
>
> David M. Hennessey
> Office of the Deputy CIO
> U.S. International Trade Commission
> 500 E. Street, SW
> Washington, DC 20436
> 202-205-2518 Fax: 202-205-2024
> E-mail: dhennessey@usitc.gov
>
>
>