I wanted to write a rule to block emails with certain file attachments like
PIF, SCR, EXE... Kind of a poor man's AVS.
But I couldn't figure out how to do it. Seems like the rawbody tests exclude
the MIME headers from regexp pattern matching.
SOOO I hacked EvalTests.pm and made it work. May not be elegant, and there's
probably a simpler solution - BUT it does work. Here's what I did:

1) sub _check_mime_header {
At the very bottom, add:

    if ($name && $ctype eq "application/octet-stream") {
        # MIME_BAD_FILE_ATTACH triggered here
        $name =~ s/.*\.//;
        if (
            ($name eq "pif") ||
            ($name eq "scr") ||
            ($name eq "bat") ||
            ($name eq "com") ||
            ($name eq "exe")
        )
        {
            $self->{mime_bad_file_attach} = 1;
        }
    }

2) sub _check_attachments {
In the #results area, add near things like it

    $self->{mime_bad_file_attach} = 0;

3) In one of your rules, add:

    rawbody MIME_BAD_FILE_ATTACH eval:check_for_mime('mime_bad_file_attach')
    describe MIME_BAD_FILE_ATTACH PIF/SCR/BAT/COM/EXE file attached
    score MIME_BAD_FILE_ATTACH 200.00

P.S.
We run SA under milter-spamd on our incoming relay.
If you run sendmail, check out Anthony Howe's wonderful milter-ware at
http://www.snert.com/Software/index.html
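
The check from steps 1 to 3, as a stand-alone Python illustration added here (not part of the original post and not SpamAssassin code): it applies the same extension list to each MIME part of a constructed sample message. The function name `bad_attachments`, the `octet_stream_only` switch and the lower-casing of the extension are assumptions of this example; switching `octet_stream_only` off shows what is reported when the declared Content-Type is not required to be application/octet-stream.

```python
# Added example: stand-alone illustration, not SpamAssassin code.
from email import message_from_string

BAD_EXTENSIONS = {"pif", "scr", "bat", "com", "exe"}  # list from the post

# Constructed sample message: one text part and three attachments.
SAMPLE = """\
Subject: constructed test message
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

hello
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.pif"
Content-Disposition: attachment; filename="invoice.pif"

x
--BOUNDARY
Content-Type: application/octet-stream; name="SETUP.EXE"
Content-Disposition: attachment; filename="SETUP.EXE"

x
--BOUNDARY
Content-Type: application/x-msdownload; name="tool.scr"
Content-Disposition: attachment; filename="tool.scr"

x
--BOUNDARY--
"""

def bad_attachments(raw, octet_stream_only=True):
    """Return the attachment names the extension check flags."""
    hits = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()  # filename= or, failing that, name=
        if not name:
            continue  # multipart container or unnamed body part
        if octet_stream_only and part.get_content_type() != "application/octet-stream":
            continue  # the post's rule only looks at this declared type
        # Same effect as the post's s/.*\.//; lower-casing is this example's assumption.
        ext = name.rsplit(".", 1)[-1].lower()
        if ext in BAD_EXTENSIONS:
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(bad_attachments(SAMPLE), bad_attachments(SAMPLE, octet_stream_only=False))
```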