Mailing List Archive

Catching attachments.
I'm trying to catch viral attachments, namely those with the extension scr,
exe, bat, com, pif, etc. The Content-Disposition header to catch the
filename.

I tried it, using a working RegEx which I verified in a testing program, but
SA doesn't pick it up.

Is there an example on how to do this?

-Julian Milano
NoSpamToday using SA on WinNT4 using Exchange 5.5

PS. Sorry to be vague, but my original post was rejected as spam. Here's
what I got back:

Your message was rejected by mail.apache.org for the following reason:

Spam or junk mail threshold exceeded. See
http://www.flame.org/qmail/spamjunk.html (#5.7.1)

The following recipients did not receive this message:

spamassassin-users-info@incubator.apache.org
<mailto:spamassassin-users-info@incubator.apache.org>

Does this happen to anyone else? Imagine! Being flagged as SPAM while trying
to fight it <G>
Re: Catching attachments.
JulianM@davenport-industries.com.au wrote:

> I'm trying to catch viral attachments, namely those with the extension
> scr, exe, bat, com, pif, etc. The Content-Disposition header to catch
> the filename.

What do you mean by "catch"? Filter, quarantine or scan?

SpamAssassin is probably not your best bet (and the Wiki says so!). Yes,
you can configure rules to detect attachments based on name. No, that's
not effective as a "good" anti-virus measure.

Better would be to:

1. Use an external tool (i.e. clamav) to do an actual scan based on
content, rather than just the stated file name.

or

2. Filter/remove/quarantine all incoming attachments. (Just doing this
based on name is subject to the same limitations.)

There are a couple of other threads going on this same topic that get
into more specifics of how to do this with other tools.

- Bob
Re: [spa] Catching attachments.
On Wed, 10 Mar 2004 JulianM@davenport-industries.com.au wrote:
> I'm trying to catch viral attachments, namely those with the extension scr,
> exe, bat, com, pif, etc. The Content-Disposition header to catch the
> filename.
> I tried it, using a working RegEx which I verified in a testing program, but
> SA doesn't pick it up.
> Is there an example on how to do this?

The trick is, only the 'full' rules will check the attachments.
(Unwrap the test line):

full LOC_DBLEXTONATTACH /name="?[^"]*\.(?:html?|txt|doc|rtf|jpe?g|
gif|wpd|pdf|zip)\.(?:pif|exe|com|cmd|bat|scr)/i

describe LOC_DBLEXTONATTACH Message attachment has VIRUS-style double ext

score LOC_DBLEXTONATTACH 0.5

Note, this is a minimal test and will also catch messages that give
examples of the double extension IN the body of a message, and trigger on
quoted mime headers with double extensions in bounced mail, etc.

- Charles
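To make Charles's two points concrete (a 'full' rule matches the entire raw message, headers and body alike, so it also fires on a double extension merely quoted in the body text), here is an added Python example that is not part of the thread. It applies his regex to a whole message the way a 'full' rule does, and beside it walks the actual MIME parts with the standard library's email module and checks only the filenames declared on real attachments. The three messages are constructed for the example; nothing in them is a real payload.

```python
import re
from email import message_from_string

# Charles's 'full' rule regex from the thread, unwrapped onto one pattern.
DBLEXT_RE = re.compile(
    r'name="?[^"]*\.(?:html?|txt|doc|rtf|jpe?g|gif|wpd|pdf|zip)'
    r'\.(?:pif|exe|com|cmd|bat|scr)',
    re.IGNORECASE,
)

# Final extensions the original poster wanted to flag (assumed list).
RISKY_EXT_RE = re.compile(r'\.(?:scr|exe|bat|com|pif|cmd)$', re.IGNORECASE)


def full_rule_hits(raw_message: str) -> bool:
    """Emulate a SpamAssassin 'full' rule: one regex over the whole raw message."""
    return DBLEXT_RE.search(raw_message) is not None


def attachment_filenames(raw_message: str) -> list:
    """Filenames declared on real MIME parts (Content-Disposition / Content-Type)."""
    msg = message_from_string(raw_message)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no filename of their own
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def risky_attachments(raw_message: str) -> list:
    """Only real attachments whose final extension is on the risky list."""
    return [n for n in attachment_filenames(raw_message) if RISKY_EXT_RE.search(n)]


# Constructed sample 1: a genuine attachment with a double extension.
RAW_DOUBLE_EXT = (
    "From: sender@example.invalid\n"
    "To: you@example.invalid\n"
    "Subject: your document\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "see attached\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="invoice.doc.scr"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "bm90IGEgcmVhbCBwcm9ncmFt\n"  # base64 of "not a real program"
    "--b1--\n"
)

# Constructed sample 2: plain text that merely *quotes* a double extension
# (e.g. a bounce or a help reply). The 'full' rule still fires on it.
RAW_BODY_MENTION = (
    "From: helpdesk@example.invalid\n"
    "To: you@example.invalid\n"
    "Subject: Re: suspicious mail\n"
    "Content-Type: text/plain\n"
    "\n"
    "The bounced message carried this header:\n"
    '  Content-Disposition: attachment; filename="readme.txt.exe"\n'
    "so it was rejected.\n"
)

# Constructed sample 3: an ordinary single-extension attachment.
RAW_PDF = (
    "From: sender@example.invalid\n"
    "To: you@example.invalid\n"
    "Subject: report\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b2"\n'
    "\n"
    "--b2\n"
    "Content-Type: application/pdf\n"
    'Content-Disposition: attachment; filename="report.pdf"\n'
    "\n"
    "JVBERi0xLjQK\n"
    "--b2--\n"
)

if __name__ == "__main__":
    for label, raw in (("double ext", RAW_DOUBLE_EXT),
                       ("body mention", RAW_BODY_MENTION),
                       ("pdf", RAW_PDF)):
        print(f"{label:12} full-rule hit: {full_rule_hits(raw)!s:5} "
              f"risky attachments: {risky_attachments(raw)}")
```

The second sample is the false positive Charles warns about: the 'full' regex sees the quoted header in the body and fires, while the MIME walk finds no attachment at all. Filtering on declared names is still only a name check, as Bob notes; a content scanner is what tells a renamed executable from a document.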
Re: [spa] Catching attachments.
I use the following command to catch attachments and set the score higher. It works for most executables but doesn't stop .zip attachments.

score MICROSOFT_EXECUTABLE 4.100

-Bryan


>>> Charles Gregory <cgregory@hwcn.org> 03/10/04 10:47AM >>>
Re: Catching attachments.
[This came to me directly but I assume was meant for the list]

JulianM@davenport-industries.com.au wrote:

> But CAN it be done? If so- how?

Yes, you could run something on a box in front of the exchange box to
filter. Many on this list have done exactly this, though I have not as yet.

> I'm running Exchange V5.5 on WinNT4 and as an EXTRA protection level,
> want to class any emails that come in as SPAM if they have the file
> extensions I'm looking for.

If you simply want to flag all messages with attachments as spam, you
certainly don't need spamassassin. Procmail can do that just fine.
However, keep in mind that you're likely to flag NON-INFECTED messages
with attachments as spam. If your company policy allows attachments,
you're very likely to annoy a LOT of people.

I'm sure there are ways to do all of this with commercial software on
Windows working directly with Exchange, but I do not have the financial
resources to investigate. I'm limited to effective, open solutions.

- Bob
RE: Catching attachments.
Bob, and all,

I'm just after a simple solution to my question, which I will re-iterate:

Can I catch incoming messages which contain file attachments with the
extensions scr, exe, pif, etc using a RegEx?

Now, I assume that the answer is YES, so my next question is:

Please show me by way of an example, how to do the above as a rule.

Please, I just want to know how to test attachment filenames using rules in
SA.
Regards,

Julian Milano
IT Manager


Davenport Group
79-81 Coppin Street (PO Box 12) Richmond Victoria 3121
Ph : (613) 8416 6666
-----Original Message-----
From: Bob George [mailto:mailings02@ttlexceeded.com]
Sent: Friday, March 12, 2004 3:45 PM
To: spamassassin-users@incubator.apache.org
Subject: Re: Catching attachments.