LinuxQuestions.org
Old 10-11-2017, 10:49 AM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Posts: 1,119

Spamassassin missing .7z files in local.cf rule


I have the following rules defined in local.cf
Code:
mimeheader LOCAL_7Z_ATTACHED1 Content-Type =~ /\.7z/i
describe LOCAL_7Z_ATTACHED1 email contains a 7z file attachment
score LOCAL_7Z_ATTACHED1 2.5

mimeheader LOCAL_7Z_ATTACHED2 Content-Disposition =~ /\.7z/i
describe LOCAL_7Z_ATTACHED2 email contains a 7z file attachment
score LOCAL_7Z_ATTACHED2 2.5
Yet spamassassin is not catching emails with .7z attachments. Here is an example of a message containing such an attachment:
Code:
From Karin.Mother.HsI@persianpad.com Wed Oct 11 06:45:12 2017
Return-Path: <Karin.Mother.HsI@persianpad.com>
Received: from [42.114.229.71] ([42.114.229.71])
        by mail.hprs.local (8.15.2/8.15.2) with ESMTP id v9BAjAjx008954
        for <ccarter@ohprs.org>; Wed, 11 Oct 2017 06:45:11 -0400
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.99.2 at mail
From: Karin Mother <Karin.Mother.HsI@persianpad.com>
To: (local user)
Subject: Supplement payment 248834596
Thread-Topic: Supplement payment 248834596
Date: Wed, 11 Oct 2017 17:45:05 +0700
Message-ID: <418CEC5061165CACD2F1BEB58A14987D768E6DE7@190CA231.persianpad.com>
Accept-Language: en-US
Content-Language: en-US
X-Spam-Status: No, score=2.5 required=3.0 tests=BAYES_50,FROM_WORDY,
        HELO_MISC_IP,RDNS_NONE autolearn=no autolearn_force=no
        version=3.4.1-_revision__1.24__
X-Spam-Report:
        *  1.5 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.4500]
        *  0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
        *  0.2 HELO_MISC_IP Looking for more Dynamic IP Relays
        *  0.0 FROM_WORDY From address looks like a sentence
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.4.1-_revision__1.24__ (2015-04-28) on
        mail.hprs.local
Status: R

--_002_418CEC5061165CACD2F1BEB58A14987D768E6DE7190CA231persianpad.com_  
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

        
        
This E-mail is confidential

Internet communications cannot be guaranteed to be timely secure, error or
virus-free. The sender does not accept liability for any errors or
ommisions.



--_002_418CEC5061165CACD2F1BEB58A14987D768E6DE7190CA231persianpad.com_
Content-Type: application/octet_stream; name="F248834596_11102017.7z"
Content-Description: F248834596_11102017.7z
Content-Disposition: attachment; filename="F248834596_11102017.7z";
Content-Transfer-Encoding: base64
Obviously, I have my rule(s) defined wrong. Can someone straighten me out?

Last edited by mfoley; 10-11-2017 at 10:50 AM.
 
Old 10-12-2017, 08:28 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,891

Quote:
I have the following rules defined in local.cf

mimeheader LOCAL_7Z_ATTACHED1 Content-Type =~ /\.7z/i
describe LOCAL_7Z_ATTACHED1 email contains a 7z file attachment
score LOCAL_7Z_ATTACHED1 2.5

mimeheader LOCAL_7Z_ATTACHED2 Content-Disposition =~ /\.7z/i
describe LOCAL_7Z_ATTACHED2 email contains a 7z file attachment
score LOCAL_7Z_ATTACHED2 2.5

Yet spamassassin is not catching emails with .7z attachments. Here is an example of a message containing such an attachment:
The 1st rule (and I guess the 2nd also) work only for .7z file attachments.

In your case, the mail you got has the .7z file added inline (not as an attachment). I've seen these mails recently too...
In this case, you could use:
Code:
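# Match a Content-Disposition line in the body text that names a file with a literal ".7z" extension
rawbody INLINE_7Z_ATTACHED2 /Content-Disposition: attachment; filename=.+\.7z/i
describe INLINE_7Z_ATTACHED2 email contains a 7z inline attachment
score INLINE_7Z_ATTACHED2 2.5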
 
1 members found this post helpful.
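Why the `mimeheader` rules stay silent on the message from post #1 while a `rawbody` rule fires, as an added example that is not part of the thread. It assumes the sample was posted complete, that is, with no top-level `MIME-Version` / `Content-Type: multipart/...` header; the message below is constructed, and Python's `email` parser stands in for SpamAssassin's MIME handling as an approximation.

```python
import re
from email import message_from_string

# Constructed sample modelled on the message in post #1 (payload shortened).
BOUNDARY = "_002_constructed_boundary_"
BODY = (
    f"--{BOUNDARY}\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "\n"
    "This E-mail is confidential\n"
    "\n"
    f"--{BOUNDARY}\n"
    'Content-Type: application/octet_stream; name="F248834596_11102017.7z"\n'
    'Content-Disposition: attachment; filename="F248834596_11102017.7z";\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "N3q8ryccAAQ=\n"
    f"--{BOUNDARY}--\n"
)
HEADERS = "From: sender@example.com\nSubject: Supplement payment\n"
MIME = f'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="{BOUNDARY}"\n'

NO_MIME = HEADERS + "\n" + BODY           # as posted: no top-level Content-Type
WITH_MIME = HEADERS + MIME + "\n" + BODY  # same body, declared as multipart

EXT = re.compile(r"\.7z", re.I)           # pattern of the two mimeheader rules
RAW = re.compile(r"Content-Disposition: attachment; filename=.+\.7z", re.I)

def mimeheader_hits(raw):
    """Headers of parsed MIME parts that match, as a mimeheader rule sees them."""
    hits = []
    for part in message_from_string(raw).walk():
        for name in ("Content-Type", "Content-Disposition"):
            if EXT.search(part.get(name, "")):
                hits.append(name)
    return hits

def rawbody_hit(raw):
    """True if a line of a text part matches, as a rawbody rule sees it."""
    parts = message_from_string(raw).walk()
    texts = [p.get_payload() for p in parts
             if not p.is_multipart() and p.get_content_maintype() == "text"]
    return any(RAW.search(line) for t in texts for line in t.splitlines())

if __name__ == "__main__":
    for label, raw in (("no MIME header", NO_MIME), ("multipart", WITH_MIME)):
        print(label, mimeheader_hits(raw), rawbody_hit(raw))
```

Without the top-level multipart header the part headers are ordinary body text, so only the body rule can see them; with it, they become real part headers and only the `mimeheader` rules match.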
Old 10-12-2017, 09:21 PM   #3
mfoley
Senior Member
 
Registered: Oct 2008
Posts: 1,119

Original Poster
Thanks. I've added your rule to my local.cf. I didn't know about the in-line mechanism. I'll run this for a while and see what happens.
 
Old 10-13-2017, 03:20 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,891

Quote:
Originally Posted by mfoley
Thanks. I've added your rule to my local.cf. I didn't know about the in-line mechanism. I'll run this for a while and see what happens.
I doubt that you'll see this again.
It was most likely an error of the spamming bot software. Instead of attaching the 7z file, it dumped it into the message body.
 
Old 10-24-2017, 02:25 PM   #5
mfoley
Senior Member
 
Registered: Oct 2008
Posts: 1,119

Original Poster
Rep: Reputation: 101Reputation: 101
So far, you're right. I haven't seen an inline 7z file since this post. I have trapped numerous actual attachments though. I'll consider this solved.
 
  

