[SOLVED] Spamassassin missing .7z files in local.cf rule

I have the following rules defined in local.cf

Code:

mimeheader LOCAL_7Z_ATTACHED1 Content-Type =~ /\.7z/i
describe LOCAL_7Z_ATTACHED1 email contains a 7z file attachment
score LOCAL_7Z_ATTACHED1 2.5

mimeheader LOCAL_7Z_ATTACHED2 Content-Disposition =~ /\.7z/i
describe LOCAL_7Z_ATTACHED2 email contains a 7z file attachment
score LOCAL_7Z_ATTACHED2 2.5

Yet spamassassin is not catching emails with .7z attachments. Here is an example of a message containing such an attachment:

Code:

From Karin.Mother.HsI@persianpad.com Wed Oct 11 06:45:12 2017
Return-Path: <Karin.Mother.HsI@persianpad.com>
Received: from [42.114.229.71] ([42.114.229.71])
        by mail.hprs.local (8.15.2/8.15.2) with ESMTP id v9BAjAjx008954
        for <ccarter@ohprs.org>; Wed, 11 Oct 2017 06:45:11 -0400
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.99.2 at mail
From: Karin Mother <Karin.Mother.HsI@persianpad.com>
To: (local user)
Subject: Supplement payment 248834596
Thread-Topic: Supplement payment 248834596
Date: Wed, 11 Oct 2017 17:45:05 +0700
Message-ID: <418CEC5061165CACD2F1BEB58A14987D768E6DE7@190CA231.persianpad.com>
Accept-Language: en-US
Content-Language: en-US
X-Spam-Status: No, score=2.5 required=3.0 tests=BAYES_50,FROM_WORDY,
        HELO_MISC_IP,RDNS_NONE autolearn=no autolearn_force=no
        version=3.4.1-_revision__1.24__
X-Spam-Report:
        *  1.5 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.4500]
        *  0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
        *  0.2 HELO_MISC_IP Looking for more Dynamic IP Relays
        *  0.0 FROM_WORDY From address looks like a sentence
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.4.1-_revision__1.24__ (2015-04-28) on
        mail.hprs.local
Status: R

--_002_418CEC5061165CACD2F1BEB58A14987D768E6DE7190CA231persianpad.com_  
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

        
        
This E-mail is confidential

Internet communications cannot be guaranteed to be timely secure, error or
virus-free. The sender does not accept liability for any errors or
ommisions.



--_002_418CEC5061165CACD2F1BEB58A14987D768E6DE7190CA231persianpad.com_
Content-Type: application/octet_stream; name="F248834596_11102017.7z"
Content-Description: F248834596_11102017.7z
Content-Disposition: attachment; filename="F248834596_11102017.7z";
Content-Transfer-Encoding: base64

Obbiously, I have my rule(s) defined wrong. Can someone straighten me out?

Quote:

I have the following rules defined in local.cf mimeheader LOCAL_7Z_ATTACHED1 Content-Type =~ /\.7z/i describe LOCAL_7Z_ATTACHED1 email contains a 7z file attachment score LOCAL_7Z_ATTACHED1 2.5 mimeheader LOCAL_7Z_ATTACHED2 Content-Disposition =~ /\.7z/i describe LOCAL_7Z_ATTACHED2 email contains a 7z file attachment score LOCAL_7Z_ATTACHED2 2.5 Yet spamassassin is not catching emails with .7z attachments. Here is an example of a message containing such an attachment:

The 1st rule (and I guess the 2nd also) work only for .7z file attachments.

In your case the mail you got, has the .7z file added inline (not as attachment). I've seen these mails recently too...
In this case, you clould use:

Code:

rawbody INLINE_7Z_ATTACHED2 /Content-Disposition: attachment; filename=.+.7z/i
describe INLINE_7Z_ATTACHED2 email contains a 7z inline attachment
score INLINE_7Z_ATTACHED2 2.5

Thanks. I've added your rule to my local.cf. I didn't know about the in-line mechanism. I'll run this for a while and see what happens.

Quote:

Originally Posted by mfoley Thanks. I've added your rule to my local.cf. I didn't know about the in-line mechanism. I'll run this for a while and see what happens.

I doubt that you'll see this again.
It was most likely an error of the spamming bot software. Instead of attach the 7z file, it dumped it into the message body.

So far, you're right. I haven't seen an inline 7z file since this post. I have trapped numerous actual attachments though. I'll consider this solved.