Mailing List Archive

rule for docx o xlsx
Hi list, happy holidays to all. I am trying to make this rule work
that a friend wrote on GitHub, to be able to give a high score to
documents sent from different countries, like Pakistan, China or India.
I have it in my SpamAssassin and I do not see it working, to see if
someone on the list helps me improve it

RuleWordORExcel.cf

mimeheader __MIME_WORDOREXCEL Content-Type =~ /msword|excel/i
header __RELAYCOUNTRY_SPAMMY X-Relay-Countries =~ /^(RU|CN|AR|AE|CG|FR|IR|KI|PK|AU|BS|BE|BO|BT|AI|AO|BR|KH|CL|CO|CK|CU|DM|EC|US)/i

meta WORDEXCEL_SPAMMYCOUNTRY __MIME_WORDOREXCEL && __RELAYCOUNTRY_SPAMMY
describe WORDEXCEL_SPAMMYCOUNTRY Spammy country and word/excel file
score WORDEXCEL_SPAMMYCOUNTRY 2.0


meta OLEMACRO_SPAMMYCOUNTRY OLEMACRO && __RELAYCOUNTRY_SPAMMY
describe OLEMACRO_SPAMMYCOUNTRY Spammy country and Office doc with Macro
score OLEMACRO_SPAMMYCOUNTRY 2.0

This is a test from gmail, sending a word file to an account.

https://pastebin.com/bmRq7v7h

regards


--
rickygm

http://gnuforever.homelinux.com
Re: rule for docx o xlsx
On Mon, 17 Dec 2018 13:18:12 -0600
Rick Gutierrez wrote:

> Hi list, happy holidays to all. I am trying to make this rule work
> that a friend wrote on GitHub, to be able to give a high score to
> documents sent from different countries, like Pakistan, China or India.
> I have it in my SpamAssassin and I do not see it working, to see if
> someone on the list helps me improve it
>
> RuleWordORExcel.cf
>
> mimeheader __MIME_WORDOREXCEL Content-Type =~ /msword|excel/i
...
> https://pastebin.com/bmRq7v7h



Content-Type:
application/vnd.openxmlformats-officedocument.wordprocessingml.document,

doesn't contain msword|excel
Re: rule for docx o xlsx
Rick Gutierrez wrote on 2018-12-17 20:18:

> https://pastebin.com/bmRq7v7h

why not block it with default clamav installs?

spamassassin is not a virus scanner or macro detector, i still have not
seen rules in mimedefang or amavisd, or canit, and other tools support
deep content scanners in spamassassin

just my one €
Re: rule for docx o xlsx
On Mon, 17 Dec 2018, RW wrote:

> On Mon, 17 Dec 2018 13:18:12 -0600
> Rick Gutierrez wrote:
>
>> Hi list, happy holidays to all. I am trying to make this rule work
>> that a friend wrote on GitHub, to be able to give a high score to
>> documents sent from different countries, like Pakistan, China or India.
>> I have it in my SpamAssassin and I do not see it working, to see if
>> someone on the list helps me improve it
>>
>> RuleWordORExcel.cf
>>
>> mimeheader __MIME_WORDOREXCEL Content-Type =~ /msword|excel/i
> ...
>> https://pastebin.com/bmRq7v7h
>
>
>
> Content-Type:
> application/vnd.openxmlformats-officedocument.wordprocessingml.document,
>
> doesn't contain msword|excel

Not to mention that rule doesn't match "Application/OCTET-STREAM"

All too often I see mail clients use the catch-all MIME type of
"Application/OCTET-STREAM" and assume the recipient will 'do the right thing'
based on the file extension.



--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
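
The two points raised so far (the OOXML media type and the application/octet-stream catch-all) can be checked offline. This is an added example, not part of any poster's message: it runs the posted `msword|excel` pattern over constructed attachments, next to a hypothetical broadened check (OFFICE_TYPE and OFFICE_EXT are assumptions, not rules from the thread) that also looks at the file extension.

```python
import re
from email.message import EmailMessage

# Pattern from the posted __MIME_WORDOREXCEL rule.
ORIGINAL = re.compile(r"msword|excel", re.I)

# Hypothetical broadened check (assumption, not from the thread): legacy and
# OOXML Office media types, plus an extension fallback for octet-stream parts.
OFFICE_TYPE = re.compile(
    r"msword|ms-excel|officedocument\.(?:wordprocessingml|spreadsheetml)", re.I)
OFFICE_EXT = re.compile(r"\.(?:doc|xls)[xm]?$", re.I)

# Constructed sample attachments: (maintype, subtype, filename).
SAMPLES = [
    ("application", "msword", "old.doc"),
    ("application", "vnd.ms-excel", "old.xls"),
    ("application",
     "vnd.openxmlformats-officedocument.wordprocessingml.document",
     "report.docx"),
    ("application",
     "vnd.openxmlformats-officedocument.spreadsheetml.sheet", "sheet.xlsx"),
    ("application", "octet-stream", "invoice.docx"),
    ("application", "pdf", "manual.pdf"),
]

def build_message():
    """Build a constructed multipart message carrying the sample attachments."""
    msg = EmailMessage()
    msg["Subject"] = "constructed test"
    msg.set_content("body")
    for maintype, subtype, name in SAMPLES:
        msg.add_attachment(b"dummy", maintype=maintype, subtype=subtype,
                           filename=name)
    return msg

def check(msg):
    """Map filename -> (original pattern hit, broadened check hit)."""
    results = {}
    for part in msg.iter_attachments():
        ctype = str(part["Content-Type"])   # header value the rule tests
        name = part.get_filename() or ""
        old = bool(ORIGINAL.search(ctype))
        new = bool(OFFICE_TYPE.search(ctype) or OFFICE_EXT.search(name))
        results[name] = (old, new)
    return results

if __name__ == "__main__":
    for name, (old, new) in check(build_message()).items():
        print(f"{name:14} original={old!s:5} broadened={new}")
```

Only the legacy .doc and .xls types hit the original pattern; the .docx, .xlsx and octet-stream attachments are caught only by the broadened check, and the PDF by neither.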
Re: rule for docx o xlsx
On Mon, 17 Dec 2018 at 13:40, RW (<rwmaillists@googlemail.com>) wrote:

>
> Content-Type:
> application/vnd.openxmlformats-officedocument.wordprocessingml.document,
>
> doesn't contain msword|excel

Hi RW, you suggest me to make the modification?



--
rickygm

http://gnuforever.homelinux.com
Re: rule for docx o xlsx
On Mon, 17 Dec 2018 at 14:22, Benny Pedersen (<me@junc.eu>) wrote:

>
> why not block it with default clamav installs?
>
> spamassassin is not a virus scanner or macro detector, i still have not
> seen rules in mimedefang or amavisd, or canit, and other tools support
> deep content scanners in spamassassin
>
> just my one €

Hi Benny, I am not an expert in amavisd, but I have installed a few
and in the official documentation you can block this type of files or
extension, but I would do it general and not on a certain pattern.


--
rickygm

http://gnuforever.homelinux.com
Re: rule for docx o xlsx
Rick Gutierrez wrote on 2018-12-19 18:44:

> Hi Benny, I am not an expert in amavisd, but I have installed a few
> and in the official documentation you can block this type of files or
> extension, but I would do it general and not on a certain pattern.

i repeat, spamassassin can't test things in deep file content scanning,
we lose

one way to solve is:

configure clamav-milter to accept all virus detected in clamav
make spamas-milter reject pattern for macro virus detected in clamav
and still reject virus in spamas-milter

or make a bug report to clamav-milter for more policy accept quarantine
reject rules

by adding more 3rd party clamav signatures one doesn't need spamassassin
:=)

the above is only possible if clamav milter is done before spamas-milter

if other tools are used it requires more work to make it work