Rule to block link to *.zip *.exe *.scr ... - SpamAssassin


  1. Rule to block link to *.zip *.exe *.scr ...


    Hi all

    How can I create a generic rule to block any e-mail with links to
    dangerous files ?

    Like http://****.zip or http://***.exe or ***.doc.exe etc...


  2. Re: Rule to block link to *.zip *.exe *.scr ...

    On Fri, 2008-08-01 at 14:40 -0300, Rejaine Monteiro wrote:
    > Hi all
    >
    > How can I create a generic rule to block any e-mail with links to
    > dangerous files ?


    Easy, just ask those folks related to tools in your mail processing
    chain that actually can block mail. SA does not. SA tags mail, it does
    not deliver mail in any way, including blocking.


    > Like http://****.zip or http://***.exe or ***.doc.exe etc...


    A uri rule will be easy to write, to match this. See the docs:
    http://spamassassin.apache.org/full/...ssin_Conf.html

    An alternative approach would be, to consider using ClamAV with the
    SaneSecurity phish sigs. I believe they should catch almost all of
    these.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  3. Re: Rule to block link to *.zip *.exe *.scr ...


    note: I'm not talking about blocking *attached* files .. (my
    qmail-scanner already does this..)
    I need a rule to target as spam e-mail with *links to* dangerous files..

    Karsten Bräckelmann wrote:
    > On Fri, 2008-08-01 at 14:40 -0300, Rejaine Monteiro wrote:
    >
    >> Hi all
    >>
    >> How can I create a generic rule to block any e-mail with links to
    >> dangerous files ?
    >>

    >
    > Easy, just ask those folks related to tools in your mail processing
    > chain that actually can block mail. SA does not. SA tags mail, it does
    > not deliver mail in any way, including blocking.
    >
    >
    >
    >> Like http://****.zip or http://***.exe or ***.doc.exe etc...
    >>

    >
    > A uri rule will be easy to write, to match this. See the docs:
    > http://spamassassin.apache.org/full/...ssin_Conf.html
    >
    > An alternative approach would be, to consider using ClamAV with the
    > SaneSecurity phish sigs. I believe they should catch almost all of
    > these.
    >
    > guenther
    >
    >
    >



  4. Re: Rule to block link to *.zip *.exe *.scr ...


    Rejaine Monteiro wrote ... (8/1/2008 1:40 PM):
    >
    > Hi all
    >
    > How can I create a generic rule to block any e-mail with links to
    > dangerous files ?
    >
    > Like http://****.zip or http://***.exe or ***.doc.exe etc...

    This is one I wrote to deal with a large influx of Storm Worms that got
    through once.


    uri DANGEROUS_URL /\.(exe|scr|pif|cmd|bat|vbs|wsh)$/i
    describe DANGEROUS_URL URL contains executable content
    score DANGEROUS_URL 7.5


  5. Re: Rule to block link to *.zip *.exe *.scr ...

    On Fri, 2008-08-01 at 15:01 -0300, Rejaine Monteiro wrote:
    > note: I'm not talking about blocking *attached* files .. (my
    > qmail-scanner already does this..)
    > I need a rule to target as spam e-mail with *links to* dangerous files..


    Yes, I did understand that, and that's exactly what I discussed and
    referred to. Do you understand my reply?


    > Karsten Bräckelmann wrote:
    > > On Fri, 2008-08-01 at 14:40 -0300, Rejaine Monteiro wrote:
    > >
    > >> Hi all
    > >>
    > >> How can I create a generic rule to block any e-mail with links to
    > >> dangerous files ?

    > >
    > > Easy, just ask those folks related to tools in your mail processing
    > > chain that actually can block mail. SA does not. SA tags mail, it does
    > > not deliver mail in any way, including blocking.
    > >
    > >
    > >> Like http://****.zip or http://***.exe or ***.doc.exe etc...

    > >
    > > A uri rule will be easy to write, to match this. See the docs:
    > > http://spamassassin.apache.org/full/...ssin_Conf.html


    Sorry, forgot to mention: Section "Rule Definitions and Privileged
    Settings".

    Oh well, something like this:

    uri L_URI_BADFILEEXT /\.(zip|exe)$/


    > > An alternative approach would be, to consider using ClamAV with the
    > > SaneSecurity phish sigs. I believe they should catch almost all of
    > > these.


    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  6. Re: Rule to block link to *.zip *.exe *.scr ...

    OK..
    Sorry for my bad English ... Thank you for the tip..!


    Karsten Bräckelmann wrote:
    > On Fri, 2008-08-01 at 15:01 -0300, Rejaine Monteiro wrote:
    >
    >> note: I'm not talking about blocking *attached* files .. (my
    >> qmail-scanner already does this..)
    >> I need a rule to target as spam e-mail with *links to* dangerous files..
    >>

    >
    > Yes, I did understand that, and that's exactly what I discussed and
    > referred to. Do you understand my reply?
    >
    >
    >
    >> Karsten Bräckelmann wrote:
    >>
    >>> On Fri, 2008-08-01 at 14:40 -0300, Rejaine Monteiro wrote:
    >>>
    >>>
    >>>> Hi all
    >>>>
    >>>> How can I create a generic rule to block any e-mail with links to
    >>>> dangerous files ?
    >>>>
    >>> Easy, just ask those folks related to tools in your mail processing
    >>> chain that actually can block mail. SA does not. SA tags mail, it does
    >>> not deliver mail in any way, including blocking.
    >>>
    >>>
    >>>
    >>>> Like http://****.zip or http://***.exe or ***.doc.exe etc...
    >>>>
    >>> A uri rule will be easy to write, to match this. See the docs:
    >>> http://spamassassin.apache.org/full/...ssin_Conf.html
    >>>

    >
    > Sorry, forgot to mention: Section "Rule Definitions and Privileged
    > Settings".
    >
    > Oh well, something like this:
    >
    > uri L_URI_BADFILEEXT /\.(zip|exe)$/
    >
    >
    >
    >>> An alternative approach would be, to consider using ClamAV with the
    >>> SaneSecurity phish sigs. I believe they should catch almost all of
    >>> these.
    >>>

    >
    > guenther
    >
    >
    >



  7. Re: Rule to block link to *.zip *.exe *.scr ...

    On Fri, 1 Aug 2008, Rejaine Monteiro wrote:

    > note: I'm not talking about blocking *attached* files .. (my qmail-scanner
    > already does this..)


    Oops. I misread your question then.

    > I need a rule to target as spam e-mail with *links to* dangerous files..


    Here's what I use:

    uri EXECUTABLE_URI /^(?:https?|ftp):\/\/[^\s?]{1,80}\/[^\s?]{1,80}\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$/i
    describe EXECUTABLE_URI Links to an executable file
    score EXECUTABLE_URI 3.00


    --
    John Hardin KA7OHZ http://www.impsec.org/~jhardin/
    jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
    key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
    USMC Rules of Gunfighting #6: If you can choose what to bring to a
    gunfight, bring a long gun and a friend with a long gun.
    -----------------------------------------------------------------------
    3 days until the 273rd anniversary of John Peter Zenger's acquittal

