On Fri, 2008-08-01 at 14:40 -0300, Rejaine Monteiro wrote:
> Hi all
>
> How can I create a generic rule to block any e-mail with links to
> dangerous files ?

Easy, just ask those folks related to tools in your mail processing
chain that actually can block mail. SA does not. SA tags mail, it does
not deliver mail in any way, including blocking.


> Like http://****.zip or http://***.exe or ***.doc.exe etc...

A uri rule will be easy to write, to match this. See the docs:
http://spamassassin.apache.org/full/...ssin_Conf.html

An alternative approach would be, to consider using ClamAV with the
SaneSecurity phish sigs. I believe they should catch almost all of
these.

guenther


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

note: i'm not talking about block *attached* files .. (my
qmail-scanner already do this..)
i need a rule to targed as spam e-mail with *links to* dangerous files..

Karsten Bräckelmann escreveu:
> On Fri, 2008-08-01 at 14:40 -0300, Rejaine Monteiro wrote:
>
>> Hi all
>>
>> How can I create a generic rule to block any e-mail with links to
>> dangerous files ?
>>
>
> Easy, just ask those folks related to tools in your mail processing
> chain that actually can block mail. SA does not. SA tags mail, it does
> not deliver mail in any way, including blocking.
>
>
>
>> Like http://****.zip or http://***.exe or ***.doc.exe etc...
>>
>
> A uri rule will be easy to write, to match this. See the docs:
> http://spamassassin.apache.org/full/...ssin_Conf.html
>
> An alternative approach would be, to consider using ClamAV with the
> SaneSecurity phish sigs. I believe they should catch almost all of
> these.
>
> guenther
>
>
>

Rejaine Monteiro wrote ... (8/1/2008 1:40 PM):
>
> Hi all
>
> How can I create a generic rule to block any e-mail with links to
> dangerous files ?
>
> Like http://****.zip or http://***.exe or ***.doc.exe etc...
This is one I wrote to deal with a large influx of Storm Worm's that got
through once.


uri DANGEROUS_URL /\.(exe|scr|pif|cmd|bat|vbs|wsh)$/i
describe DANGEROUS_URL URL contains executable content
score DANGEROUS_URL 7.5

On Fri, 2008-08-01 at 15:01 -0300, Rejaine Monteiro wrote:
> note: i'm not talking about block *attached* files .. (my
> qmail-scanner already do this..)
> i need a rule to targed as spam e-mail with *links to* dangerous files..

Yes, I did understand that, and that's exactly what I discussed and
referred to. Do you understand my reply?


> Karsten Bräckelmann escreveu:
> > On Fri, 2008-08-01 at 14:40 -0300, Rejaine Monteiro wrote:
> >
> >> Hi all
> >>
> >> How can I create a generic rule to block any e-mail with links to
> >> dangerous files ?
> >
> > Easy, just ask those folks related to tools in your mail processing
> > chain that actually can block mail. SA does not. SA tags mail, it does
> > not deliver mail in any way, including blocking.
> >
> >
> >> Like http://****.zip or http://***.exe or ***.doc.exe etc...
> >
> > A uri rule will be easy to write, to match this. See the docs:
> > http://spamassassin.apache.org/full/...ssin_Conf.html

Sorry, forgot to mention: Section "Rule Definitions and Privileged
Settings.

Oh well, something like this:

uri L_URI_BADFILEEXT /\.(zip|exe)$/


> > An alternative approach would be, to consider using ClamAV with the
> > SaneSecurity phish sigs. I believe they should catch almost all of
> > these.

guenther


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

OK..
Sorry for my bad english ... Thank you for the tip..!


Karsten Bräckelmann escreveu:
> On Fri, 2008-08-01 at 15:01 -0300, Rejaine Monteiro wrote:
>
>> note: i'm not talking about block *attached* files .. (my
>> qmail-scanner already do this..)
>> i need a rule to targed as spam e-mail with *links to* dangerous files..
>>
>
> Yes, I did understand that, and that's exactly what I discussed and
> referred to. Do you understand my reply?
>
>
>
>> Karsten Bräckelmann escreveu:
>>
>>> On Fri, 2008-08-01 at 14:40 -0300, Rejaine Monteiro wrote:
>>>
>>>
>>>> Hi all
>>>>
>>>> How can I create a generic rule to block any e-mail with links to
>>>> dangerous files ?
>>>>
>>> Easy, just ask those folks related to tools in your mail processing
>>> chain that actually can block mail. SA does not. SA tags mail, it does
>>> not deliver mail in any way, including blocking.
>>>
>>>
>>>
>>>> Like http://****.zip or http://***.exe or ***.doc.exe etc...
>>>>
>>> A uri rule will be easy to write, to match this. See the docs:
>>> http://spamassassin.apache.org/full/...ssin_Conf.html
>>>
>
> Sorry, forgot to mention: Section "Rule Definitions and Privileged
> Settings.
>
> Oh well, something like this:
>
> uri L_URI_BADFILEEXT /\.(zip|exe)$/
>
>
>
>>> An alternative approach would be, to consider using ClamAV with the
>>> SaneSecurity phish sigs. I believe they should catch almost all of
>>> these.
>>>
>
> guenther
>
>
>

On Fri, 1 Aug 2008, Rejaine Monteiro wrote:

> note: i'm not talking about block *attached* files .. (my qmail-scanner
> already do this..)

Oops. I misread your question then.

> i need a rule to targed as spam e-mail with *links to* dangerous files..

Here's what I use:

uri EXECUTABLE_URI /^(?:https?|ftp):\/\/[^\s?]{1,80}\/[^\s?]{1,80}\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$/i
describe EXECUTABLE_URI Links to an executable file
score EXECUTABLE_URI 3.00


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #6: If you can choose what to bring to a
gunfight, bring a long gun and a friend with a long gun.
-----------------------------------------------------------------------
3 days until the 273rd anniversary of John Peter Zenger's acquittal