Hi all, I'm using custom Yara rules to detect many kinds of spam directed to my customers. It's very effective and gives me many ways to intercept localized messages (i.e.: spam in Italian and French).

Lately those spammers are using base64 encoding in the Subject: and body part, making my rules ineffective. I need to match some headers and the body part, because I don't want to generate false positives. I did some tests and I think that clamav is using this yara/pcre engine only on the "original" message and then on every single message part (excluding the mail headers), so if I want to run my rules on the decoded body I have to give up on the header check and vice versa (due to the base64-encoded body in the original message).

Is there a way to decode the original message before the scan, or something that permits running the yara engine on the decoded message? (I'm also RTFM'ing in amavisd-new, maybe with a custom filter...)

Thanks.
k.

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
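The gap described in the post (a rule that needs both a header and the decoded body cannot match when the scanner sees either the raw message or isolated decoded parts) can be closed by building a decoded "flat view" of the message before the rule runs. The following is an added example, not code from the post, ClamAV or amavisd-new; it uses only the Python standard library, a constructed sample message, and a plain regex pair standing in for the YARA condition.

```python
"""Build a decoded view of a MIME message so header+body rules can match."""
import base64
import email
import re
from email import policy

# Constructed sample: RFC 2047 base64 Subject plus a base64 text/plain body.
def build_sample() -> bytes:
    subject = base64.b64encode("Offerta speciale: hai vinto".encode()).decode()
    body = base64.b64encode("Clicca qui per il tuo premio".encode()).decode()
    return (
        "From: promo@example.invalid\r\n"
        f"Subject: =?utf-8?B?{subject}?=\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{body}\r\n"
    ).encode()

def decoded_view(raw: bytes) -> str:
    """Return decoded headers followed by every decoded text/* part.

    policy.default decodes RFC 2047 encoded words in headers, and
    get_content() undoes the Content-Transfer-Encoding and charset of
    each text part, so a rule sees plain text for both regions."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    lines = [f"{name}: {value}" for name, value in msg.items()]
    lines.append("")  # blank line separates headers from body, as in the wire format
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            lines.append(part.get_content())
    return "\n".join(lines)

# Stand-in for a YARA rule whose condition requires BOTH strings (hypothetical).
RULE = {
    "subject": re.compile(r"^Subject:.*offerta speciale", re.I | re.M),
    "body": re.compile(r"clicca qui", re.I),
}

def rule_matches(text: str) -> bool:
    """True only when every pattern of RULE is found in the same text."""
    return all(pattern.search(text) for pattern in RULE.values())

if __name__ == "__main__":
    raw = build_sample()
    print("raw message matches:", rule_matches(raw.decode()))       # False
    print("decoded view matches:", rule_matches(decoded_view(raw)))  # True
```

Feeding the decoded view (instead of, or in addition to, the raw message) to the scanner is the kind of pre-processing a custom filter in front of ClamAV could do; the rule text itself needs no change.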