On 2023-02-07 at 05:07:36 UTC-0500 (Tue, 07 Feb 2023 10:07:36 +)
Laurent S. <110ef9e3086d8405c2929e34be5b4...@protonmail.ch>
is rumored to have said:
You could also use check_rbl_headers
THANK YOU!
I had not recalled that feature when I wrote my reply. I'm glad there
are people here whos
Loren Wilton wrote on 2023-02-07 11:43:
I believe 3MB is above the default scan size for SA, so likely it
won't even look at the file.
Let's say the sender did not know this?
If it was a Linux ELF I would have compiled it myself with gcc :)
Don't accept precompiled files in email, ever.
Rupert Gallagher wrote on 2023-02-07 11:15:
https://www.virustotal.com/gui/file/f4d587f60f2d34add9f77fcbd8c3c0df3ca51cfaecd9de85c45d25647eaac40b
Both SA and ClamAV passed it as legit.
We should have a SA rule that says: "attached file with unknown data
type".
or https://sanesecurity.com/fox
On 2023-02-06 at 12:50:29 UTC-0500 (Mon, 6 Feb 2023 17:50:29 +)
Michael Grant via users
is rumored to have said:
I’m noticing that check_uridnsbl() seems only to check the message
body. Is there some way to make it check the headers as well?
On 06.02.23 16:16, Bill Cole wrote:
No. Which
I believe 3MB is above the default scan size for SA, so likely it won't even
look at the file.
Loren
- Original Message -
From: Rupert Gallagher
To: users@spamassassin.apache.org
Sent: Tuesday, February 07, 2023 2:26 AM
Subject: Re: New rule wanted
Note: Both clie
I've seen this wave too.
You could use such a rule:
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader ONENOTE_ATTACHED Content-Type =~ /\.one[";$]/i
describe ONENOTE_ATTACHED Attached OneNote
score ONENOTE_ATTACHED 5.0
endif
Make sure MIMEHeader is loaded. I haven't used that rule in pr
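An added example, not part of any post in this thread: Python checks on each MIME part, showing that a pattern applied to Content-Type alone misses an attachment named only in Content-Disposition, or one that has been renamed. The function names, the constructed sample messages and the OneNote file-type GUID (taken from the MS-ONESTORE format specification, not from the thread) are assumptions.

```python
import base64
import re
import uuid
from email import message_from_bytes

# The thread's rule pattern; a mimeheader rule sees only the header it names.
CT_RULE = re.compile(r'\.one[";$]', re.I)
# File-type GUID at offset 0 of a .one file (from MS-ONESTORE, not from the thread).
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le


def onenote_parts(raw: bytes):
    """Return [(filename, [reasons])] for MIME parts that look like OneNote."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        reasons = []
        if CT_RULE.search(str(part.get("Content-Type", ""))):
            reasons.append("content-type")
        # get_filename() reads Content-Disposition filename, then Content-Type name.
        name = part.get_filename() or ""
        if name.lower().endswith(".one"):
            reasons.append("filename")
        if (part.get_payload(decode=True) or b"").startswith(ONE_MAGIC):
            reasons.append("magic")
        if reasons:
            hits.append((name, reasons))
    return hits


def sample(ctype: str, disposition: str, data: bytes) -> bytes:
    """Build a constructed two-part message carrying one attachment."""
    return (
        b"Subject: Request for quotation\r\nMIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        b"--b1\r\nContent-Type: text/plain\r\n\r\nDetails attached.\r\n"
        b"--b1\r\nContent-Type: " + ctype.encode() + b"\r\n"
        b"Content-Disposition: " + disposition.encode() + b"\r\n"
        b"Content-Transfer-Encoding: base64\r\n\r\n"
        + base64.b64encode(data) + b"\r\n--b1--\r\n"
    )


FAKE_ONE = ONE_MAGIC + b"\x00" * 32  # constructed payload: header GUID only
NAMED = sample('application/octet-stream; name="quote.one"', "attachment", FAKE_ONE)
DISPO = sample("application/octet-stream", 'attachment; filename="quote.one"', FAKE_ONE)
RENAMED = sample("application/octet-stream", 'attachment; filename="quote.dat"', FAKE_ONE)
```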
Note: Both client and server are not Windows. The attached file type is a
generic "data" on unix. On a Windows client the file runs as executable. A SA
rule should merely detect that the file type is a generic "data" file.
Original Message
On Feb 7, 2023, 11:15, Rupert Gallagher
I received a spam with score -1. Well written, looks legit commercial, asking
for a quotation, with details in the attachment, a 3MB file with unknown
extension ".one".
The file turns out to be a Windows Trojan:
https://www.virustotal.com/gui/file/f4d587f60f2d34add9f77fcbd8c3c0df3ca51cfaecd9de8
You could also use check_rbl_headers
Add this to init.pre or in your favorite .pre file:
loadplugin Mail::SpamAssassin::Plugin::DNSEval
Then add this rule:
if (version >= 3.004003)
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header HEADERBL_URIBL eval:check_rbl_headers('hdr