Hello,

Thanks for the creation of Spam-Assassin. It is a great tool that really cuts
down the amount of junk mail I get. Great work!

There is one feature (ruleset) that I would like to see added:
_Very_simple_ malware (virus/worm/etc.) detection based on filenames. I
am not talking about fancy code analysis for all types of OS and machine
architectures (which is definitely a huge project in its own right and requires
lots of manpower to keep up to date). What I want is that Spam-Assassin
recognizes 'creative' filenames in attachments like "coolimage.jpg.exe"
or "nicesound.mid.cmd" that are designed to lure people on Windows
systems (which offers the dangerous feature to hide the extensions of
known file types, making the file names appear as "coolimage.jpg" or
"nicesound.mid") to double-click on the attachment meaning to view the
image or hear the tune while in reality starting a program (which then
usually does something nasty).

There are three cases that I would want treated:
1) The simple case as above "coolimage.jpg.exe"
2) You can also hide the extension using lots of white space, as in
   "nicesound.mid  <lots of white space here>   .cmd". Many programs
   don't display the full filename, but will display only "nicesound.mid"
   plus lots of white space (which gives no visual hint) and maybe a "..."
   somewhere at the end of the line far, far away from the user's field
   of vision (and center of attention).
3) 'Creative' use of the Content-Type of an attachment like:
        
  (where the name may or may not be on the same line as the Content-Type
   tag; lots of space might be used to indent the name if it is on a separate
   line)
   This too causes many programs to display a generic sound icon for the
   attachment, while a doubleclick obviously starts a program ;(

Of course all these 3 types are not strictly illegal and could in theory
also appear in ham, but I dare say that they are strong indications for 
emails that try to trick people into running programs that they did not
really intend to run.

All three tricks work only against Windows machines and are not dangerous
for users of other operating systems, but even as a Linux user I am very
annoyed if I have to sort out all this junk.

I am aware that this feature is not directed against spam-mail in the usual
meaning of the word, but it is directed against "something that I definitely
don't want in my inbox", so I would like to ask you to include this feature
in Spam Assassin.

Valid extensions for Windows programs files (that should be found) are:
   .com, .exe,  (machine programs)
   .scr         (Screen Saver, just a regular machine program with a fancy name)
   .bat, .cmd,  (shell scripts / batch files)
   .pif,        (program information file, obsolete, but still works to run a prg.)
   .vbs, .vbe,  (visual basic, requires office but that's frequent
                 enough to be used)
   .js,  .jse,   (java)
   .wsf, .wsh,  (Windows scripting file)
   .ocx         (ActiveX-control)
   .msc         (Microsoft System Console configuration plugin)
   possibly others...

File Types that might be used to disguise the programs:
Images:
  .bmp, .wbmp, .gif, .jpeg, .jpg, .png, .ico, .img, 
  .j2k, .jp2, .psd, .psp, .sgi, .tif, .tiff, .tga
Movie:
  .avi, .mov, .mpg, .mpeg, .qt
Sounds: 
  .aif, .aiff, .snd, .mp3, .wav, .mid, .midi, .ogg
Office:
  .doc, .dot, .xls, .xlt, .pps, .ppt,
Text:
  .txt, .htm, .html, .pdf, .rtf
Archives:
  .arc, .arj, .gz, .hqx, .sit, .zip, .z,
  .lzh, .tar, .tgz, .uue, .uu
possibly others...
Don't block all files with multiple extensions. They are too common in ham!

Content Types that might be used to disguise programs:
  C
  C
  C
  C
possibly everything but 
  C

I am sorry to say that I am not good enough with Perl to come up with a
ruleset myself, but I would like to encourage you to create such a set.

Yours,
  Roland Lieger
  [EMAIL PROTECTED]

  
My feeble attempts for a ruleset...
# SpamAssassin requires each rule and each describe line on a single line, so the
# patterns are joined onto one line each. 'full' (the raw message including MIME
# part headers) is used instead of 'body', because attachment filenames live in
# the MIME headers, which 'body' never sees. The screen-saver extension is .scr.
full DISGUISED_PROGRAM /\.(?:gif|jpg|jpeg|png|ico|img|tif|tiff|bmp|wbmp|j2k|jp2|psd|psp|sgi|avi|mov|mpg|mpeg|qt|aif|aiff|snd|mp3|ogg|wav|mid|midi|doc|dot|xls|xlt|pps|ppt|txt|htm|html|pdf|rtf|arc|arj|gz|hqx|sit|zip|z|lzh|tar|tgz|uue|uu)\s{0,40}\.(?:com|exe|scr|bat|cmd|pif|vbs|vbe|js|jse|wsf|wsh|ocx|msc)\b/i
describe DISGUISED_PROGRAM Uses a strange filename/extension to trick you into running a program

# Matches e.g.  Content-Type: audio/midi; name="tune.exe"  -- the \s{0,30} after the
# semicolon also covers a name parameter folded onto the next (indented) line.
full MISLEADING_CONTENTTYPE /Content-Type:\s*(?:image|audio|video|text)\/[^;\r\n]{1,30};\s{0,30}name\s*=\s*"?[^"\r\n]{0,80}?\.(?:com|exe|scr|bat|cmd|pif|vbs|vbe|js|jse|wsf|wsh|ocx|msc)\b/i
describe MISLEADING_CONTENTTYPE Misleading Content-Type chosen to trick you into running a program
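The three tricks from the post, implemented as a small stand-alone checker. This is an added example, not part of the original mailing-list message and not SpamAssassin code; it walks a MIME message with Python's standard `email` module and reports which trick each attachment uses. The function names, the sample message and the attachment names are constructed for illustration.

```python
# Added example: detect the disguised-executable attachment tricks from the post.
import email

# Windows executable extensions listed in the post.
EXEC_EXTS = {
    "com", "exe", "scr", "bat", "cmd", "pif", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "ocx", "msc",
}

# Harmless-looking decoy extensions listed in the post.
DECOY_EXTS = {
    "bmp", "wbmp", "gif", "jpeg", "jpg", "png", "ico", "img", "j2k", "jp2",
    "psd", "psp", "sgi", "tif", "tiff", "tga",
    "avi", "mov", "mpg", "mpeg", "qt",
    "aif", "aiff", "snd", "mp3", "wav", "mid", "midi", "ogg",
    "doc", "dot", "xls", "xlt", "pps", "ppt",
    "txt", "htm", "html", "pdf", "rtf",
    "arc", "arj", "gz", "hqx", "sit", "zip", "z", "lzh", "tar", "tgz", "uue", "uu",
}

# MIME top-level types that make a mail client show a media/document icon.
DECOY_MAINTYPES = {"image", "audio", "video", "text"}


def classify_attachment(filename, maintype):
    """Return the tricks found for one attachment; an empty list means clean.

    Only attachments whose final extension is executable are examined, so an
    ordinary multi-extension file such as "holiday.tar.gz" is never flagged.
    """
    reasons = []
    if not filename:
        return reasons
    stem, dot, ext = filename.rpartition(".")
    if not dot or ext.strip().lower() not in EXEC_EXTS:
        return reasons
    # Case 2: "nicesound.mid        .cmd" - padding pushes the real extension out of view.
    if stem != stem.rstrip():
        reasons.append("whitespace_padding")
    # Case 1: "coolimage.jpg.exe" - a decoy extension directly before the real one.
    decoy = stem.rstrip().rpartition(".")[2].lower()
    if decoy in DECOY_EXTS:
        reasons.append("double_extension")
    # Case 3: image/audio/video/text Content-Type on a part whose name is a program.
    if maintype in DECOY_MAINTYPES:
        reasons.append("content_type_mismatch")
    return reasons


def scan_message(raw_bytes):
    """Walk every MIME part; return (filename, content-type, reasons) per hit."""
    msg = email.message_from_bytes(raw_bytes)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() checks Content-Disposition first, then the
        # Content-Type "name" parameter, which is where case 3 hides the name.
        name = part.get_filename()
        reasons = classify_attachment(name, part.get_content_maintype())
        if reasons:
            findings.append((name, part.get_content_type(), reasons))
    return findings


# Constructed sample: one attachment per trick, plus one clean multi-extension archive.
SAMPLE_MESSAGE = b"""From: sender@example.test
To: user@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BND"

--BND
Content-Type: application/octet-stream; name="coolimage.jpg.exe"
Content-Disposition: attachment; filename="coolimage.jpg.exe"

MZ...
--BND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="nicesound.mid                    .cmd"

@echo off
--BND
Content-Type: audio/midi; name="tune.exe"

MZ...
--BND
Content-Type: application/x-gzip; name="holiday.tar.gz"
Content-Disposition: attachment; filename="holiday.tar.gz"

...
--BND--
"""

if __name__ == "__main__":
    for name, ctype, reasons in scan_message(SAMPLE_MESSAGE):
        print(f"{name!r} ({ctype}): {', '.join(reasons)}")
```

Running the block prints one line per flagged attachment; the gzip archive produces no line, which is the "don't block all files with multiple extensions" rule from the post in practice. In a real filter these reasons would feed a score rather than a hard block, exactly as the post suggests.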


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
