My environment includes a firewall mail relay running a product called Gauntlet, followed by a Sendmail Switch mailhub running MimeDefang to call SpamAssassin, then ultimately Exchange (plus some Lotus Notes, GroupWise, UNIX mail, VAX mail and others). Gauntlet, like most commercial virus protection software, does not offer the option of discarding virus-infected messages; the only option is cleaning. Changing firewall software or routing of mail are not options. When Gauntlet detects a virus-infected attachment, it replaces the attachment with a message stating that the virus has been cleaned. It retains the name of the original attachment, appending a ".htm" to it, as in patch.exe.htm in the example below. Most users cannot recognize the subtle differences between a virus-infected message and a cleaned message. This leads to a lot of calls from users thinking they have a virus. I have tried to add rules to make SpamAssassin discard these messages. Below are a piece of the header, an actual attachment and a couple of rules I have tried. PLEASE HELP with suggestions of rules that can be used to block these messages.

PIECE OF HEADER:

    Subject: Use this patch immediately !
    MIME-Version: 1.0
    Content-Type: multipart/mixed;boundary="xxxx"
    X-Scanned-By: MIMEDefang 2.32 (www . roaringpenguin . com / mimedefang)

    --xxxx
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7bit

    --xxxx
    Content-Type: Text/HTML; name="patch.exe.htm"
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment; filename="patch.exe.htm"
    X-NAI-Gauntlet-mimepp: Attachment removed

    --xxxx
    --xxxx--

ACTUAL ATTACHMENT:

    <html><head><meta HTTP-EQUIV="Content-Type" content="text/html; charset=">
    <title>VIRUS INFECTION ALERT</title></head>
    <body>
    <h1><font color="#FF0000">VIRUS INFECTION ALERT</font></h1>
    <p>The Gauntlet Firewall® discovered a virus in this file. The file was not repaired and has therefore been removed. See your system administrator for further information. </p>
    <p>Filename: patch.exe<br>
    Virus name: W32/[EMAIL PROTECTED]</p>
    <p>Copyright © 1993-2001, Networks Associates Technology, Inc.All Rights Reserved.<br>
    <a href="http://www.pgp.com">http://www.pgp.com</a></p>
    </body></html>

RULES I TRIED:

    uri BLACKLIST_URI_3 /(pgp.com|rest of the list removed for example)/i
    describe BLACKLIST_URI_3 Local Blacklisted URLs
    score BLACKLIST_URI_3 10

(This works if I remove the attachment and attach it to a test message, but does not work in real life.)

    header drop_gauntlet X-NAI-Gauntlet-mimepp =~ /removed/
    describe drop_gauntlet remove virus warnings
    score drop_gauntlet 10

(this has never worked)
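
Added example (not part of the original post, and not code from Gauntlet, MIMEDefang or SpamAssassin): in the header fragment above, X-NAI-Gauntlet-mimepp appears after a boundary line, in the header block of the attachment's MIME part, not among the message's own headers. The Python sketch below parses a constructed copy of that message and contrasts a lookup in the top-level headers with a walk over the MIME parts; the sample body text and the function names are assumptions.

```python
from email import message_from_string

# Constructed sample, modelled on the header fragment quoted in the post.
SAMPLE = """\
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xxxx"

--xxxx
Content-Type: text/plain

(constructed body text)
--xxxx
Content-Type: Text/HTML; name="patch.exe.htm"
Content-Disposition: attachment; filename="patch.exe.htm"
X-NAI-Gauntlet-mimepp: Attachment removed

<html><head><title>VIRUS INFECTION ALERT</title></head></html>
--xxxx--
"""

MARKER = "X-NAI-Gauntlet-mimepp"


def top_level_marker(raw):
    """What a check limited to the message's own headers can see."""
    return message_from_string(raw).get(MARKER)


def cleaned_parts(raw):
    """Return (filename, marker value) for each MIME part Gauntlet replaced."""
    msg = message_from_string(raw)
    hits = []
    for part in msg.walk():
        if part is msg:
            continue  # skip the top-level header block, inspect sub-parts only
        value = part.get(MARKER)
        if value and "removed" in value.lower():
            hits.append((part.get_filename(), value))
    return hits


def is_gauntlet_notice(raw):
    """True when at least one MIME part carries the Gauntlet marker header."""
    return bool(cleaned_parts(raw))
```

On the sample, the top-level lookup returns nothing while the part walk reports patch.exe.htm, so a filter that decides on these messages has to inspect per-part headers.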