[EMAIL PROTECTED] wrote:
Jay Hall wrote:

I am experiencing a problem with one of my rules that I
cannot seem to find.

I have the following rules defined.

rawbody __RAW_EXE_ATTACHMENT    /filename=\".*\.exe\"/i
rawbody __RAW_VBS_ATTACHMENT    /filename=\".*\.exe\"/i
rawbody __RAW_COM_ATTACHMENT    /filename=\".*\.com\"/i
rawbody __RAW_PIF_ATTACHMENT    /filename=\".*\.pif\"/i
rawbody __RAW_CMD_ATTACHMENT    /filename=\".*\.cmd\"/i
rawbody __RAW_BAT_ATTACHMENT    /filename=\".*\.bat\"/i

meta ATTACHMENT_RULES (__RAW_EXE_ATTACHMENT || __RAW_VBS_ATTACHMENT || __RAW_COM_ATTACHMENT || __RAW_PIF_ATTACHMENT || __RAW_CMD_ATTACHMENT || __RAW_BAT_ATTACHMENT)

score ATTACHMENT_RULES 25.00

Any attachments listed above will be properly identified as and the
tests run with the exception of an EXE attachment.  A filename with an
.exe extension is not flagged.

I have added an additional rule that checks for an .exe attachment, that
is not part of the meta rule, and I receive the same results. This
leads me to believe there is something wrong with my test for .exe
attachments.


I am running SA 2.64, spamd, and it is invoked from q-mail.

Any suggestions would be greatly appreciated.

Thanks in advance for your assistance.



Jay Hall


How about trying:
rawbody ATTACHMENT_RULES /filename=\"?.*\.(?:exe|vbs|com|pif|cmd|bat|cpl|scr)\"?\s*$/i
score ATTACHMENT_RULES 25.00

Note: added .cpl and .scr
added end-of-line test $ to avoid false positives on things like
"example.com contract.doc"
made quotes optional

[EMAIL PROTECTED]                      805.964.4554 x902
Hispanic Business Inc./HireDiversity.com         Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
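
To check what the suggested pattern matches before relying on it, the following added example (not code from the thread or from SpamAssassin) runs it in Python over constructed MIME header lines, next to the same pattern without the `$` anchor. It assumes the rule sees the MIME part header lines and tests each line on its own; `matching_lines` and the sample lines are hypothetical.

```python
import re

EXTS = r"(?:exe|vbs|com|pif|cmd|bat|cpl|scr)"

# Pattern from the reply above, copied unchanged (Perl /i -> re.I).
SUGGESTED = re.compile(r'filename=\"?.*\.' + EXTS + r'\"?\s*$', re.I)
# Same pattern without the end-of-line anchor, for comparison only.
UNANCHORED = re.compile(r'filename=\"?.*\.' + EXTS + r'\"?', re.I)

# Constructed MIME part header lines (not taken from the thread).
SAMPLE = """\
Content-Type: application/octet-stream; name="vncviewer.exe"
Content-Disposition: attachment; filename="vncviewer.exe"
Content-Disposition: attachment; filename=setup.scr
Content-Disposition: attachment; filename="example.com contract.doc"
Content-Disposition: attachment; filename="report.exe"; size=1024
Content-Disposition: attachment;
 filename="NOTES.BAT"
"""


def matching_lines(pattern, text):
    """Return the 1-based numbers of the lines the pattern matches.

    Each line is tested on its own, which is the assumed rule behaviour.
    """
    return [n for n, line in enumerate(text.splitlines(), 1)
            if pattern.search(line)]


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for label, pat in (("suggested", SUGGESTED), ("unanchored", UNANCHORED)):
        print(label)
        for n in matching_lines(pat, SAMPLE):
            print(f"  line {n}: {lines[n - 1].strip()}")
```

The anchored pattern skips the "example.com contract.doc" line, as the note says, but it also skips a `filename=` value that is followed by another parameter on the same line, and neither pattern looks at the `name=` parameter of Content-Type.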



I changed the rules as you suggested, but e-mails with exe attachments are still not being marked as SPAM. However, others are. Following are the headers from an e-mail sent with an exe attachment.


To: [EMAIL PROTECTED]
Subject: EXE Test 1 - exe
Content-Type: multipart/mixed; boundary="------------050409040702070007040104"
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on mnea-hq.mnea.org
X-Spam-Level:
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=ham version=2.64
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 29 Sep 2004 22:12:44.0170 (UTC) FILETIME=[71AA06A0:01C4A671]


If I am reading the headers correctly, it appears the attachment tests were not done in this case. The file attached to the message was vncviewer.exe.

What additional information should I be looking for to troubleshoot this problem?

Thanks for your help.



Jay






