> > > > It's been a while since I've seen a password-protected zip or PDF, but I
> > > > got one today that wasn't tagged and was hoping someone might have some
> > > > ideas.
> > > >
> > > > https://pastebin.com/msPCQHyD
> > > >
> > > > I've created some basic body and attachment rules, but would be
> > > > interested in hearing thoughts (either directly or using the above to
> > > > improve your own rules) from others about how to block them.
> > > >
> > > > At the least, it should have been identified by clamav.
> > >
> > > That email hits SEM_FRESH and GMD_PDF_ENCRYPTED (this needs
> > > Mail::SpamAssassin::Plugin::PDFInfo); it seems a good start for a meta rule.
It looks like the KAM rules are killing that rule here?

    $ grep GMD_PDF_ENCRYPTED *
    KAM.cf: meta KAM_BADPDF1 (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)
    KAM_deadweight3.cf:score GMD_PDF_ENCRYPTED 0
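The check the grep above is doing by hand, as an added example that is not part of the thread or of the KAM rule set: walk a set of .cf files in load order, collect every meta rule's dependencies and the last score assigned to each rule, and report any non-__ dependency whose effective score is 0. The sample files are constructed here to mirror the two grep hits (the KAM_BADPDF1 score, the LOCAL_FRESH_ENC_PDF meta built from SEM_FRESH and GMD_PDF_ENCRYPTED, and the local.cf override are all hypothetical); the "later file wins" ordering assumes the site config directory is read after the sa-update rules, and the script only flags the situation, it does not decide whether SpamAssassin still evaluates a zero-scored rule for a meta.

```python
"""Audit SpamAssassin .cf files for meta-rule dependencies whose score was
zeroed by a file loaded later (e.g. a KAM_deadweight*.cf override).
Added example for the thread; file contents below are constructed."""
import re
from collections import OrderedDict

META_RE = re.compile(r'^\s*meta\s+(\S+)\s+(.+)$')
SCORE_RE = re.compile(r'^\s*score\s+(\S+)\s+(-?[\d.]+)')
SYM_RE = re.compile(r'\b([A-Z_][A-Z0-9_]+)\b')   # rule names inside a meta expr


def parse_rules(files):
    """files: list of (filename, text) in load order; a later 'score' line
    for the same rule replaces an earlier one, which is how SA applies them."""
    metas, scores = OrderedDict(), OrderedDict()
    for fname, text in files:
        for line in text.splitlines():
            line = line.split('#', 1)[0]           # drop comments
            m = META_RE.match(line)
            if m:
                name, expr = m.groups()
                metas[name] = [s for s in SYM_RE.findall(expr) if s != name]
                continue
            m = SCORE_RE.match(line)
            if m:
                scores[m.group(1)] = (float(m.group(2)), fname)
    return metas, scores


def zeroed_dependencies(metas, scores):
    """{meta: [(dependency, file_that_set_score_0)]} for dependencies that
    are ordinary (non-__) rules and whose effective score is 0."""
    out = {}
    for meta, deps in metas.items():
        hits = [(d, scores[d][1]) for d in deps
                if not d.startswith('__') and d in scores and scores[d][0] == 0]
        if hits:
            out[meta] = hits
    return out


def audit(files):
    metas, scores = parse_rules(files)
    return zeroed_dependencies(metas, scores)


# Constructed sample, in load order: channel rules first, site local.cf last.
# Score values and the LOCAL_* meta are hypothetical.
SAMPLE_FILES = [
    ("KAM.cf", """
meta KAM_BADPDF1 (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)
score KAM_BADPDF1 2.0
"""),
    ("KAM_deadweight3.cf", "score GMD_PDF_ENCRYPTED 0\n"),
    ("local.cf", """
# hypothetical site meta built from the two hits mentioned in the thread
meta LOCAL_FRESH_ENC_PDF (SEM_FRESH && GMD_PDF_ENCRYPTED)
score LOCAL_FRESH_ENC_PDF 3.0
"""),
]

# Hypothetical local.cf line that would give the rule a non-zero score again.
OVERRIDE = [("local.cf", "score GMD_PDF_ENCRYPTED 0.1\n")]

if __name__ == "__main__":
    for meta, hits in audit(SAMPLE_FILES).items():
        for dep, src in hits:
            print(f"{meta}: dependency {dep} has score 0 (set in {src})")
    print("after override:", audit(SAMPLE_FILES + OVERRIDE))
```

Run it against a real rules tree by replacing SAMPLE_FILES with the files read from the sa-update directory followed by the site config directory, in that order; anything it reports is a meta whose trigger depends on a rule some later file has zeroed, which is exactly the question the grep output raises.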