On Tue, 08 Jul 2014 21:03:35 -0400 "Kevin A. McGrail" <kmcgr...@pccc.com> wrote:
> So this sounds like you are searching the entire email for this
> string which just sounds inefficient especially if they use some big
> attachments.

It's not too bad because the regex is simple.

> Since I'm guessing you are using MD, wouldn't something like this be
> better? Untested, but based on some code for looking for rar files
> masquerading as zip files:

Yes, looking at file signatures (à la "file(1)") would be more robust.

> if (uc($header) eq "MZ") {

You don't want the uc(); that could lead to false-positives, but yes, the idea is correct.

The reason I did it with a SpamAssassin rule is that we have ways to push out SpamAssassin rules easily to our customers, but not so much code changes. :)

The rule hits on surprisingly few messages (only two out of a couple of million so far), but it's not terribly accurate: one false-positive caused by a stupid base-64 encoder that leaves extra newlines between lines, and one sort-of-false-positive that was a DLL renamed to .DAT to sneak past filename extension blocks, but wasn't otherwise malicious.

Regards,

David.
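As an added example (not code from this thread, from SpamAssassin or from MIMEDefang), here is the content-based check the reply endorses: decode the base64 attachment body while tolerating the stray blank lines some encoders emit, then compare the first two bytes to "MZ" case-sensitively instead of through uc(). All function names, the extension list and the sample inputs are constructed for illustration.

```python
import base64

# Magic bytes at offset 0 of a DOS/PE executable (.exe, .dll, .scr, ...).
MZ_MAGIC = b"MZ"

# Extensions where a PE body is expected; anything else with an MZ header is a
# renamed executable (the ".DAT" DLL case from the thread). Constructed list.
PE_EXTENSIONS = {"exe", "dll", "scr", "com", "sys"}


def decode_base64_body(b64_text: str) -> bytes:
    """Decode a base64 transfer-encoded body, tolerating extra line breaks.

    Joining on all whitespace first means an encoder that leaves blank lines
    between its 76-column lines still decodes to the same bytes as a clean one.
    """
    compact = "".join(b64_text.split())
    return base64.b64decode(compact, validate=True)


def is_pe_executable(data: bytes) -> bool:
    """Signature check in the style of file(1): exact, case-sensitive match on
    the first two bytes. Uppercasing the header before comparing would also
    flag ordinary files that merely begin with 'mz'."""
    return data[:2] == MZ_MAGIC


def check_attachment(filename: str, b64_text: str) -> dict:
    """Classify one base64-encoded attachment by content, not by its name."""
    data = decode_base64_body(b64_text)
    is_pe = is_pe_executable(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "filename": filename,
        "is_pe": is_pe,
        # Executable content behind a non-executable extension: worth flagging,
        # though on its own it is not proof of malice.
        "extension_mismatch": is_pe and ext not in PE_EXTENSIONS,
    }


def sloppy_base64(data: bytes) -> str:
    """Constructed encoder that inserts a blank line after every base64 line,
    mimicking the kind of output that confused a raw-text rule."""
    lines = base64.encodebytes(data).decode("ascii").splitlines()
    return "\n\n".join(lines) + "\n"


if __name__ == "__main__":
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60          # constructed DOS header prefix
    text_file = b"mz is not a PE signature\n"       # constructed plain text
    for name, body in [("report.dat", sloppy_base64(pe_stub)),
                       ("notes.txt", sloppy_base64(text_file))]:
        print(check_attachment(name, body))
```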