On Wed, 30 Mar 2016, Alex wrote:

Hi,

I'd like to assign a spamassassin score to received word documents
(doc,docx,xls,xlsx) so they are quarantined on my UTM. I've tried the
following which doesn't work. Can someone show me an example that should
work?

mimeheader DOC_ATTACHED Content-Type =~ /doc/i
describe DOC_ATTACHED email contains a DOC file attachment
score DOC_ATTACHED 12.5

If you're just going to block them outright, you'd probably be better
served doing it in your MTA. Assuming you're using postfix?

/^(Content-(Type|Disposition)\:|[[:space:]]+).*(file)?name="?.*\.doc"?;?$/
REJECT

I believe something like this would work in spamassassin:

mimeheader DOC_ATTACHED Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
score            DOC_ATTACHED 12.5

This may catch some documents but MS products key almost entirely on the file name extension.

So the content type header may be "application/octet-stream" and totally missing a 'name=' component, but if there's also a Content-Disposition header that has a 'filename=' component it will trigger file opening behavior.


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

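The case raised in the last reply above, as an added example that is not part of the original thread: a check that reads the file name from both the Content-Type `name=` parameter and the Content-Disposition `filename=` parameter of every MIME part, and matches on the extension only. The function name, extension list and sample message are constructed for illustration.

```python
from email import message_from_bytes, policy

# Extensions named in the thread (doc, docx, xls, xlsx, plus rtf from the reply).
OFFICE_EXT = (".doc", ".docx", ".xls", ".xlsx", ".rtf")

def office_attachments(raw):
    """Return (filename, header) pairs for MIME parts named like Office files."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Check both places a mail client can take the file name from.
        for header, param in (("Content-Type", "name"),
                              ("Content-Disposition", "filename")):
            value = part.get(header)
            name = value.params.get(param) if value is not None else None
            if name and name.strip().lower().endswith(OFFICE_EXT):
                hits.append((name, header))
    return hits

# Constructed sample: the attachment has a generic Content-Type with no name=,
# and its file name appears only in Content-Disposition. The text part's name
# merely contains "doc" and must not be reported.
SAMPLE = b"""\
From: sender@example.com
To: rcpt@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; name="doc-notes.txt"

hello
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.DOC"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for name, header in office_attachments(SAMPLE):
        print(f"{header}: {name}")
```

A rule that inspects only Content-Type reports nothing for the attachment in this sample, while a bare /doc/i match on Content-Type fires on the harmless text part.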