
newbie asking first question :)

I'm running a mail server (Ubuntu/Postfix/Dovecot) with SpamAssassin. Most of the known spam is flagged (RBLs, and obvious UCE) except for this particular malspam in attached zip files like "order_info_654321.zip", "paymet_document_123456.zip", and so on, when it doesn't fit any other SA rules. I'd like to procure a rule which drops the matching offenders into oblivion.

After fiddling with regex101.com, I've come up with an expression that matches these patterns exclusively:

/\w+[_][0-9]{6}.zip$/img

Question is... How to format it all, get it to work, and where to put it? So far, I edited /etc/spamassassin/local.cf, added this to the bottom, and restarted:

mimeheader TROJAN_ATTACHED Content-Type =~ /\w+[_][0-9]{6}.zip$/img
describe ZIP_ATTACHED email contains a zip trojan attachment
score TROJAN_ATTACHED 99.

But it doesn't seem to do the magic. Where else can I look for this?

Thank you all, Keijo.-

Keijo D Putt

3 Answers


First up, SA doesn't drop e-mails by default, but it can score them so high on spam content that they don't show up in anyone's inbox. Second, the "ingredients" I started with were incorrect, and they messed up SA's ability to function at all.

This actually did the trick when added into /etc/spamassassin/local.cf:

full TROJAN_ZIPUNDS /\w*[_][\d]{1,6}\.zip/img
score TROJAN_ZIPUNDS 99
describe TROJAN_ZIPUNDS RM zip attached trojan underscore

Even though these spammers switched from zip to rar, from underscores to dashes, to different filenames, and so on, creating rules to counter them became simple after succeeding with the first one. Here's what I added too:

full TROJAN_RARDASH /\w*[-][\d]{1,6}\.rar/img
score TROJAN_RARDASH 99
describe TROJAN_RARDASH RM rar attached trojan dash

Also, as first described, I needed to specifically block certain zip file names, which soon morphed to rar and dashes, so morphing the regex and appending it as a rule triad to SpamAssassin's local.cf (and restarting) is currently holding, until the next spam wave :-)

Finally, this is a very very blunt workaround, so anyone with expertise on the subject is more than welcome to chime in.

Keijo D Putt

You have a wrong regex. You do not need a $ char at the end, because filename strings are not necessarily at the end of the Content-Type header. Instead, you can use a word boundary \b anchor. In my rules, I have the following, and it works perfectly:

mimeheader MIME_FAIL   Content-Type =~ /\.(ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh|reg)\b/i
describe   MIME_FAIL   Blacklisted file extension detected
score      MIME_FAIL   5
El cero

You are using the wrong mime header to check for the filename. Use this instead:

mimeheader TROJAN_ATTACHED Content-Disposition =~ /\w+[_][0-9]{6}\.zip/im

Also make sure you have the MimeHeader plugin loaded.

loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
John Caprez
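The header-matching behaviour the last two answers describe, as an added example (not code from this thread and not SpamAssassin's own code): a small Python emulation of a SpamAssassin `mimeheader` rule, run over a constructed message. The message, the attachment names, the rule name TROJAN_ATTACHED in the RULES list and the helper names are all made up for the demonstration. It shows why the question's `$`-anchored pattern never matches a quoted filename (the closing `"` follows `.zip`), why the `\b` form from the second answer does match on both Content-Type and Content-Disposition, and, going one step beyond the thread, why the unescaped dot should be fixed as well: with `.` unescaped, a harmless attachment named `scan_202406_zip.pdf` would also be scored 99.

```python
"""Emulate SpamAssassin `mimeheader` rule matching on a constructed message.

Added example for this thread, not SpamAssassin code and not a real capture:
the message, filenames and RULES list below are made up for the demonstration.
"""
import email
import re


def build_sample(mime_type: str, filename: str) -> str:
    """Constructed test message: one text part plus one attachment whose
    Content-Type carries name= and whose Content-Disposition carries filename=,
    both quoted, which is how most mailers emit them."""
    return (
        'From: "Billing" <billing@example.invalid>\n'
        "To: victim@example.invalid\n"
        "Subject: order information\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        'Content-Type: text/plain; charset="us-ascii"\n'
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        "Please find the document attached.\n"
        "\n"
        "--b1\n"
        f'Content-Type: {mime_type}; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "UEsDBAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
        "\n"
        "--b1--\n"
    )


MALSPAM = build_sample("application/zip", "order_info_654321.zip")
BENIGN = build_sample("application/pdf", "scan_202406_zip.pdf")  # legitimate-looking name

# The question's pattern: unescaped '.', '$' end anchor.  Its 'g' flag is the
# JavaScript/regex101 global-match flag, not one of the i/m/s/x modifiers a
# Perl pattern takes, so it is simply dropped here.
OP_PATTERN = r"\w+[_][0-9]{6}.zip$"
OP_FLAGS = re.IGNORECASE | re.MULTILINE
# '$' replaced by a word boundary, as the second answer suggests.
BOUNDARY_UNESCAPED = r"\w+[_][0-9]{6}.zip\b"
# Dot escaped as well, so ".zip" must be a real extension, not "<any char>zip".
FIXED_PATTERN = r"\w+_[0-9]{6}\.zip\b"

# The question's rule triad, corrected, as data: (name, header, pattern, score).
# Assumed rule name; Content-Disposition is where the filename normally lives.
RULES = [("TROJAN_ATTACHED", "Content-Disposition", FIXED_PATTERN, 99.0)]


def mimeheader_hits(raw_message: str, header: str, pattern: str,
                    flags: int = re.IGNORECASE) -> list:
    """Emulate `mimeheader RULE <header> =~ /pattern/i`: apply the pattern to the
    named header of every MIME part and return the header values that matched.
    The rule fires when the list is non-empty."""
    msg = email.message_from_string(raw_message)
    regex = re.compile(pattern, flags)
    hits = []
    for part in msg.walk():
        value = part.get(header)  # None for parts without that header
        if value is not None and regex.search(value):
            hits.append(value)
    return hits


def score_message(raw_message: str, rules) -> tuple:
    """Add up the scores of the rules that fire, as SpamAssassin would."""
    total, fired = 0.0, []
    for name, header, pattern, score in rules:
        if mimeheader_hits(raw_message, header, pattern):
            total += score
            fired.append(name)
    return total, fired


if __name__ == "__main__":
    for label, pattern, flags in (("question's pattern", OP_PATTERN, OP_FLAGS),
                                  ("\\b, dot unescaped", BOUNDARY_UNESCAPED, re.IGNORECASE),
                                  ("\\b, dot escaped", FIXED_PATTERN, re.IGNORECASE)):
        for name, raw in (("malspam", MALSPAM), ("benign", BENIGN)):
            for header in ("Content-Type", "Content-Disposition"):
                hits = mimeheader_hits(raw, header, pattern, flags)
                print(f"{label:20} {name:8} {header:20} -> {hits}")
    print("scores:", score_message(MALSPAM, RULES), score_message(BENIGN, RULES))
```

Running it prints an empty hit list for the question's pattern on both headers of the malspam message, one hit per header for the two `\b` patterns, and a hit on the benign PDF only for the pattern with the unescaped dot. The same check is cheap to repeat against the real thing: put the corrected triad in local.cf, run `spamassassin --lint`, then feed a saved sample through `spamassassin -t < sample.eml` and look for the rule name in the X-Spam-Status tests list.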