On 22/12/2020 10:24 a.m., Nikolaos Milas wrote:
> Can you please suggest ways in which we can configure amavis so as
> to recognize and drop this kind of mail?
On 22.12.20 10:39, Nikolaos Milas wrote:
> Another, probably better, approach would be to add to amavis a scan
> rule like:
> If body contains text like:
> Password archivio: XXXX
> -or-
> Archive pass: XXXX
> [where XXXX is a 3- or 4-digit number]
> ...followed by any number of spaces and/or end-of-line characters and
> then by the exact Sender name, then send to quarantine.
this should be imho more a spamassassin rule
however, there are many languages in the world, so we'd need to match more
of them.
> That, because all such mails include in the body the following
> (injected) text:
> Password archivio: 851
> The_exact_Sender_name
> The_original_sender_email (i.e. not the changed one)
> Can someone please compose such a rule and guide me how to add it to amavis?
spamassassin rule could look like this:
# either keyword order: "Password archivio:" or "Archive pass:"
body __ARCHIVE_PASSWORD_1 /pass(word)? archiv(e|io):/i
body __ARCHIVE_PASSWORD_2 /archiv(e|io) pass(word)?:/i
# the meta expression has to stay on one line
meta ARCHIVE_PASSWORD __ARCHIVE_PASSWORD_1 || __ARCHIVE_PASSWORD_2
describe ARCHIVE_PASSWORD provides archive password
score ARCHIVE_PASSWORD 5
note that you might want to use replacetags and optionally fill with \s? to
work around possible whitespace characters
--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Enter any 12-digit prime number to continue.
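
The check described in the quoted request (keyword, a 3- or 4-digit number, then the sender's display name), prototyped in Python so the pattern can be tried on sample mail before it is turned into a rule. This is an added example, not code from the thread; the `classify` function, its verdict labels and the sample messages are constructed for illustration, and it assumes single-part plain-text mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Both keyword orders from the posted rule, plus the 3- or 4-digit number from
# the quoted request; \s+ and \s* tolerate extra spaces and line breaks.
ARCHIVE_PASS = re.compile(
    r"\b(?:pass(?:word)?\s+archiv(?:e|io)|archiv(?:e|io)\s+pass(?:word)?)"
    r"\s*:\s*\d{3,4}\b",
    re.IGNORECASE,
)

def classify(raw_message: str) -> str:
    """Return 'quarantine', 'keyword-only' or 'clean' (hypothetical labels)."""
    msg = message_from_string(raw_message)
    display_name, _addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # a plain string for single-part mail
    verdict = "clean"
    for hit in ARCHIVE_PASS.finditer(body):
        verdict = "keyword-only"
        # Text that follows the number once spaces and newlines are skipped.
        following = body[hit.end():].lstrip()
        if display_name and following.startswith(display_name):
            return "quarantine"
    return verdict

# Constructed sample messages (not taken from the thread).
INJECTED = (
    "From: Mario Rossi <relay@example.net>\n"
    "Subject: Re: fattura\n\n"
    "Buongiorno,\n\nPassword archivio: 851\n\n"
    "Mario Rossi\nmario.rossi@example.com\n"
)
SPACED = (
    'From: "Mario Rossi" <relay@example.net>\n\n'
    "Archive  pass :  1234 \n   Mario Rossi\n"
)
LEGIT = (
    "From: Helpdesk <helpdesk@example.org>\n\n"
    "Archive pass: 4821\nCall us if the file does not open.\n"
)
CLEAN = "From: Helpdesk <helpdesk@example.org>\n\nThe archive is on the share.\n"

if __name__ == "__main__":
    for label, raw in [("injected", INJECTED), ("spaced", SPACED),
                       ("legit", LEGIT), ("clean", CLEAN)]:
        print(label, "->", classify(raw))
```

The `keyword-only` verdict shows why the sender-name condition matters: a legitimate message that merely states an archive password matches the keyword part but is not followed by the sender's display name.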