On Sun, 05 Feb 2017, Adam Borowski wrote:
> In the past months, we're seeing a MASSIVE amount of spam in the BTS that's
> not properly rejected. Most of what gets through follows the same scheme:
> * a body of text that follows one of a few themes (usually fedex, a parcel,
> an invoice, court stuff), but is too diverse for a simple rule
> * a single .zip attachment
> * a single Windows executable (.exe, .scr, .wsf, .js, .pif, etc, possibly
> in ALL CAPS or with MiXeD CaSe) inside
We're already banning almost all of these with rules in spamassassin
which I keep tweaking:
# don 2016-11-04
header FEDEXPACKAGE subject =~ /(FedEx International|USPS courier)|((unable to|could not) deliver|problems? with).*(item|parcel)|shipment delivery problem|delivery notification|USPS delivery/i
describe FEDEXPACKAGE Fedex Package Virus spam
score FEDEXPACKAGE 4
# don 2016-11-04
header SHIPPING_ID subject =~ /(ID:?|ID|\#|n\.)\s*\d{7,}\s*($|shipment|delivery)/
describe SHIPPING_ID Contains a long ID number at the end or followed by shipment
score SHIPPING_ID 3
header SHIP_ID_INT subject =~ /(ID:?|ID|\#|n\.)\s*\d{7,}\s*/
describe SHIP_ID_INT Contains a long ID number inside
score SHIP_ID_INT 1
rawbody MSWORD /application\/msword/
describe MSWORD Has a word attachment
score MSWORD 2
meta FEDEX_ZIP (FEDEXPACKAGE || SHIPPING_ID || SHIP_ID_INT) && (ZIPCOMPRESSED || ZIPFILE || MSWORD)
describe FEDEX_ZIP Fedex package with zip file
score FEDEX_ZIP 7
Suggestions and patches to update these are definitely appreciated.
> If that'd be too disruptive in your opinion, looking inside the .zip
> and banning only Windows executables would be good. It's very
> unusual to have a reason to attach such a file, and tarballs can do
> that well.
What we actually need is a plugin to call out from spamassassin to
clamav to score messages which contain viruses very highly. Something
along the lines of https://wiki.apache.org/spamassassin/ClamAVPlugin but
which uses the plugin configuration options in SA and ideally is
packaged in Debian.
--
Don Armstrong https://www.donarmstrong.com
Life would be way easier
if I were easier.
-- a softer world #473
http://www.asofterworld.com/index.php?id=473
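The check Adam proposes (look inside the .zip and only reject Windows executables), combined with the subject tests from Don's SpamAssassin rules, as an added example in Python. This is not code from the thread, from the Debian BTS or from SpamAssassin: the subject regexes are transcribed from the rules quoted above, the "has a zip" test stands in for SpamAssassin's stock ZIPCOMPRESSED/ZIPFILE rules, the ZIP_WIN_EXEC rule name and its score of 10 are assumptions of this example, and the messages it scores are constructed inline.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Windows executable extensions named in the thread, matched case-insensitively
# so "INVOICE.EXE" and "Doc.ScR" are caught as well as "invoice.exe".
WIN_EXEC_EXT = re.compile(r"\.(exe|scr|wsf|js|pif|com|bat|cmd|vbs|hta)$", re.I)

# Don's subject tests, transcribed from the SpamAssassin rules in the mail above.
SUBJECT_RULES = {
    "FEDEXPACKAGE": (re.compile(
        r"(FedEx International|USPS courier)"
        r"|((unable to|could not) deliver|problems? with).*(item|parcel)"
        r"|shipment delivery problem|delivery notification|USPS delivery", re.I), 4),
    "SHIPPING_ID": (re.compile(r"(ID:?|ID|\#|n\.)\s*\d{7,}\s*($|shipment|delivery)"), 3),
    "SHIP_ID_INT": (re.compile(r"(ID:?|ID|\#|n\.)\s*\d{7,}\s*"), 1),
}
# Hypothetical rule for "Windows executable inside the zip"; the score is an assumption.
ZIP_WIN_EXEC_SCORE = 10


def zip_executables(data):
    """Names of Windows executables inside a zip blob; [] if it is not a zip.

    Only the central directory is read and nothing is extracted, so a zip bomb
    costs no more than reading its table of contents.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if WIN_EXEC_EXT.search(n)]
    except zipfile.BadZipFile:
        return []


def score_raw(raw):
    """Apply the rules to one RFC 5322 message; returns {rule_name: score}."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    hits = {}
    for name, (pattern, score) in SUBJECT_RULES.items():
        if pattern.search(subject):
            hits[name] = score

    has_zip = False  # stands in for the stock ZIPCOMPRESSED/ZIPFILE tests (assumption)
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ctype == "application/msword":
            hits["MSWORD"] = 2
        if fname.endswith(".zip") or ctype in ("application/zip", "application/x-zip-compressed"):
            has_zip = True
            if zip_executables(payload):
                hits["ZIP_WIN_EXEC"] = ZIP_WIN_EXEC_SCORE

    # Don's meta rule: a shipping-themed subject plus a zip or Word attachment.
    if any(r in hits for r in SUBJECT_RULES) and (has_zip or "MSWORD" in hits):
        hits["FEDEX_ZIP"] = 7
    return hits


def build_sample(subject, zip_members):
    """Constructed test message: a text body plus one zip attachment (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in zip_members:
            zf.writestr(member, b"MZ\x90\x00 placeholder, not a real executable")
    msg = EmailMessage()
    msg["From"] = "courier@example.invalid"
    msg["To"] = "submit@bugs.example.invalid"
    msg["Subject"] = subject
    msg.set_content("Your parcel could not be delivered. Details are in the attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="PARCEL.ZIP")
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, members in [("Delivery notification ID: 12345678", ["INVOICE.ExE"]),
                          ("Lunch tomorrow?", ["photos/cat.jpg"])]:
        hits = score_raw(build_sample(subj, members))
        print(subj, "->", hits, "total", sum(hits.values()))
```

Only the zip's central directory is consulted, which is the part a plugin should limit itself to when fed untrusted attachments: member names are enough to spot an executable, and extracting would expose the filter to nested archives and zip bombs. As in SpamAssassin, SHIPPING_ID and SHIP_ID_INT both fire on the same subject and their scores add up.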