Blocking cannibalized spam/virus mail with password-protected attachments
Nikolaos Milas
nmilas at noa.gr
Tue Dec 22 09:39:18 CET 2020
On 22/12/2020 10:24 AM, Nikolaos Milas wrote:
> Can you please suggest ways in which we can configure amavis so as to
> recognize and drop this kind of mail?

Another, probably better, approach would be to add to amavis a scan rule
like:

If body contains text like:

    Password archivio: XXXX
    -or-
    Archive pass: XXXX

[where XXXX is a 3- or 4-digit number]
...followed by any number of spaces and/or end-of-line characters and
then by the exact Sender name, then send to quarantine.

That is because all such mails include in the body the following
(injected) text:

    Password archivio: 851
    The_exact_Sender_name
    The_original_sender_email (i.e. not the changed one)

Can someone please compose such a rule and guide me on how to add it to amavis?

Cheers,
Nick
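
The check requested above, sketched in Python as an added example; it is not code from the post and not amavis configuration. The function names and the sample messages are constructed here, and the regex assumes at least one space or newline between the number and the sender name.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Marker phrases from the post, then a 3- or 4-digit number.
MARKER = r"(?:Password archivio|Archive pass):[ \t]*\d{3,4}\b"

def body_text(msg):
    """Join every text/plain part of the message."""
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_type() == "text/plain")

def should_quarantine(raw):
    """True if the marker is followed by the From: display name."""
    msg = message_from_string(raw, policy=policy.default)
    name = parseaddr(str(msg.get("From", "")))[0].strip()
    if not name:
        return False  # no display name to compare against
    # Assumption: at least one space or newline separates number and name.
    rule = re.compile(MARKER + r"\s+" + re.escape(name) + r"[ \t]*$", re.M)
    return bool(rule.search(body_text(msg)))

def make(sender, body):
    """Build a constructed sample message (not real traffic)."""
    return f"From: {sender}\nTo: user@example.org\nSubject: Re: offer\n\n{body}"

# Constructed samples: the injected block, a 5-digit number,
# a marker not directly followed by the name, and a bare address.
INJECTED = make("Maria Rossi <changed@example.net>",
                "See attachment.\n\nPassword archivio: 851\n\n"
                "Maria Rossi\nm.rossi@example.com\n")
FIVE_DIGITS = make("Maria Rossi <m.rossi@example.com>",
                   "Archive pass: 12345\nMaria Rossi\n")
NOT_ADJACENT = make("Maria Rossi <m.rossi@example.com>",
                    "Archive pass: 1234\nRegards,\nMaria Rossi\n")
NO_NAME = make("changed@example.net",
               "Archive pass: 851\nMaria Rossi\n")

if __name__ == "__main__":
    for label, raw in [("injected", INJECTED), ("five digits", FIVE_DIGITS),
                       ("not adjacent", NOT_ADJACENT), ("no name", NO_NAME)]:
        print(f"{label}: quarantine={should_quarantine(raw)}")
```

A legitimate message that states an archive password directly above the sender's signature matches the same pattern, which fits the post's choice of quarantine as the action.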