Blocking cannibalized spam/virus mail with password-protected attachments

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Dec 22 10:18:18 CET 2020


>On 22/12/2020 10:24 π.μ., Nikolaos Milas wrote:
>
>>Can you please suggest ways in which we can configure amavis so as 
>>to recognize and drop this kind of mail?

On 22.12.20 10:39, Nikolaos Milas wrote:
>Another, probably better, approach would be to add to amavis a scan 
>rule like:
>
>If body contains text like:
>
>   Password archivio: XXXX
>   -or-
>   Archive pass: XXXX
>
>   [where XXXX is a 3- or 4-digit number]
>
>...followed by any number of spaces and/or end-of-line characters and 
>then by the exact Sender name, then send to quarantine.

this should IMHO be more of a spamassassin rule

however, there are many languages in the world, so we'd need to match more
of them.


>That, because all such mails include in the body the following 
>(injected) text:
>
>   Password archivio: 851
>
>
>   The_exact_Sender_name
>   The_original_sender_email (i.e. not the changed one)
>
>Can someone please compose such a rule and guide me how to add it to amavis?

a spamassassin rule could look like this:

# either word order of "password archive" / "archive password" (English or Italian)
body		__ARCHIVE_PASSWORD_1	/pass(word)? archiv(e|io):/i
body		__ARCHIVE_PASSWORD_2	/archiv(e|io) pass(word)?:/i
# fire the scored rule when either sub-rule matched
meta		ARCHIVE_PASSWORD	__ARCHIVE_PASSWORD_1 || __ARCHIVE_PASSWORD_2
describe	ARCHIVE_PASSWORD	provides archive password
score		ARCHIVE_PASSWORD	5

note that you might want to use replacetags and optionally fill with \s? to
work around possible whitespace characters
-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Enter any 12-digit prime number to continue.


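The following is an added worked example, not code from the mailing-list post or from amavis/SpamAssassin. It prototypes in Python the detection logic the rule above expresses: the two "archive password" phrasings with \s* in place of the literal space (the whitespace tolerance mentioned at the end of the message), the 3- or 4-digit password constraint, and the stricter variant Nikolaos described, where the password line is followed only by whitespace/newlines and then the exact sender display name. The rule name ARCHIVE_PASSWORD_SENDER and its score are hypothetical, and both sample messages are constructed.

```python
"""Prototype of the ARCHIVE_PASSWORD detection over plain-text mail bodies.

Added example; the SpamAssassin rule itself is the configuration quoted above.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Equivalents of __ARCHIVE_PASSWORD_1 / __ARCHIVE_PASSWORD_2 with \s* instead of
# a single literal space, plus a capture of the 3- or 4-digit password.
ARCHIVE_PASSWORD_PATTERNS = [
    re.compile(r"pass(?:word)?\s*archiv(?:e|io)\s*:\s*(\d{3,4})\b", re.I),
    re.compile(r"archiv(?:e|io)\s*pass(?:word)?\s*:\s*(\d{3,4})\b", re.I),
]

ARCHIVE_PASSWORD_SCORE = 5          # same score as the posted rule
ARCHIVE_PASSWORD_SENDER_SCORE = 3   # hypothetical extra rule, see lead-in


def find_archive_password(body):
    """Return the first regex match for an 'archive password' phrase, or None."""
    for pat in ARCHIVE_PASSWORD_PATTERNS:
        m = pat.search(body)
        if m:
            return m
    return None


def password_followed_by_sender(body, sender_name):
    """True when only spaces/newlines separate the password from the exact
    sender display name, the pattern described for the injected text."""
    m = find_archive_password(body)
    if not m or not sender_name:
        return False
    tail = re.compile(r"\s*" + re.escape(sender_name))
    return tail.match(body, m.end()) is not None


def plain_text_body(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", errors="replace") for p in parts if p)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", errors="replace") if payload else ""


def score_message(raw):
    """Parse a raw RFC 5322 message; return (score, list of rule names hit)."""
    msg = message_from_string(raw)
    sender_name, _ = parseaddr(msg.get("From", ""))
    body = plain_text_body(msg)
    hits, score = [], 0.0
    if find_archive_password(body):
        hits.append("ARCHIVE_PASSWORD")
        score += ARCHIVE_PASSWORD_SCORE
        if password_followed_by_sender(body, sender_name):
            hits.append("ARCHIVE_PASSWORD_SENDER")
            score += ARCHIVE_PASSWORD_SENDER_SCORE
    return score, hits


# Constructed sample modelled on the body quoted in the thread (not a real message).
SPAM_SAMPLE = """\
From: Mario Rossi <mario.rossi@example.com>
Subject: Re: documenti
Content-Type: text/plain; charset="utf-8"

Ciao, in allegato i documenti richiesti.

Password archivio: 851


Mario Rossi
mario.rossi@example.com
"""

# Constructed legitimate message that mentions both words without the phrasing.
HAM_SAMPLE = """\
From: Alice <alice@example.org>
Subject: Archive policy
Content-Type: text/plain; charset="utf-8"

We changed the password policy for the archive server: rotate every 90 days.
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        print(name, score_message(raw))
```

Running the block prints the SA-style score and rule hits for both constructed samples; the ham message scores zero because neither phrase order appears, even though "password" and "archive" both occur in it.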