Blocking cannibalized spam/virus mail with password-protected attachments

Nikolaos Milas nmilas at noa.gr
Tue Dec 22 11:19:37 CET 2020


On 22/12/2020 11:18 a.m., Matus UHLAR - fantomas wrote:

> spamassassin rule could look like this:
>
> body        __ARCHIVE_PASSWORD_1    /pass(word)? archiv(e|io):/i
> body        __ARCHIVE_PASSWORD_2    /archiv(e|io) pass(word)?:/i
> meta        ARCHIVE_PASSWORD    __ARCHIVE_PASSWORD_1 || __ARCHIVE_PASSWORD_2
> describe    ARCHIVE_PASSWORD    provides archive password
> score        ARCHIVE_PASSWORD    5
>
> note that you might want to use replacetags and optionally fill with \s?
> to work around possible whitespace characters

Thank you Matus,

The above set of 5 lines needs to be added in amavisd.conf anywhere as 
such, or it must be included in some particular block or otherwise?

I understand that you have not included the actual (3 or 4 digit) 
password in the rules. Shouldn't it be added somehow, to reduce risk of 
false positives?

Please clarify!

I would like to try that!

Thank you very much for your guidance!
Nick
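
An added example, not part of the original message or of SpamAssassin: a small Python harness that runs the two quoted body patterns over constructed sample lines, next to a whitespace-tolerant variant built with the `\s?` fill and a variant that also requires a 3 or 4 digit password after the colon. It assumes Python's `re` in place of SpamAssassin's Perl regex engine and does not emulate SpamAssassin's body rendering; the names `spaced`, `TOLERANT`, `WITH_DIGITS` and `classify` are hypothetical.

```python
import re

# The two body sub-rules, transcribed unchanged from the quoted message.
RULE_1 = re.compile(r"pass(word)? archiv(e|io):", re.I)
RULE_2 = re.compile(r"archiv(e|io) pass(word)?:", re.I)

def spaced(word):
    # Optional single whitespace between letters: the "\s?" fill from the quote.
    return r"\s?".join(word)

# Whitespace-tolerant form of the same two word orders (constructed here).
PASS = spaced("pass") + r"(?:\s?" + spaced("word") + r")?"
ARCH = spaced("archiv") + r"\s?(?:e|" + spaced("io") + r")"
TOLERANT_SRC = rf"(?:{PASS}\s+{ARCH}|{ARCH}\s+{PASS})\s?:"
TOLERANT = re.compile(TOLERANT_SRC, re.I)

# Hypothetical tightening: the phrase must be followed by a 3 or 4 digit
# password, the form described in the reply. Not part of the quoted rules.
WITH_DIGITS = re.compile(TOLERANT_SRC + r"\s*\d{3,4}\b", re.I)

def classify(text):
    """Return (original meta rule, whitespace-tolerant, tolerant + digits)."""
    original = bool(RULE_1.search(text) or RULE_2.search(text))
    return original, bool(TOLERANT.search(text)), bool(WITH_DIGITS.search(text))

# Constructed sample lines, not taken from real mail.
SAMPLES = [
    "Archive password: 4417",
    "Password archive: 902",
    "Pass archivio: 1234",
    "Arch ive pass word : 771",                         # spaced-out phrase
    "Please send me the archive password: I lost it.",  # benign, no digits
    "The password for the archive is attached.",        # no trigger phrase
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), line)
```

The fifth sample is the false-positive case the digit requirement is meant to remove, and the fourth is the spacing the unmodified patterns miss.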


