Blocking cannibalized spam/virus mail with password-protected attachments

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Dec 22 12:33:26 CET 2020


>On 22/12/2020 11:18 a.m., Matus UHLAR - fantomas wrote:
>
>>spamassassin rule could look like this:
>>
>>body        __ARCHIVE_PASSWORD_1    /pass(word)? archiv(e|io):/i
>>body        __ARCHIVE_PASSWORD_2    /archiv(e|io) pass(word)?:/i
>>meta        ARCHIVE_PASSWORD    __ARCHIVE_PASSWORD_1 || __ARCHIVE_PASSWORD_2
>>describe    ARCHIVE_PASSWORD    provides archive password
>>score        ARCHIVE_PASSWORD    5
>>
>>note that you might want to use replacetags and optionally fill with \s? to
>>work around possible whitespace characters

On 22.12.20 12:19, Nikolaos Milas wrote:
>The above set of 5 lines needs to be added in amavisd.conf anywhere as 
>such, or it must be included in some particular block or otherwise?

they are spamassassin rules, so they should be added in spamassassin's
local.cf (maybe amavis users' user_prefs but I prefer local.cf).

>I understand that you have not included the actual (3 or 4 digit) 
>password in the rules. Shouldn't it be added somehow, to reduce risk 
>of false positives?

do those passwords repeat all the time?

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol.
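
An added example, not part of the original message and not SpamAssassin code: a small Python harness that evaluates the quoted rules against constructed sample bodies, next to an assumed whitespace-tolerant variant (literal spaces replaced by `\s*`) that illustrates the whitespace note above. Python's `re` stands in for Perl's regex engine, and `TOLERANT`, `parse` and `evaluate` are hypothetical names.

```python
import re

# Rules as quoted in the message (wrapped meta line joined back together).
RULES = r"""
body      __ARCHIVE_PASSWORD_1  /pass(word)? archiv(e|io):/i
body      __ARCHIVE_PASSWORD_2  /archiv(e|io) pass(word)?:/i
meta      ARCHIVE_PASSWORD      __ARCHIVE_PASSWORD_1 || __ARCHIVE_PASSWORD_2
describe  ARCHIVE_PASSWORD      provides archive password
score     ARCHIVE_PASSWORD      5
"""

# Assumed variant (not from the message): \s* wherever whitespace may vary.
TOLERANT = r"""
body      __ARCHIVE_PASSWORD_1  /pass(word)?\s*archiv(e|io)\s*:/i
body      __ARCHIVE_PASSWORD_2  /archiv(e|io)\s*pass(word)?\s*:/i
meta      ARCHIVE_PASSWORD      __ARCHIVE_PASSWORD_1 || __ARCHIVE_PASSWORD_2
score     ARCHIVE_PASSWORD      5
"""

def parse(text):
    """Parse body/meta/score lines into three dicts; other lines are ignored."""
    body, meta, score = {}, {}, {}
    for line in text.strip().splitlines():
        kind, name, rest = line.split(None, 2)
        if kind == "body":
            pattern, flags = re.fullmatch(r"/(.*)/(\w*)", rest.strip()).groups()
            body[name] = re.compile(pattern, re.I if "i" in flags else 0)
        elif kind == "meta":
            # Only the "a || b" form used in the message is handled here.
            meta[name] = [alt.strip() for alt in rest.split("||")]
        elif kind == "score":
            score[name] = float(rest)
    return body, meta, score

def evaluate(text, message):
    """Return the total of explicitly scored rules that hit one message body."""
    body, meta, score = parse(text)
    hits = {name for name, rx in body.items() if rx.search(message)}
    hits |= {name for name, alts in meta.items() if hits & set(alts)}
    return sum(score.get(name, 0.0) for name in hits)

# Constructed sample bodies (not taken from real mail).
SAMPLES = [
    "Please see the attached invoice. Archive password: 1234",
    "Password archivio: 321",
    "Archive  password : 1234",           # extra whitespace
    "I forgot my password, can you reset it?",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{evaluate(RULES, s):4.1f} {evaluate(TOLERANT, s):4.1f}  {s}")
```
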

