Blocking cannibalized spam/virus mail with password-protected attachments

Matus UHLAR - fantomas uhlar at
Thu Jan 14 10:57:13 CET 2021

On 13.01.21 20:55, Nikolaos Milas wrote:
>How could I modify the above to also capture the text "Archiv 
>Passwort: 9999"
>Would the following work?
>body        __ARCHIVE_PASSWORD_1 /pass(word|wort)? archiv(e|io)?:/i
>body        __ARCHIVE_PASSWORD_2    /archiv(e|io)? pass(word|wort)?:/i
>describe    ARCHIVE_PASSWORD    provides archive password
>score        ARCHIVE_PASSWORD    5
>Sorry, I am struggling through these...

it should, although this belongs more to spamassassin users list.

"(" could be replaced by "(?:" to spare some CPU cycles.

you can also feed the mail to "spamassassin -d", it should show you if it
loaded those meta rules.

Matus UHLAR - fantomas, uhlar at ;
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...

More information about the amavis-users mailing list