Blocking cannibalized spam/virus mail with password-protected attachments
Matus UHLAR - fantomas
uhlar at fantomas.sk
Thu Jan 14 10:57:13 CET 2021
On 13.01.21 20:55, Nikolaos Milas wrote:
>How could I modify the above to also capture the text "Archiv
>Passwort: 9999"
>
>Would the following work?
>
>body __ARCHIVE_PASSWORD_1 /pass(word|wort)? archiv(e|io)?:/i
>body __ARCHIVE_PASSWORD_2 /archiv(e|io)? pass(word|wort)?:/i
>meta ARCHIVE_PASSWORD __ARCHIVE_PASSWORD_1 || __ARCHIVE_PASSWORD_2
>describe ARCHIVE_PASSWORD provides archive password
>score ARCHIVE_PASSWORD 5
>
>Sorry, I am struggling through these...
it should, although this belongs more to spamassassin users list.
"(" could be replaced by "(?:" to spare some CPU cycles.
you can also feed the mail to "spamassassin -d", it should show you if it
loaded those meta rules.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...
More information about the amavis-users
mailing list