bagle SpamAssassin rule [SCANNED]
Denis Beauchemin
Denis.Beauchemin at USHERBROOKE.CA
Wed Mar 3 22:30:25 GMT 2004
On Wed 03/03/2004 at 17:22, David Vosburgh wrote:
> Dave's List Addy wrote:
>
> >On 3/3/04 9:31 AM, "Dustin Baer" wrote:
> >
> >
> >
> >>For those of you who want to try to catch these with SpamAssassin, I
> >>think the following should work:
> >>
> >>body BAGLE_PASSWORD /password.*[0-9]{4,}/i
> >>describe BAGLE_PASSWORD Password.*numbers
> >>score BAGLE_PASSWORD 6.5
> >>
> >>If anyone has a better suggestion, let us know!
> >>
> >>
> >
> >Has anyone found this to work? We can't upgrade as of yet to the latest MS
> >since we did a apt-get install :( Will know better next time :)
> >
> I tried it briefly but was getting more false positives than legitimate
> hits. The problem seemed to be primarily caused by phone numbers
> (specifically, the last four digits) included in the senders signature
> coming after "password". That ".*" is pretty aggressive ;-).
Agreed.
That's why I have the following:
# "full" rules are matched against the whole raw message (headers included),
# so the ^ anchor needs the /m modifier to mean "start of a line" rather than
# "start of the message".
describe UDES_VIRUS01 Bagle virus
full UDES_VIRUS01 /^(archive\s+)?password((\s+for\s+archive)?:|\s+--)\s+\d{5}/im
score UDES_VIRUS01 100
describe UDES_VIRUS02 Bagle virus
full UDES_VIRUS02 /^Attached\s+file.*protected\s+with.* Password\s+is\s+\d{5}\./im
score UDES_VIRUS02 100
describe UDES_VIRUS03 Bagle virus
full UDES_VIRUS03 /^For\s+security\s+purposes.*password\s+protected\.\s+Password\s+is\s+\"\d{5}\"\./im
score UDES_VIRUS03 100
describe UDES_VIRUS04 Bagle virus
full UDES_VIRUS04 /^In\s+order\s+to\s+read.*following\s+password:\s+\d{5}\./im
score UDES_VIRUS04 100
describe UDES_VIRUS05 Bagle virus
full UDES_VIRUS05 /^\d{5}\s+--\s+archive\s+password/im
score UDES_VIRUS05 100
describe UDES_VIRUS06 Bagle virus
full UDES_VIRUS06 /^\.\.btw,\s+\"\d{5}\"\s+is\s+a\s+password\s+for\s+archive/im
score UDES_VIRUS06 100
I've created them from the messages I received and quarantined. So far,
my SA rules didn't register anything 8-)
Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
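The difference between the loose `password.*[0-9]{4,}` rule and the anchored UDES rules is easiest to see by replaying both against sample mail. The script below is an added example, not code from the thread or from SpamAssassin: it copies the patterns from the posts into Python's `re`, approximates how SpamAssassin feeds text to `body` rules (line breaks removed) and to `full` rules (the raw message, so `^` needs multiline mode), and runs them over two constructed messages, one written in the worm's phrasing and one ordinary helpdesk reply whose signature ends in a phone number. The message texts, addresses and phone number are invented for the demonstration.

```python
"""Replay the SpamAssassin rules from the thread against constructed messages.

Added example, not SpamAssassin code: the patterns are copied from the posts,
the mini-matcher below only approximates how SA hands text to `body` and
`full` rules, and every message is made up for the demonstration.
"""
import re

# Dustin Baer's loose rule, declared as a `body` rule in the thread.
LOOSE_RULES = [
    ("BAGLE_PASSWORD", re.compile(r"password.*[0-9]{4,}", re.I), 6.5),
]

# Denis Beauchemin's anchored `full` rules.  A `full` rule sees the raw
# message, headers included, so `^` only anchors at line starts with Perl's
# /m flag; re.MULTILINE is the Python equivalent.
_M = re.I | re.M
ANCHORED_RULES = [
    ("UDES_VIRUS01", re.compile(r"^(archive\s+)?password((\s+for\s+archive)?:|\s+--)\s+\d{5}", _M), 100),
    ("UDES_VIRUS02", re.compile(r"^Attached\s+file.*protected\s+with.* Password\s+is\s+\d{5}\.", _M), 100),
    ("UDES_VIRUS03", re.compile(r"^For\s+security\s+purposes.*password\s+protected\.\s+Password\s+is\s+\"\d{5}\"\.", _M), 100),
    ("UDES_VIRUS04", re.compile(r"^In\s+order\s+to\s+read.*following\s+password:\s+\d{5}\.", _M), 100),
    ("UDES_VIRUS05", re.compile(r"^\d{5}\s+--\s+archive\s+password", _M), 100),
    ("UDES_VIRUS06", re.compile(r"^\.\.btw,\s+\"\d{5}\"\s+is\s+a\s+password\s+for\s+archive", _M), 100),
]


def render_body(raw):
    """Approximate what a `body` rule sees: everything after the blank line that
    ends the headers, with line breaks removed (the SA docs say line breaks are
    removed before matching), so `.*` happily spans what used to be lines."""
    _, _, body = raw.partition("\n\n")
    return re.sub(r"\s*\n\s*", " ", body).strip()


def score(raw):
    """Return {rule_name: score} for every rule that fires on one raw message."""
    hits = {}
    body = render_body(raw)
    for name, rx, pts in LOOSE_RULES:
        if rx.search(body):
            hits[name] = pts
    for name, rx, pts in ANCHORED_RULES:
        if rx.search(raw):
            hits[name] = pts
    return hits


def fires_without_multiline(raw):
    """UDES_VIRUS03 compiled without /m: `^` then only matches at the very start
    of the raw message, i.e. inside the headers, so the rule never fires."""
    rx = re.compile(ANCHORED_RULES[2][1].pattern, re.I)
    return rx.search(raw) is not None


# Constructed samples (not real mail).  WORM_STYLE copies the phrasing the
# rules target; LEGIT is a helpdesk reply whose signature ends in a phone number.
WORM_STYLE = (
    "From: someone@example.invalid\n"
    "Subject: Re: Document\n"
    "\n"
    "For security purposes the attached file is password protected. "
    "Password is \"12345\".\n"
)

LEGIT = (
    "From: helpdesk@example.invalid\n"
    "Subject: Re: login trouble\n"
    "\n"
    "Hi,\n"
    "\n"
    "I reset your password this morning. If it still fails,\n"
    "call me before noon.\n"
    "\n"
    "-- \n"
    "Pat, Service Desk   T: 555.0142\n"
)

if __name__ == "__main__":
    for label, msg in (("worm-style", WORM_STYLE), ("legitimate", LEGIT)):
        print(label, score(msg))
    print("UDES_VIRUS03 without /m:", fires_without_multiline(WORM_STYLE))
```

The loose rule scores both messages: on the legitimate one, `.*` runs from "password" in the first paragraph to the four digits "0142" in the signature, which is exactly the phone-number false positive David described. The anchored rules fire only on the worm-style text, and the last function shows why the `/m` flag matters for a `full` rule: without it, `^For security purposes` can never match a message whose first bytes are a `From:` header.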