zip only spam
Matt Kettler
mkettler at evi-inc.com
Tue Jul 31 18:17:19 IST 2007
Leland J. Steinke wrote:
> Rob Freeman wrote:
>> I see instead of using pdf spam, they have switched to zip spam. I
>> have a rule to block the pdf only spam, but when I changed it to zip,
>> it is not working:
>>
>> # ZIP only spam
>> full ZIP_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/zip\;.{1,40}name\=.{1,40}\.zip.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.zip/is
>
>
> s/zip/octet-stream/
>
> Also, these are RAR files. I updated my filetype.rules.conf to block
> 'em, after jacking up the spam score to get the sending IPs blocked as
> well.
I'm blocking them in filename.rules.conf; the zipfile names are the same generic
ones used by the old Beagle/Bagel worms. The rules I had in place forever ago
appear to be covering it just fine.
deny ^msg\.zip$ Beagle.H worm Beagle.H worm
deny ^moreinfo\.zip$ Beagle.H worm Beagle.H worm
deny ^attachedfile\.zip$ Beagle.H worm Beagle.H worm
deny ^TextDocument\.zip$ Beagle.H worm Beagle.H worm
deny ^Readme\.zip$ Beagle.H worm Beagle.H worm
deny ^Msginfo\.zip$ Beagle.H worm Beagle.H worm
deny ^Document\.zip$ Beagle.H worm Beagle.H worm
deny ^Info\.zip$ Beagle.H worm Beagle.H worm
deny ^Attacheddocument\.zip$ Beagle.H worm Beagle.H worm
deny ^Text\.zip$ Beagle.H worm Beagle.H worm
deny ^TextFile\.zip$ Beagle.H worm Beagle.H worm
deny ^Letter\.zip$ Beagle.H worm Beagle.H worm
deny ^MoreInfo\.zip$ Beagle.H worm Beagle.H worm
deny ^Message\.zip$ Beagle.H worm Beagle.H worm
deny ^Attach\.zip$ Beagle.K worm Beagle.K worm
deny ^Information\.zip$ Beagle.K worm Beagle.K worm
Also, spamassassin is tearing them up, mostly on RBLs:
X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=10.811, required 5,
BAYES_99 3.50, INFO_GREYLIST_DELAYED 0.40,
RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_SORBS_WEB 1.46,
RCVD_IN_XBL 3.90)
X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=12.311, required 5,
BAYES_99 3.50, DCC_CHECK 1.50, INFO_GREYLIST_DELAYED 0.40,
RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_SORBS_WEB 1.46,
RCVD_IN_XBL 3.90)
(note: INFO_GREYLIST_DELAYED is a local rule, and points out the message was
delayed by my milter-greylist config)