Development info?

Steve Freegard steve.freegard at
Sun Aug 24 18:03:46 IST 2008

Hi Hugo,

Hugo van der Kooij wrote:
> My aim is to write a custom function to detect links to executables and
> such and mark them with some points. Then take it one level up and
> pick up the samples for further analyses before they are taken offline again.
> The first bit can be done with just a few lines in SA just as well. It is
> the second part that will help me get malware samples as soon as
> possible that can not be done in SA.

I don't think you'd need a CustomFunction for either part of this - you 
can do it all within SA and the latest version of MailScanner.

uri TRAP_LINK_EXEC /\.(?:exe|pif|scr)$/
score TRAP_LINK_EXEC 0.01
describe TRAP_LINK_EXEC URI links that end in .exe .pif or .scr

Then use the new 'SpamAssassin Rule Actions' feature in MailScanner:

SpamAssassin Rule Actions = 
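
An added example, not part of the original message: it runs the TRAP_LINK_EXEC pattern over constructed URIs to show which links the rule would flag, next to a hypothetical stricter check on the URL path only. Python's re stands in for the Perl regex engine here, and SpamAssassin's own URI extraction and normalisation are not modelled; the function names and sample URIs are assumptions.

```python
import re
from urllib.parse import urlsplit

# Pattern from the TRAP_LINK_EXEC rule, applied to the whole URI string.
# No /i flag in the rule, so the match is case-sensitive.
RULE = re.compile(r"\.(?:exe|pif|scr)$")

# Extensions for the hypothetical path-only comparison check.
EXTS = (".exe", ".pif", ".scr")


def rule_hits(uri: str) -> bool:
    """True if the rule's pattern matches the URI as one string."""
    return RULE.search(uri) is not None


def path_hits(uri: str) -> bool:
    """True if the URL path (query and fragment ignored) ends in one of
    the extensions, compared case-insensitively."""
    return urlsplit(uri).path.lower().endswith(EXTS)


# Constructed sample URIs; example.com is a reserved documentation domain.
SAMPLES = [
    "http://example.com/files/setup.exe",
    "http://example.com/card.scr",
    "http://example.com/files/SETUP.EXE",
    "http://example.com/get.exe?id=42",
    "http://example.com/download.php?file=setup.exe",
    "http://example.com/exe/readme.html",
]


def compare(uris):
    """Return (uri, rule_hits, path_hits) for each URI."""
    return [(u, rule_hits(u), path_hits(u)) for u in uris]


if __name__ == "__main__":
    for uri, by_rule, by_path in compare(SAMPLES):
        print(f"{'rule' if by_rule else '----'} "
              f"{'path' if by_path else '----'}  {uri}")
```

The two checks disagree on the upper-case link and on the two links with a query string, which is the coverage to review before relying on the rule to collect samples.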

