Development info?
Steve Freegard
steve.freegard at fsl.com
Sun Aug 24 18:03:46 IST 2008
Hi Hugo,
Hugo van der Kooij wrote:
> My aim is to write a custom function to detect links to executables and
> such and mark them with some points. Then take it one level up and
> pick up the samples for further analysis before they are taken offline again.
>
> The first bit can be done with just a few lines in SA just as well. It is
> the second part that will help me get malware samples as soon as
> possible that cannot be done in SA.
I don't think you'd need a CustomFunction for either part of this - you
can do it all within SA and the latest version of MailScanner.
uri TRAP_LINK_EXEC /\.(?:exe|pif|scr)$/
score TRAP_LINK_EXEC 0.01
describe TRAP_LINK_EXEC URI links that end in .exe .pif or .scr
Then use the new 'SpamAssassin Rule Actions' feature in MailScanner:
SpamAssassin Rule Actions =
TRAP_LINK_EXEC=>store-/var/spool/MailScanner/evidence
Cheers,
Steve.
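The following is an added illustration of the detection-then-store flow Steve describes; it is not part of his reply and not MailScanner or SpamAssassin code. It applies the TRAP_LINK_EXEC pattern (with the group written as `(?:...)`, and made case-insensitive so `.EXE` is also caught) to the URIs in a constructed message, then copies the whole message into an evidence directory the way MailScanner's `store-<dir>` action would. It goes one step beyond the rule as posted: the `$` anchor in the SA rule will not match a link such as `http://host/a.exe?id=1`, so this example tests the path component after stripping any query string or fragment. The crude URI extractor, the `store_evidence` naming scheme and the sample messages are all assumptions made for the example.

```python
import hashlib
import os
import re
import tempfile
from email import message_from_string
from email.policy import default

# The SA rule from the post, corrected to a non-capturing group and made
# case-insensitive (assumption: an .EXE link is just as interesting as .exe).
TRAP_LINK_EXEC = re.compile(r'\.(?:exe|pif|scr)$', re.IGNORECASE)

# Deliberately simple URI extractor for the demo; SpamAssassin's own
# uri-rule machinery is far more thorough (HTML hrefs, obfuscation, etc.).
URI_RE = re.compile(r'\b(?:https?|ftp)://[^\s<>"\']+', re.IGNORECASE)

# Constructed sample messages (not real traffic).
SAMPLE_HIT = (
    "From: sender@example.test\nTo: victim@example.test\n"
    "Subject: invoice\nContent-Type: text/plain\n\n"
    "Please download http://example.test/docs/invoice.EXE today\n"
)
SAMPLE_MISS = (
    "From: sender@example.test\nTo: victim@example.test\n"
    "Subject: notes\nContent-Type: text/plain\n\n"
    "Notes are at http://example.test/readme.txt and http://example.test/exe/\n"
)


def extract_uris(body):
    return URI_RE.findall(body)


def trap_link_exec_hits(uris):
    """Return the URIs whose path component ends in .exe/.pif/.scr.

    Query strings and fragments are dropped first, which is why a link like
    http://host/a.exe?id=1 is caught here even though the SA rule's '$'
    would not match it.
    """
    hits = []
    for uri in uris:
        path = uri.split('?', 1)[0].split('#', 1)[0].rstrip('.,;)')
        if TRAP_LINK_EXEC.search(path):
            hits.append(uri)
    return hits


def store_evidence(raw_message, evidence_dir):
    """Mimic a 'store-<dir>' rule action: keep a full copy of the message."""
    os.makedirs(evidence_dir, exist_ok=True)
    name = hashlib.sha256(raw_message.encode()).hexdigest()[:16] + '.eml'
    path = os.path.join(evidence_dir, name)
    with open(path, 'w') as fh:
        fh.write(raw_message)
    return path


def process(raw_message, evidence_dir):
    """Return (matching URIs, stored path or None) for one message."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=('plain', 'html')).get_content()
    hits = trap_link_exec_hits(extract_uris(body))
    stored = store_evidence(raw_message, evidence_dir) if hits else None
    return hits, stored


def run_demo():
    """Run both samples through the pipeline using a throwaway evidence dir."""
    evidence_dir = tempfile.mkdtemp(prefix='evidence-')
    return process(SAMPLE_HIT, evidence_dir), process(SAMPLE_MISS, evidence_dir)


if __name__ == '__main__':
    for hits, stored in run_demo():
        print('hits:', hits, 'stored:', stored)
```

In production the real MailScanner store action keeps the message exactly as received (headers included), which is what makes the evidence useful for analysis; the score of 0.01 in the rule keeps the trap from influencing the spam verdict while still firing the action.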