Development info?

Hugo van der Kooij hvdkooij at
Sun Aug 24 20:47:23 IST 2008

Steve Freegard wrote:
> Hi Hugo,
> Hugo van der Kooij wrote:
>> My aim is to write a custom function to detect links to executables and
>> such and mark them with some points. Then take it one level up and
>> pick up the samples for further analysis before they are taken offline
>> again.
>> The first bit can be done with just a few lines in SA just as well. It is
>> the second part that will help me get malware samples as soon as
>> possible that can not be done in SA.
> I don't think you'd need a CustomFunction for either part of this - you
> can do it all within SA and the latest version of MailScanner.
> uri TRAP_LINK_EXEC /\.(?:exe|pif|scr)$/
> score TRAP_LINK_EXEC 0.01
> describe TRAP_LINK_EXEC URI links that end in .exe .pif or .scr
> Then use the new 'SpamAssassin Rule Actions' feature in MailScanner:
> SpamAssassin Rule Actions =
> TRAP_LINK_EXEC=>store-/var/spool/MailScanner/evidence

That will store the URL, but by the time I can look at that URL to fetch
the file the infected system might be cleaned out already. So I need to
automate this a bit further.


--
hvdkooij at     

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on and rate those images.


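The automation Hugo is after, as an added example that is not code from the thread, from MailScanner or from SpamAssassin: a small Python script that reads a message stored by the rule action (the `store-` directory is assumed to hold the raw message), extracts the URIs that end in .exe, .pif or .scr using the same extension test as the TRAP_LINK_EXEC rule, and hands them to a fetch routine so the sample can be pulled at delivery time rather than whenever someone gets round to reading the evidence directory. The sample message, the evidence directory name and the size cap are constructed for the example; `fetch_sample` talks to the network and is kept separate so the extraction part runs offline.

```python
"""Extract executable links from a stored message and fetch the samples.

Added example for the MailScanner list thread; not the project's own code.
"""
import email
import hashlib
import os
import re
import urllib.request
from email import policy
from urllib.parse import urlparse

# Same file-extension test as the SA 'uri' rule in the thread.  Unlike the
# anchored SA pattern, the query string and fragment are stripped first, so
# http://host/x.exe?id=1 is caught as well (assumption: that is wanted).
EXEC_EXT = re.compile(r"\.(?:exe|pif|scr)$", re.IGNORECASE)

# Loose URI finder for mail bodies: runs until whitespace or a delimiter
# that commonly follows a link in text or HTML attributes.
URI_RE = re.compile(r"(?:https?|ftp)://[^\s<>\"'()]+", re.IGNORECASE)

# Constructed sample message: one executable link repeated in the text and
# HTML parts, one benign PDF link, and one FTP link ending in .scr.
SAMPLE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

See http://203.0.113.5/inv/Invoice.EXE?id=42 and https://example.net/doc.pdf.
Also ftp://203.0.113.7/pub/update.scr.
--b1
Content-Type: text/html; charset=us-ascii

<p><a href="http://203.0.113.5/inv/Invoice.EXE?id=42">invoice</a></p>
--b1--
"""


def executable_links(raw_message):
    """Return the distinct executable URIs found in all text/* parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for uri in URI_RE.findall(part.get_content()):
            uri = uri.rstrip(".,;:")          # sentence punctuation after a link
            path = urlparse(uri).path         # drops ?query and #fragment
            if EXEC_EXT.search(path) and uri not in found:
                found.append(uri)
    return found


def fetch_sample(uri, evidence_dir, max_bytes=20 * 1024 * 1024, timeout=30):
    """Download one linked file into evidence_dir, named by SHA-256.

    Not run offline.  Run this from an isolated host, not the mail gateway:
    the file is stored with a .bin suffix so nothing executes it by accident,
    and the size cap stops a decoy from filling the evidence spool.
    """
    req = urllib.request.Request(uri, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        data = resp.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError("sample exceeds size cap: %s" % uri)
    digest = hashlib.sha256(data).hexdigest()
    path = os.path.join(evidence_dir, digest + ".bin")
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Offline demonstration on the constructed message; fetching is only
    # attempted when an evidence directory is given on the command line.
    import sys
    links = executable_links(SAMPLE)
    for link in links:
        print("executable link:", link)
    if len(sys.argv) > 1:
        for link in links:
            print("stored", fetch_sample(link, sys.argv[1]))
```

To wire it to the rule action, run the script from cron or inotify over new files in the store directory and call `executable_links` on each file's bytes; the URI list is what you act on immediately, and the fetch is the only part that needs network access. The query-string stripping is deliberate: a link of the form `/Invoice.EXE?id=42` would not match the anchored SA rule, so if you rely on that rule alone to trigger storage you may want the SA pattern relaxed in the same way.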
More information about the MailScanner mailing list