Rule set question, to bypass ClamAV (Richard Mealing)

Support Support at officeunlimited.nl
Mon Jun 26 19:58:04 UTC 2017


Hi Richard,

Yes, with tabs it seems to work now. Odd, because I had 'simpler' rules with spaces and they also work fine.

Any chance you can do this in ClamAV itself, to tell Clam it should block OLE2 macros for userx and not for usery, but still check usery for other virus stuff?

Grtz,
Ronald


Message: 1
Date: Tue, 13 Jun 2017 15:31:39 +0000
From: Richard Mealing <richard at fastnet.co.uk>
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: RE: Rule set question, to bypass ClamAV
Message-ID:
        <6EE47AF64C339A4F8F7F50507241B3795FAC38B8 at BTN-EXCHANGE-V1.fastnet.local>

Content-Type: text/plain; charset="us-ascii"


Your rule should work. Are you using tabs?

For example this should work -

From:           somegoodsender at domain.com    and     To:     *@mydomain.com      no

From: MailScanner [mailto:mailscanner-bounces+richard=fastnet.co.uk at lists.mailscanner.info] On Behalf Of Support
Sent: Monday, June 12, 2017 21:26
To: mailscanner at lists.mailscanner.info
Subject: Rule set question, to bypass ClamAV

Hi there,

My 1st post.

Is it possible somehow to use a sender <-> recipient combination in the scan.messages.rules or virus.scanning.rules? I tried things like 'From: safe_sender at safe_domain.com and To: trusted_recipient at example.com' but that didn't work.

I want to do this to block all macros in ClamAV for all users (or can this be user controlled??), while disabling virus scanning for users that need Office macros. Or is there another way to allow macros for some specific sender, recipient and/or the combination?

In my experience most ransomware originates from Office documents with macros. It seems ClamAV, even with all the unofficial sigs, does not detect them all. Or does someone have a 100% catch ratio?

Any ideas welcome.

Grtz,
Ronald

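To make the tab-versus-space point concrete, here is an added example (not code from MailScanner or from anyone in the thread) that lints a ruleset for the layout Richard describes and then evaluates it for a sender/recipient pair. The parser is a simplified model of the `Direction<TAB>pattern[<TAB>and<TAB>Direction<TAB>pattern]<TAB>value` layout and not MailScanner's own parser; the direction keywords it knows are limited to `From:`, `To:` and `FromOrTo:`, and the addresses are the thread's placeholders with the archive's " at " restored to "@".

```python
"""Lint and evaluate a MailScanner-style ruleset (added example).

The parser below is a simplified model of the layout
Direction<TAB>pattern[<TAB>and<TAB>Direction<TAB>pattern]<TAB>value
and is not MailScanner's own parser; it exists to show why a rule written
with spaces silently falls through to the default line.
"""
from fnmatch import fnmatchcase

# Constructed sample ruleset, not a file posted in the thread.  Addresses are
# the thread's placeholders with the list archive's " at " restored to "@".
# Line 2 is the two-condition rule from the reply, written with tabs; line 3
# is the same shape written with spaces, as the original poster tried.
SAMPLE_RULES = """\
# virus.scanning.rules (constructed example)
From:\tsomegoodsender@domain.com\tand\tTo:\t*@mydomain.com\tno
From: safe_sender@safe_domain.com and To: trusted_recipient@example.com no
FromOrTo:\tdefault\tyes
"""

# Direction keywords this model understands (MailScanner has more).
DIRECTIONS = {"From:", "To:", "FromOrTo:"}


def _rule_lines(text):
    """Yield (line_number, line) for lines that are not blank or comments."""
    for n, line in enumerate(text.splitlines(), start=1):
        if line.strip() and not line.lstrip().startswith("#"):
            yield n, line


def lint_rules(text):
    """Return [(line_number, problem), ...]; an empty list means every rule
    splits into 3 or 6 tab-separated fields with known direction keywords."""
    problems = []
    for n, line in _rule_lines(text):
        fields = line.split("\t")
        if len(fields) not in (3, 6):
            if " " in line.strip():
                problems.append((n, "fields separated by spaces, use tabs"))
            else:
                problems.append((n, f"expected 3 or 6 fields, got {len(fields)}"))
            continue
        bad_keyword = fields[0] not in DIRECTIONS or (
            len(fields) == 6 and (fields[2] != "and" or fields[3] not in DIRECTIONS))
        if bad_keyword:
            problems.append((n, "unknown direction keyword or conjunction"))
    return problems


def _matches(direction, pattern, sender, recipient):
    """Simplified match: 'default' matches anything, '*' is a wildcard,
    addresses compare case-insensitively."""
    if pattern == "default":
        return True
    pat = pattern.lower()
    candidates = {"From:": [sender], "To:": [recipient]}.get(direction, [sender, recipient])
    return any(fnmatchcase(addr.lower(), pat) for addr in candidates)


def evaluate(text, sender, recipient):
    """Apply the ruleset to one message: the first matching rule wins and its
    value is returned; None if nothing matched.  Malformed lines are skipped,
    which is exactly how a space-separated rule ends up ignored."""
    for _, line in _rule_lines(text):
        fields = line.split("\t")
        if len(fields) == 3 and fields[0] in DIRECTIONS:
            if _matches(fields[0], fields[1], sender, recipient):
                return fields[2].strip()
        elif len(fields) == 6 and fields[2] == "and":
            if (_matches(fields[0], fields[1], sender, recipient)
                    and _matches(fields[3], fields[4], sender, recipient)):
                return fields[5].strip()
    return None


if __name__ == "__main__":
    for lineno, problem in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {problem}")
    print(evaluate(SAMPLE_RULES, "somegoodsender@domain.com", "user@mydomain.com"))
    # The space-separated rule never matches, so this pair gets the default:
    print(evaluate(SAMPLE_RULES, "safe_sender@safe_domain.com", "trusted_recipient@example.com"))
```

Run against the sample, the linter flags only line 3, and `evaluate` returns `no` for the tab-separated pair but `yes` for the space-separated one, because that line never parses and the message falls through to the `FromOrTo: default yes` catch-all. Note what a `no` line buys: virus scanning is skipped entirely for that pair, and since the envelope sender is chosen by the remote side, the exemption is only as trustworthy as that sender domain, which is why the catch-all stays `yes`.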

------------------------------

Message: 2
Date: Tue, 13 Jun 2017 09:09:33 -0700
From: Gao <gao at pztop.com>
To: mailscanner at lists.mailscanner.info
Subject: Re: Trouble with mails from Blackberry
Message-ID: <5f3100c5-7a7d-3c5f-0753-f5f8f060ca0e at pztop.com>
Content-Type: text/plain; charset=utf-8; format=flowed



On 2017-06-12 05:26 PM, Mark Sapiro wrote:
> On 06/12/2017 09:00 AM, Gao wrote:
>>
>> On 2017-06-08 01:02 PM, Mark Sapiro wrote:
>>> The reason I ask about version is this score comes from
>>>
>>> Mail::SpamAssassin::Plugin::HeaderEval::check_ratware_envelope_from()
>>>
>>> Which in SA 3.4.1 at least has
>>>
>>> return 0 if $from =~ /^SRS\d=/;
>>>
>>> per
>>> <https://fossies.org/dox/Mail-SpamAssassin-3.4.1/classMail_1_1SpamAssassin_1_1Plugin_1_1HeaderEval.html#ab8531c37621db88b28eb3c7dc5c97d58>
>>>
>>> which seems to be designed to exempt envelope senders beginning with
>>> SRS, a digit and = as this message does.
>>>
>>> If the issue is an older SA and you can't upgrade, you can always set
>>> the score for RATWARE_EFROM to zero.
>>>
>> Thank you for the help.
>> I am using SpamAssassin Version:3.4.0. I am not sure where to check for
>> the code you mentioned. I'll make a rule to adjust the RATWARE_EFROM score.
>
> The code is in the file Mail/SpamAssassin/Plugin/HeaderEval.pm in your
> perl installation.
>
Interesting...

I checked the HeaderEval.pm file and it does have the code you mentioned.

And I verified it with "spamassassin --lint -D" and I see the plugin is
loaded:
Jun 13 09:01:05.782 [5433] dbg: plugin: loading
Mail::SpamAssassin::Plugin::HTMLEval from @INC

Then how come it still gives a score of 3.0?

Gao




------------------------------

Message: 3
Date: Tue, 13 Jun 2017 09:13:58 -0700
From: Gao <gao at pztop.com>
To: mailscanner at lists.mailscanner.info
Subject: Re: Trouble with mails from Blackberry
Message-ID: <f20ade68-1d77-bd11-2bba-b40754ea6cbc at pztop.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"



On 2017-06-13 09:09 AM, Gao wrote:
>
>
> On 2017-06-12 05:26 PM, Mark Sapiro wrote:
>> On 06/12/2017 09:00 AM, Gao wrote:
>>>
>>> On 2017-06-08 01:02 PM, Mark Sapiro wrote:
>>>> The reason I ask about version is this score comes from
>>>>
>>>> Mail::SpamAssassin::Plugin::HeaderEval::check_ratware_envelope_from()
>>>>
>>>> Which in SA 3.4.1 at least has
>>>>
>>>> return 0 if $from =~ /^SRS\d=/;
>>>>
>>>> per
>>>> <https://fossies.org/dox/Mail-SpamAssassin-3.4.1/classMail_1_1SpamAssassin_1_1Plugin_1_1HeaderEval.html#ab8531c37621db88b28eb3c7dc5c97d58>
>>>>
>>>>
>>>> which seems to be designed to exempt envelope senders beginning with
>>>> SRS, a digit and = as this message does.
>>>>
>>>> If the issue is an older SA and you can't upgrade, you can always set
>>>> the score for RATWARE_EFROM to zero.
>>>>
>>> Thank you for the help.
>>> I am using SpamAssassin Version:3.4.0. I am not sure where to check for
>>> the code you mentioned. I'll make a rule to adjust the RATWARE_EFROM
>>> score.
>>
>> The code is in the file Mail/SpamAssassin/Plugin/HeaderEval.pm in your
>> perl installation.
>>
> Interesting...
>
> I checked the HeaderEval.pm file and it does have the code you mentioned.
>
> And I verified it with "spamassassin --lint -D" and I see the plugin
> is loaded:
> Jun 13 09:01:05.782 [5433] dbg: plugin: loading
> Mail::SpamAssassin::Plugin::HTMLEval from @INC
>
> Then how come it still gives a score of 3.0?
>
> Gao
>
>
>
>
Copied the wrong line. It should be:
Jun 13 09:07:41.630 [5975] dbg: plugin: loading
Mail::SpamAssassin::Plugin::HeaderEval from @INC

BTW, why is piping to grep not working? I did
spamassassin --lint -D | grep HeaderEval
and it shows all the lines from the lint test.


------------------------------

Message: 4
Date: Tue, 13 Jun 2017 09:44:27 -0700
From: Mark Sapiro <mark at msapiro.net>
To: mailscanner at lists.mailscanner.info
Subject: Re: Trouble with mails from Blackberry
Message-ID: <495322f8-bd11-c75e-f4ed-dbe3a28fbedd at msapiro.net>
Content-Type: text/plain; charset=utf-8

On 06/13/2017 09:13 AM, Gao wrote:
>
> BTW, why is piping to grep not working? I did
>  spamassassin --lint -D | grep HeaderEval
> and it shows all the lines from the lint test.


Because spamassassin --lint writes to stderr. You need to do

spamassassin --lint -D 2>&1 | grep HeaderEval

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


------------------------------

Message: 5
Date: Tue, 13 Jun 2017 09:51:31 -0700
From: Mark Sapiro <mark at msapiro.net>
To: mailscanner at lists.mailscanner.info
Subject: Re: Trouble with mails from Blackberry
Message-ID: <010e59f0-ece1-f407-e9e2-0d093d495015 at msapiro.net>
Content-Type: text/plain; charset=utf-8

On 06/13/2017 09:09 AM, Gao wrote:
>
> I checked the HeaderEval.pm file and it does have the code you mentioned.
>
> And I verified it with "spamassassin --lint -D" and I see the plugin is
> loaded:
>
> Then how come it still gives a score of 3.0?


If in fact your HeaderEval.pm file contains

 return 0 if $from =~ /^SRS\d=/;

in the check_ratware_envelope_from subroutine and your Blackberry
messages have envelope from similar to the

"SRS0=HaG/vD=5N=mydomain.com=gjv at srs.bis6.us.blackberry.com"

value in your OP, I can't explain why the rule hits.

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
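As an added illustration (not SpamAssassin's code and not posted by anyone in the thread), the one Perl line Mark quotes, re-expressed in Python and applied to the envelope sender from the original report, together with a parser that splits that SRS0 address into its fields. The rest of `check_ratware_envelope_from()` is not modelled. It also shows the one property of the quoted regex that is worth checking when the rule still fires: `/^SRS\d=/` carries no `/i` flag, so an envelope sender whose `SRS0=` prefix has been lowercased somewhere along the path is not exempted. The address is the OP's value with the archive's " at " restored to "@".

```python
"""The RATWARE_EFROM SRS exemption and the SRS0 address layout (added example).

Re-expressed in Python from the one Perl line quoted in the thread; not
SpamAssassin's code.  The ratware heuristic that follows the exemption in
check_ratware_envelope_from() is not modelled here.
"""
import re

# Perl: return 0 if $from =~ /^SRS\d=/;
# There is no /i flag, so the match is case-sensitive; Python's re without
# flags behaves the same way.
SRS_EXEMPT = re.compile(r"^SRS\d=")

# SRS0 rewritten sender layout:
#   SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarder>
SRS0 = re.compile(r"^SRS0=([^=]+)=([^=]+)=([^=]+)=([^@]+)@(.+)$")

# Envelope sender from the original report, archive's " at " restored to "@".
BLACKBERRY_EFROM = "SRS0=HaG/vD=5N=mydomain.com=gjv@srs.bis6.us.blackberry.com"


def srs_exempt(envelope_from):
    """True when the quoted exemption would return 0 before any ratware check."""
    return SRS_EXEMPT.match(envelope_from) is not None


def parse_srs0(envelope_from):
    """Split an SRS0 address into its fields, or return None if it is not SRS0."""
    m = SRS0.match(envelope_from)
    if m is None:
        return None
    return {
        "hash": m.group(1),
        "timestamp": m.group(2),
        "domain": m.group(3),
        "local": m.group(4),
        "forwarder": m.group(5),
    }


def diagnose(envelope_from):
    """Say what the exemption sees for one envelope sender; handy when the rule
    fires on mail that looks SRS-rewritten."""
    if srs_exempt(envelope_from):
        return "exempt: matches ^SRS\\d="
    if SRS_EXEMPT.match(envelope_from.upper()):
        return "not exempt: SRS prefix is not upper-case and the regex is case-sensitive"
    return "not exempt: no SRS prefix"


if __name__ == "__main__":
    print(diagnose(BLACKBERRY_EFROM))
    print(parse_srs0(BLACKBERRY_EFROM))
    # Same address with a lowercased local part, to show the case-sensitivity:
    print(diagnose(BLACKBERRY_EFROM.lower()))
```

For the OP's address the exemption matches and the parser recovers `mydomain.com` and `gjv` as the original domain and local part behind the `srs.bis6.us.blackberry.com` forwarder. The lowercased variant is the thing to look for in the debug output when the regex is present in HeaderEval.pm and the rule still scores: compare the `EnvelopeFrom` SpamAssassin actually sees with the value in the mail log, character for character.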


------------------------------

Subject: Digest Footer



--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner


------------------------------

End of MailScanner Digest, Vol 138, Issue 12
********************************************



