Actually, they are showing up under random dictionary names, here are just a few:<br>Cheque.zip<br>Complaint.zip<br>Data.zip<br>log.zip<br><br>-Vlad<br><br><div><span class="gmail_quote">On 7/31/07, <b class="gmail_sendername">
Matt Kettler</b> <<a href="mailto:mkettler@evi-inc.com">mkettler@evi-inc.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Leland J. Steinke wrote:<br>> Rob Freeman wrote:<br>>> I see instead of using pdf spam, they have switched to zip spam. I<br>>> have a rule to block the pdf only spam, but when I changed it to zip,<br>>> it is not working:
<br>>><br>>> # ZIP only spam<br>>> full ZIP_ONLY_SPAM<br>>> /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/zip\;.{1,40}name\=.{1,40}\.zip.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.zip/is
<br>><br>><br>> s/zip/octet-stream/<br>><br>> Also, these are RAR files. I updated my filetype.rules.conf to block<br>> 'em, after jacking up the spam score to get the sending IPs blocked as<br>> well.
<br><br>I'm blocking them in filename.rules.conf; the zipfile names are the same generic<br>ones used by the old Beagle/Bagel worms. The rules I had in place forever ago<br>appear to be covering it just fine.<br><br>
deny ^msg\.zip$ Beagle.H worm Beagle.H worm<br>deny ^moreinfo\.zip$ Beagle.H worm Beagle.H worm<br>deny ^attachedfile\.zip$ Beagle.H worm Beagle.H worm<br>deny ^TextDocument\.zip$
Beagle.H worm Beagle.H worm<br>deny ^Readme\.zip$ Beagle.H worm Beagle.H worm<br>deny ^Msginfo\.zip$ Beagle.H worm Beagle.H worm<br>deny ^Document\.zip$ Beagle.H worm Beagle.H worm<br>deny ^Info\.zip$
Beagle.H worm Beagle.H worm<br>deny ^Attacheddocument\.zip$ Beagle.H worm Beagle.H worm<br>deny ^Text\.zip$ Beagle.H worm Beagle.H worm<br>deny ^TextFile\.zip$ Beagle.H worm Beagle.H worm<br>deny ^Letter\.zip$
Beagle.H worm Beagle.H worm<br>deny ^MoreInfo\.zip$ Beagle.H worm Beagle.H worm<br>deny ^Message\.zip$ Beagle.H worm Beagle.H worm<br>deny ^Attach\.zip$ Beagle.K worm Beagle.K worm<br>deny ^Information\.zip$
Beagle.K worm Beagle.K worm<br><br><br>Also, spamassassin is tearing them up, mostly on RBLs:<br><br>X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=10.811, required 5,<br> BAYES_99 3.50, INFO_GREYLIST_DELAYED
0.40,<br> RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_SORBS_WEB 1.46,<br> RCVD_IN_XBL 3.90)<br><br>X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=12.311, required 5,<br> BAYES_99 3.50, DCC_CHECK 1.50
, INFO_GREYLIST_DELAYED 0.40,<br> RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_SORBS_WEB 1.46,<br> RCVD_IN_XBL 3.90)<br><br>(note: INFO_GREYLIST_DELAYED is a local rule, and points out the message was<br>delayed by my milter-greylist config)
<br><br><br>--<br>MailScanner mailing list<br><a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br><a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner">http://lists.mailscanner.info/mailman/listinfo/mailscanner
</a><br><br>Before posting, read <a href="http://wiki.mailscanner.info/posting">http://wiki.mailscanner.info/posting</a><br><br>Support MailScanner development - buy the book off the website!<br></blockquote></div><br><br clear="all">
<br>-- <br>-Vlad
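An added example, not from this thread and not MailScanner's own code, to show why Matt's fixed Beagle list stops short of the names Vlad reports. It evaluates filename.rules.conf-style <code>allow</code>/<code>deny</code> lines the way MailScanner is usually described as doing (tab-separated fields, first match wins, case-insensitive regex; treat those details as assumptions and check against your own installation), then runs both Matt's rules and a hypothetical broader rule over the filenames quoted above. The <code>^[A-Za-z]{3,15}\.zip$</code> rule is only a candidate I constructed for illustration; nobody in the thread proposed it, and it will also stop legitimate zips with short one-word names.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in the style of filename.rules.conf.
# Fields are tab-separated: action, regex, log text, user text (assumed layout).
# The deny lines copy a few of Matt's Beagle entries; the trailing allow mirrors
# the catch-all that the stock MailScanner file ends with.
BEAGLE_RULES_TEXT = (
    "# constructed sample rules\n"
    "deny\t^msg\\.zip$\tBeagle.H worm\tBeagle.H worm\n"
    "deny\t^moreinfo\\.zip$\tBeagle.H worm\tBeagle.H worm\n"
    "deny\t^Document\\.zip$\tBeagle.H worm\tBeagle.H worm\n"
    "deny\t^Information\\.zip$\tBeagle.K worm\tBeagle.K worm\n"
    "allow\t.*\t-\t-\n"
)

# Hypothetical broader rule (my own, not from the thread): any bare dictionary-style
# word followed by .zip. Placed before the catch-all allow so it is evaluated first.
BROAD_RULES_TEXT = (
    "deny\t^[A-Za-z]{3,15}\\.zip$\tgeneric dictionary-name zip\tShort-named zip attachment blocked\n"
    + BEAGLE_RULES_TEXT
)


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: re.Pattern  # compiled regex applied to the attachment filename
    logtext: str
    usertext: str


def parse_rules(text: str) -> list[Rule]:
    """Parse allow/deny lines; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 4:
            raise ValueError(f"malformed rule (expected 4 tab-separated fields): {raw!r}")
        action = parts[0].lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule: {raw!r}")
        # Case-insensitive match is an assumption about MailScanner's behaviour.
        rules.append(Rule(action, re.compile(parts[1], re.IGNORECASE), parts[2], parts[3]))
    return rules


def check_filename(rules: list[Rule], filename: str) -> Optional[str]:
    """First matching rule wins. Returns the log text of a matching deny rule,
    or None when the first match is an allow rule or nothing matches."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.logtext if rule.action == "deny" else None
    return None


def summarize(rules_text: str, filenames: list[str]) -> dict[str, Optional[str]]:
    """Map each filename to the deny reason (or None if it would pass)."""
    rules = parse_rules(rules_text)
    return {name: check_filename(rules, name) for name in filenames}


if __name__ == "__main__":
    # Names from Matt's list plus the ones Vlad saw slipping through.
    samples = ["Document.zip", "Cheque.zip", "Complaint.zip", "Data.zip", "log.zip",
               "quarterly_report_2007.zip"]
    for label, text in (("Beagle list only", BEAGLE_RULES_TEXT), ("with broad rule", BROAD_RULES_TEXT)):
        print(f"== {label} ==")
        for name, verdict in summarize(text, samples).items():
            print(f"  {name:28s} -> {verdict or 'allowed'}")
```

Running it shows the Beagle list denying <code>Document.zip</code> while <code>Cheque.zip</code>, <code>Complaint.zip</code>, <code>Data.zip</code> and <code>log.zip</code> pass; the broad rule catches those four but still lets a multi-word name such as <code>quarterly_report_2007.zip</code> through, which is the trade-off to weigh before deploying anything like it.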