Accepting Only Allowed Attachments

If you need to check combinations of allowed extensions (PDF | TIFF | TXT), you can try the following rule:

Code:
mimeheader    __ANY_ATTACHMENT    Content-Type =~ /name=/i
mimeheader    __ALLOW_ATTACHMENT  Content-Type =~ /name\*?=["']?.*?\.(?:pdf|tiff?|txt)["']?(?:;|$)/i
meta          SUSPICIOUS_MIME_TYPE  __ANY_ATTACHMENT > __ALLOW_ATTACHMENT
describe      SUSPICIOUS_MIME_TYPE  Contains attachments other than PDF, TIFF, or TXT
score         SUSPICIOUS_MIME_TYPE  7.0
tflags        SUSPICIOUS_MIME_TYPE  noautolearn

Attachments:
PDF + TXT - allowed
PDF + TIFF + DOC - quarantine
Etc.
 
Sorry to inform you that the rule in post 10 does not work.
Why? Because if you send mail with pdf+docx (should be blocked), it is PASS.
Why? Because if one does not match, the trigger will not activate.
This weekend I will work on my script; I must provide this ability to my client.
 
Unfortunately, the rule from post #10 only works with one attachment ((
Fixed the SpamAssassin rule. It checks all attachments for allowed file types.
Only tested it on Gmail.

Code:
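# Hit when any MIME part names a file with a dot that is not followed by pdf, tif(f) or txt.
# The extension must be followed by a quote, ';' or end of header, so ".pdfx" is not treated as ".pdf".
mimeheader    __SAFE_CONTENT_TYPE    Content-Type =~ /name\*?=["']?.*?\.(?!(?:pdf|tiff?|txt)(?:["']|$|;))/i
mimeheader    __SAFE_DISPOSITION     Content-Disposition =~ /filename\*?=["']?.*?\.(?!(?:pdf|tiff?|txt)(?:["']|$|;))/i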
meta          SUSPICIOUS_ATTACHMENT  __SAFE_CONTENT_TYPE || __SAFE_DISPOSITION
describe      SUSPICIOUS_ATTACHMENT  Detected attachment with forbidden extension
score         SUSPICIOUS_ATTACHMENT   10.0
tflags        SUSPICIOUS_ATTACHMENT   noautolearn

PDF + TXT - allowed
PDF + TIFF - allowed
TIFF + TXT - allowed
PDF + DOC - blocked (+10)
TXT + ZIP - blocked (+10)
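
The two rule sets from this thread, modelled as an added Python example (not code from the thread or from SpamAssassin). It assumes a mimeheader rule hits when any MIME part's header matches, uses constructed part headers, and its lookahead requires a quote, `;` or end of header after the extension.

```python
import re

# Patterns taken from the thread's rules (Perl /i flag -> re.I).
ANY_ATTACHMENT = re.compile(r'name=', re.I)
ALLOW_ATTACHMENT = re.compile(
    r'''name\*?=["']?.*?\.(?:pdf|tiff?|txt)["']?(?:;|$)''', re.I)
# Second rule's idea: a dot NOT followed by an allowed extension. The lookahead
# here requires a quote, ';' or end of header after the extension.
FORBIDDEN = r'''=["']?.*?\.(?!(?:pdf|tiff?|txt)(?:["']|$|;))'''
BAD_CONTENT_TYPE = re.compile(r'name\*?' + FORBIDDEN, re.I)
BAD_DISPOSITION = re.compile(r'filename\*?' + FORBIDDEN, re.I)


def mimeheader(parts, header, pattern):
    """Assumed model of a mimeheader rule: 1 if ANY part's header matches."""
    return int(any(pattern.search(p.get(header, "")) for p in parts))


def first_rule(parts):
    """meta SUSPICIOUS_MIME_TYPE  __ANY_ATTACHMENT > __ALLOW_ATTACHMENT"""
    return (mimeheader(parts, "Content-Type", ANY_ATTACHMENT)
            > mimeheader(parts, "Content-Type", ALLOW_ATTACHMENT))


def second_rule(parts):
    """meta SUSPICIOUS_ATTACHMENT  __SAFE_CONTENT_TYPE || __SAFE_DISPOSITION"""
    return bool(mimeheader(parts, "Content-Type", BAD_CONTENT_TYPE)
                or mimeheader(parts, "Content-Disposition", BAD_DISPOSITION))


def part(ctype, filename):
    """Constructed MIME part headers for one attachment (sample data)."""
    return {"Content-Type": f'{ctype}; name="{filename}"',
            "Content-Disposition": f'attachment; filename="{filename}"'}


PDF = part("application/pdf", "invoice.pdf")
TXT = part("text/plain", "notes.txt")
DOCX = part("application/octet-stream", "report.docx")

if __name__ == "__main__":
    # One allowed part makes __ALLOW_ATTACHMENT hit, so 1 > 1 is false
    # and the first rule misses PDF+DOCX; the second rule flags it.
    for label, msg in [("PDF+TXT", [PDF, TXT]), ("DOCX", [DOCX]),
                       ("PDF+DOCX", [PDF, DOCX])]:
        print(f"{label:9} first={first_rule(msg)} second={second_rule(msg)}")
```

A name with an extra dot, such as `report.v1.pdf`, is also flagged by the second rule, because any dot that is not followed by an allowed extension matches.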
 
I will try it now, but a big question: will that script check inside a zip file?
 
No, the rule doesn't check archives. Only attachment extensions.
To check archive contents, you'll need to create a rule (GUI).
Use What objects -> Match Archive Filename