Re: [exim] Exim4 skips SpamAssassin if attachments are too b…

Author: Paul Lenz
Date:  
To: exim-users
Subject: Re: [exim] Exim4 skips SpamAssassin if attachments are too big
Sorry, this is the wrong place in the thread structure, but I did not
receive Lena's message in my mailbox.


Hello Lena,

sorry for the delay, I was busy with other things. Now I want to come
back to you.

The mentioned text "Loteria" was clearly visible in the body, because it
was attached as
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit

Anyway I will try your code because you seem to be a real Exim4 wizard.

But I have two questions:

1. Why do you want to reject spam? Isn't it a waste of traffic and may
cause useless bounces?

2. I would prefer to use my director which simply moves spam detected by
SpamAssassin into a waste bin:

spamkill_director:
driver = accept
check_local_user
condition = "${if def:h_X-Spam-Flag: {1}{0}}"
transport = spamkill
no_verify

How can I set this flag instead of denying a message if "loteria" was
detected?



And by the way, I had a look at your file "Lena-eximconf-run.txt".
I wonder how this set of rules can detect viruses.
I wrote a plugin for SpamAssassin which unzips every attachment and
(IMHO very important) unzips every MS Office file (xlsx, xlsm, docx) and
looks for strings like "rundll32" or "This program cannot be run in DOS
mode" and some others. I am rather sure that this plugin saved me from
WannaCry.

BR
Paul Lenz




Lena wrote:

> > From: Paul Lenz
>
> > Today I received again an 1,3 MB message with Lottery spam.
> > In the body is clearly to be seen "ONLINE LOTTERY DEPARTMENT".
>
> What you see as message body is not the same as what Exim considers as
> message body. You see a text/html or text/plain part,
> for Exim message body is all parts (encoded) and their separators.
> Use something like "View Source" in your mail client (MUA)
> to look at what Exim considers as message body.
>
> >     discard message = "Loteria in message body"
> >         !senders   = :
> >         condition  = ${if match {${lc:$message_body}}{loteria|lottery}{yes}{no}}
>
> acl_smtp_mime = acl_check_mime
> begin acl
> acl_check_mime:
>   deny  message = rejected as spam because of forbidden word in body
>         condition = ${if match{$mime_content_type}{text/}}
>         mime_regex = \N(?i)\s(loteria|lottery)\s
>
> accept
>
> Some other examples: http://lena.kiev.ua/Lena-eximconf-run.txt
>
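
The attachment check described in the message above (unpack ZIP attachments, unpack the Office formats that are themselves ZIP containers, then search for marker strings), as an added Python example; it is not the SpamAssassin plugin mentioned in the message, whose code is not on this page. The function names, the nesting limit, the size cap and the sample attachment are assumptions constructed for the example.

```python
import io
import zipfile
import zlib

# Marker strings named in the message; the plugin's full list is not on the page.
MARKERS = (b"rundll32", b"This program cannot be run in DOS mode")
MAX_DEPTH = 3                 # assumed limit for archives nested inside archives
MAX_MEMBER_BYTES = 20 << 20   # assumed per-member cap against decompression bombs


def scan_blob(data, name="attachment", depth=0):
    """Return sorted (path, finding) pairs for one attachment, recursing into ZIPs."""
    lowered = data.lower()
    hits = {(name, m.decode()) for m in MARKERS if m.lower() in lowered}
    # docx/xlsx/xlsm are ZIP containers, so one code path covers both cases.
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return sorted(hits)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}!{info.filename}"
                if info.flag_bits & 0x1:  # encrypted member: cannot be inspected
                    hits.add((path, "encrypted member, not scanned"))
                    continue
                with zf.open(info) as fh:
                    # Bounded read: the size field in the header can lie.
                    member = fh.read(MAX_MEMBER_BYTES)
                hits.update(scan_blob(member, path, depth + 1))
    except (zipfile.BadZipFile, zlib.error, NotImplementedError, OSError):
        hits.add((name, "unreadable archive"))
    return sorted(hits)


def build_sample():
    """Constructed sample: a ZIP attachment holding a .docx that embeds a PE stub."""
    stub = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", stub)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.docx", docx.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in scan_blob(build_sample(), "invoice.zip"):
        print(hit)
```

Encrypted or unreadable members are reported rather than silently passed, since content that cannot be inspected is itself a signal worth scoring.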