[Mimedefang] filtering swen

Matt Cramer mscramer at armstrong.com
Wed Sep 24 09:29:00 EDT 2003


This worm is driving me nuts, because it flies totally under SpamAss's
radar.  So I thought I'd write some custom rules:

# swen
body  SWENVIRUS          /allow an malicious user to run code on your computer/
score SWENVIRUS          +5.5

body  SWENVIRUS2         /Microsoft C.*mer/i
score SWENVIRUS2         +2

body  SWENVIRUS3         /You don't need to do anything after installing this item/i
score SWENVIRUS3         +2

header SWENHEADER        Subject =~ /Microsoft Critical Update/i
score  SWENHEADER        +2

At this point I'm not concerned about whether these are good numbers, or
whether there are better rules, because mimedefang seems to "miss" them,
sometimes.

Here are the headers from a message I received where the above rules did
not change the score:

Received: from mail.pnae.mg (one.dts.mg [193.251.141.184])
        by zappa.armstrong.com (8.12.10/8.12.10) with ESMTP id
    h8O6SOQe030406
        for <mscramer at armstrong.com>; Wed, 24 Sep 2003 02:28:44 -0400
Received: from gqmhc ([192.168.1.249])
        by mail.pnae.mg (8.11.2/8.11.2) with SMTP id h8O4VLv07153;
        Wed, 24 Sep 2003 07:31:24 +0300
Date: Wed, 24 Sep 2003 07:31:24 +0300
Message-Id: <200309240431.h8O4VLv07153 at mail.pnae.mg>
FROM: "Microsoft Security Section" <iklxclmz-horr at support.com>
TO: "Customer" <customer-wloighk at support.com>
SUBJECT: Current Internet Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="qdlemzkuot"
X-Spam-Score: 0.5 () MICROSOFT_EXECUTABLE,MIME_HTML_NO_CHARSET
X-Scanned-By: AITS-Spam-Filter
Parts/Attachments:
   1.1.1 Shown    ~43 lines  Text
   1.1.2   OK    ~160 lines  Text
   1.2     OK     3.7 KB     Image
   1.3     OK     370 bytes  Image
   2              109 KB     Application
----------------------------------------

Now, if I save this message, and run it through spamassassin -D I get a
match on SWENVIRUS3 (which is in the body).  So spamassassin itself can
see the rules.  Interestingly, if I take the message body text, and send
it ALONE, then mimedefang processes it correctly and gives it the
appropriate spam score:

Received: from xxx.xxx.xxx (xxx.xxx.xxx [xxx.xxx.xxx.xxx])
        by jay.armstrong.com (8.12.10/8.12.10) with ESMTP id
h8OD5KdU021458
        for <mscramer at armstrong.com>; Wed, 24 Sep 2003 09:05:21 -0400
Date: Wed, 24 Sep 2003 09:05:21 -0400
From: xxxxxx at xxxxxx.xxx
To: mscramer at armstrong.com
Subject: swen test
Message-ID: <20030924130521.GA25848 at xxxx.xxxxxx.xxxx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
X-Spam-Score: -6.1 () BAYES_10,SWENVIRUS3,USER_AGENT_MUTT
X-Scanned-By: AITS-Spam-Filter

The Bayes rule appears, as well as my custom SWENRULE.  So whatever is
happening, it seems that perhaps the mime headers, or the way MD
processes the parts, is causing it to miss on the custom rules (as well as
Bayes).  One thing I already confirmed is this is NOT caused by a
limitation on message size in MD.  First, I have it set to 200K as the
limit, plus if I do bypass MD calling the SpamAss routines I don't insert
any SpamAss headers at all, and as you can see above, the original SWEN
message *IS* getting processed by SpamAss from MD.

Any ideas?  I would like to use SpamAss to catch these since I can
combine a bunch of custom rules to raise the score above the threshold.  I
am hesitant to just drop any messages with "critical Update" etc. in the
Subject, as that will likely drop legitimate mail here.


Thanks,

Matt

-- 
Matthew S. Cramer <mscramer at armstrong.com>          Office: 717-396-5032
Infrastructure Security Analyst                     Fax:    717-396-5590
Armstrong World Industries, Inc.                    Cell:   717-917-7099
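An added check, not from the post or from MIMEDefang/SpamAssassin, that approximates what the custom body rules above should see: it walks every decoded text/* part of a multipart message, runs the post's regexes against each part and the Subject header, and reports which part each rule matched in. The sample message is constructed inline in the same MIME layout as the Swen message (multipart/mixed wrapping text/plain + text/html plus a binary attachment); SpamAssassin's real body rendering differs (it collapses whitespace and strips HTML tags), so this is a sanity check, not a reimplementation.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Custom rules quoted in the post: body regexes and one Subject header rule, with their scores.
BODY_RULES = {
    "SWENVIRUS": (re.compile(r"allow an malicious user to run code on your computer"), 5.5),
    "SWENVIRUS2": (re.compile(r"Microsoft C.*mer", re.I), 2.0),
    "SWENVIRUS3": (re.compile(r"You don't need to do anything after installing this item", re.I), 2.0),
}
HEADER_RULES = {"SWENHEADER": (re.compile(r"Microsoft Critical Update", re.I), 2.0)}


def check_message(raw):
    """Run the rules over the Subject and every decoded text/* part of a raw message.
    Returns (hits, score); hits maps rule name -> "Subject" or the content type of the
    MIME part it matched in, which is the detail needed to see what the scanner sees."""
    msg = message_from_string(raw, policy=policy.default)
    hits = {}
    subject = str(msg.get("Subject", ""))
    for name, (rx, _score) in HEADER_RULES.items():
        if rx.search(subject):
            hits[name] = "Subject"
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers and binary attachments carry no body text
        text = part.get_content()  # transfer-decoded (quoted-printable/base64) text
        for name, (rx, _score) in BODY_RULES.items():
            if name not in hits and rx.search(text):
                hits[name] = part.get_content_type()
    score = sum({**BODY_RULES, **HEADER_RULES}[name][1] for name in hits)
    return hits, score


def build_sample():
    """Constructed sample (not real worm mail) shaped like the post's message:
    multipart/mixed containing multipart/alternative (plain + html) and an attachment."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft Security Section" <constructed@example.invalid>'
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Current Internet Update"  # does not match SWENHEADER, as in the post
    body = ("Microsoft Customer,\n\nThis update fixes a flaw that could allow an malicious user "
            "to run code on your computer.\nYou don't need to do anything after installing this item.\n")
    msg.set_content(body)
    msg.add_alternative("<html><body><p>" + body.replace("\n", "<br>") + "</p></body></html>", subtype="html")
    msg.add_attachment(b"\x00" * 64, maintype="application", subtype="octet-stream", filename="update.bin")
    return msg.as_string()


if __name__ == "__main__":
    print(check_message(build_sample()))  # shows each rule hitting in the text/plain part
```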