SpamAssassin updates and rules for xls,ppt and doc

scumbag spammer Robert Soloway

scumbag spammer Robert Soloway

So yes the zoo has a scanner my blog) but with the amount of problems caused by microsoft i thought when the detection fails as you may not have the definition so why not mark doc xls and ppt document attachments as spam if they pass due for being too new.

So i went for a wonder and found some interesting stuff, I cobbled some stuff together in the spam assassin file checked with –lint and waited.  Alas no not yet detected viruses have been sent to the zoo recently.  But this is an adaption of stuff out there.

I tried a perl plugin from but had to hard code the stuff in the perl module which was a pig to find, that generated emails about the perl before i changed it.   If it works i willl tell you.

Our spam problem is not that bad but improvements can also be made.

The first attempt rules (do not work)

#idea credit to
rawbody xls_attachment /xls/
describe xls_attachment This rule checks for xls attachments
rawbody doc_attachment /doc/
describe doc_attachment This rule checks for doc attachments
rawbody ppt_attachment /ppt/
describe ppt_attachment This rule checks for ppt attachments
score xls_attachment 3.0
score doc_attachment 3.0
score ppt_attachment 3.0



Version 2 i used this (not here watch for Text:Unidecode

body doc /\b[\x{3A}\x{3A}][\x{20}\x{20}][\x{2E}\x{2E}]doc\b/i # : .doc
score doc 3

Strings are

Content-Type: application/msword; name="doc4502094035.doc"
Content-Description: doc4502094035.doc
Content-Disposition: attachment; filename="doc4502094035.doc";

Third attempt and knee deep in regex – something of an art form.

body doc2 /.*doc.*$/
score doc2 5
body xls2 /.*xls.*$/
score xls2 5

Scores could be higher and i increased them on every attempt.

Eventually i get a spam but it does not trigger the rules although the file is not a virus defined as such the strings above did not work. Maybe i need to upgrade something.  But i show the failings just in case you are thinking along the same lines.

So change a a couple of rules to capital letters and doc2 fires although a document is there it is mentioned in text

X-Spam-Status: Yes, score=15.892 tag=2 tag2=x.x kill=x.x

Triggered by

grep " doc" spam

Please find attached a document from redacted

So it seems looking for a .doc is redundant as it is masked with a Content-Disposition: attachment; filename=”allnumberscharacters.tiff.js”

New rules

body DOC3 tiff.js
score DOC3 6
describe DOC3 executable format

body DOC4 urn:schemas-microsoft-com:office:word
score DOC4 4
describe DOC4 xml for microsoft word.

Since it kind of worked and i had to fish the document out of the server as it never got delivered i kind call that a success.

I dont need to insult microsoft fans but you do provide entertainment with your odd ideas about safe computing with keeps the antivirus business alive..

I also installed some extra tests for spamassasin which also generate perl errors due to a an amusing typo but do also push those strange emails over the limit  It is 2016 after all and if you can’t run a mail server properly then i think you have had more than enough time to be tolerated.

by golly but...

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s