Evader Virus

From Roaring Penguin

We are seeing a new virus in the wild that evades blocks on EXE filenames. It uses malformed MIME, which prevents us from detecting the attachment's filename.

We have pushed out a new SpamAssassin ruleset to catch this virus. You may also wish to consider making a Compound Rule that scores the virus heavily enough to push it past your auto-reject threshold. The Compound Rule we recommend is this:

 IF     Raw Body     Matches RegExp     ^Content-Type:\s+;
 AND    Raw Body     Matches RegExp     name=.{0,50}\.zip
 THEN add 2000 points

If you decide to use the rule, you should create it in the "default" stream (and "base" realm if you are running CanIt-Domain-PRO).
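As an added illustration (not Roaring Penguin's or CanIt's own code), here is the two-clause rule re-implemented in Python and run against constructed message bodies: one carrying the malformed `Content-Type: ;` part with a zip name, one with a properly labelled zip attachment, and one malformed part with no zip name. Only the combination of both clauses adds the 2000 points, which is what keeps legitimate zip attachments from being rejected.

```python
import re

# The two clauses of the recommended Compound Rule, as regexes over the raw body.
# re.MULTILINE makes "^" anchor at the start of every line, which is how the
# "Raw Body Matches RegExp" test sees the header lines of each MIME part.
MALFORMED_CONTENT_TYPE = re.compile(r"^Content-Type:\s+;", re.MULTILINE)
ZIP_NAME_PARAM = re.compile(r"name=.{0,50}\.zip")
RULE_POINTS = 2000  # enough to push the message past a typical auto-reject threshold


def matched_clauses(raw_body: str) -> dict:
    """Report which of the two clauses fire on a raw message body."""
    return {
        "malformed_content_type": MALFORMED_CONTENT_TYPE.search(raw_body) is not None,
        "zip_name": ZIP_NAME_PARAM.search(raw_body) is not None,
    }


def compound_rule_points(raw_body: str) -> int:
    """Points the Compound Rule adds: 2000 only when BOTH clauses match, else 0."""
    return RULE_POINTS if all(matched_clauses(raw_body).values()) else 0


# Constructed sample: the attachment part has an empty Content-Type value (just ";"),
# so a filter keyed on the declared media type or a well-formed filename misses it.
EVADER_BODY = (
    "Content-Type: multipart/mixed; boundary=\"b1\"\n\n"
    "--b1\nContent-Type: text/plain\n\nPlease see the attached invoice.\n"
    "--b1\n"
    "Content-Type: ;\n"
    " name=\"invoice_2024.zip\"\n"
    "Content-Disposition: attachment\n"
    "Content-Transfer-Encoding: base64\n\n"
    "(constructed placeholder for the base64 attachment body)\n"
    "--b1--\n"
)

# Constructed sample: a normal zip attachment with a proper Content-Type.
LEGIT_ZIP_BODY = (
    "Content-Type: multipart/mixed; boundary=\"b2\"\n\n"
    "--b2\nContent-Type: application/zip; name=\"report.zip\"\n"
    "Content-Disposition: attachment; filename=\"report.zip\"\n\n"
    "(constructed placeholder for the base64 attachment body)\n--b2--\n"
)

# Constructed sample: malformed Content-Type, but the attachment is not a zip.
MALFORMED_TEXT_BODY = "Content-Type: ;\n name=\"notes.txt\"\n\nhello\n"

if __name__ == "__main__":
    for label, body in [("evader", EVADER_BODY), ("legit zip", LEGIT_ZIP_BODY),
                        ("malformed txt", MALFORMED_TEXT_BODY)]:
        print(f"{label:14} {matched_clauses(body)} -> +{compound_rule_points(body)}")
```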