Bug 3299 - check zip attachments for MS executables
Summary: check zip attachments for MS executables
Status: RESOLVED INVALID
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 2.60
Hardware: Other Linux
Importance: P5 normal
Target Milestone: 3.1.0
Assignee: SpamAssassin Developer Mailing List
Reported: 2004-04-24 14:53 UTC by phr
Modified: 2004-04-25 03:05 UTC
Description phr 2004-04-24 14:53:09 UTC
Lately I'm getting a number of spam messages whose contents are a zip attachment
containing a .scr file.  These should be scored as microsoft executables but
instead they aren't scored.
Comment 1 Theo Van Dinter 2004-04-24 16:54:02 UTC
SpamAssassin isn't a virus/worm scanner, so it's never going to do this kind 
of thing.  You may be interested in something like ClamAV.
Comment 2 phr 2004-04-24 16:58:17 UTC
Spamassassin has a rule called MICROSOFT_EXECUTABLE because so many messages
with Microsoft executables are spam.  If it were inappropriate or inapplicable
for Spamassassin to filter those messages, that rule wouldn't exist.  Since the
rule does exist, it's entirely appropriate for its implementation to be more
thorough.  So I hope this extension can be added.
Comment 3 Sidney Markowitz 2004-04-24 18:07:05 UTC
File attachments with an scr extension are viruses not spam. The FAQ about virus
filtering is at http://wiki.apache.org/spamassassin/FilteringViruses
Comment 4 phr 2004-04-24 18:11:05 UTC
.scr attachments are microsoft executables and therefore, according to
spamassassin's rulebase, have a good chance of being spam (the
MICROSOFT_EXECUTABLE rule).  Think of MS executables as a special type of
Bayesian keyword.  Anyway, if Spamassassin thinks that MS executables aren't
spam, then the MICROSOFT_EXECUTABLE rule should be eliminated.  Since lots of
people would probably get upset if that happened, it follows that having it stay
and keep working is good, and having it work more thoroughly is even better.
Comment 5 Theo Van Dinter 2004-04-25 09:42:20 UTC
Subject: Re:  check zip attachments for MS executables

On Sat, Apr 24, 2004 at 06:11:06PM -0700, bugzilla-daemon@bugzilla.spamassassin.org wrote:
> .scr attachments are microsoft executables and therefore, according to
> spamassassin's rulebase, have a good chance of being spam (the
> MICROSOFT_EXECUTABLE rule).  Think of MS executables as a special type of

No, MICROSOFT_EXECUTABLE never detected spam.  Virus/Worm emails != spam.

> Bayesian keyword.  Anyway, if Spamassassin thinks that MS executables aren't
> spam, then the MICROSOFT_EXECUTABLE rule should be eliminated.  Since lots of
> people would probably get upset if that happened, it follows that having it stay
> and keep working is good, and having it work more thoroughly is even better.

Since MICROSOFT_EXECUTABLE is gone in 3.0 anyway, this discussion is
pretty moot.  But just for your edification, the rule was put in for
people who wanted SA to do some form of "virus/worm" catching, so we
added a rule to look for the first couple of bytes in an executable to
help those folks out.

Comment 6 phr 2004-04-25 10:54:02 UTC
See, Spamassassin attempts a difficult task, carefully separating "good" email
from "bad" (spam) email by analyzing its contents.  The main reason I can think
of for it to not also try to detect viruses is that it greatly increases the
complexity of the task, since SA then would have to also separate "good" MS
executables that Windows users sometimes send each other from "bad" ones, by
analyzing the contents against virus signature libraries and so forth.

However, for non-Windows users, that difficulty does not exist.  Any email that
contains any MS executable of any sort is bad, 100% of the time, since such a
user will never receive any legitimate email with MS executables.  

Also, in technical terms, the distinction between spam and viruses is not so
clear and gets less clear every day.  As blacklists get more effective, spammers
resort to spreading viruses through spam messages to take over users' machines
and send more spam.  Spam is a virus vector and viruses are a spam vector. 
While it's true that some viruses are sent by people other than spammers, more
and more of them come from spammers and therefore are spam.  While it's fine
that SA declares analyzing specific executables to be beyond its scope, the mere
presence of an executable is definitely correlated with spam, just like the
word "mortage" in a message is correlated with spam.  Both should have scores.

So, IMO, the MICROSOFT_EXECUTABLE should NOT be removed from SA 3.0, but rather
it should be extended to check for executables inside zip attachments.
Comment 7 Theo Van Dinter 2004-04-25 10:58:40 UTC
Subject: Re:  check zip attachments for MS executables

On Sun, Apr 25, 2004 at 10:54:03AM -0700, bugzilla-daemon@bugzilla.spamassassin.org wrote:
> So, IMO, the MICROSOFT_EXECUTABLE should NOT be removed from SA 3.0, but rather
> it should be extended to check for executables inside zip attachments.

You're free to write a plugin for 3.0 to search for all forms of MS
Executables, but the rule was already removed and this ticket closed --
this is a dead issue at this point.
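
Added example, not part of the original thread and not SpamAssassin code: a stand-alone Python check that combines the "first couple of bytes" test described in comment 5 with the zip inspection requested in this bug. The extension list, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
import zlib
from email import message_from_bytes
from email.message import EmailMessage

# Assumed extension list for directly runnable Windows files; extend as needed.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def is_pe(data):
    return data[:2] == b"MZ"  # DOS/PE executables begin with the bytes 'MZ'

def zip_hits(data):
    """Names of zip members that look like MS executables (by name or magic)."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist()[:1000]:  # bound the work per archive
                if info.filename.lower().endswith(EXEC_EXTS):
                    hits.append(info.filename)
                elif not info.flag_bits & 0x1:  # encrypted members are unreadable
                    with zf.open(info) as fh:
                        if is_pe(fh.read(2)):
                            hits.append(info.filename)
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError, EOFError, zlib.error):
        pass  # malformed or unsupported archive: keep what was found so far
    return hits

def scan_message(raw):
    """Return (attachment name, finding) pairs for one raw RFC 822 message."""
    findings = []
    for part in message_from_bytes(raw).walk():
        # Multipart containers decode to None, so they fall through as empty.
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        if is_pe(data):
            findings.append((name, "executable"))
        elif data[:4] == b"PK\x03\x04":  # local file header of a zip
            findings += [(name, "zip contains " + m) for m in zip_hits(data)]
    return findings

def sample_message():
    """Constructed mail: zip attachment holding an inert 'MZ'-prefixed .scr stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.scr", b"MZ constructed stub, not a program")
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="photo.zip")
    return msg.as_bytes()
```

Encrypted members can only be matched by file name here, since their contents cannot be read without the password.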

Comment 8 phr 2004-04-25 11:05:30 UTC
I'm really surprised to hear that MICROSOFT_EXECUTABLE is gone from 3.0.  I
cannot figure out what weird notion of ideological purity led SA's maintainers
to remove it (spam is bad, viruses are good?).  MICROSOFT_EXECUTABLE was (is)
definitely useful in decluttering one's mailbox, which is the point of SA, and
it has to have been a very simple rule.  It should be restored.