If you have a reasonably modern (>= 3.1) version of SpamAssassin, you should by default have a MIMEHeader plugin available (at least on Ubuntu). This enables you to create a couple of custom rules that block the more pernicious “open this ZIP file” style trojans.
Put the following in /etc/spamassassin/local.cf:
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader ZIP_ATTACHED Content-Type =~ /zip/i
describe ZIP_ATTACHED email contains a zip file attachment
score ZIP_ATTACHED 0.1
header SUBJ_PACKAGE_PICKUP Subject =~ /(parcel|package).*avail.*pickup/i
describe SUBJ_PACKAGE_PICKUP 1 of 2 for meta-rule TROJAN_PACKAGE_PICKUP
score SUBJ_PACKAGE_PICKUP 0.1
header FROM_IRS_GOV From =~ /irs\.gov/i
describe FROM_IRS_GOV 1 of 2 for meta-rule TROJAN_IRS_ZIPFILE
score FROM_IRS_GOV 0.1
meta TROJAN_PACKAGE_PICKUP (SUBJ_PACKAGE_PICKUP && ZIP_ATTACHED)
describe TROJAN_PACKAGE_PICKUP Nobody sends a ZIP file to say “your package is ready”.
score TROJAN_PACKAGE_PICKUP 4.0
meta TROJAN_IRS_ZIPFILE (FROM_IRS_GOV && ZIP_ATTACHED)
describe TROJAN_IRS_ZIPFILE If the IRS really wants to send a ZIP, they’ll have to find another way
score TROJAN_IRS_ZIPFILE 4.0
As always, spamassassin –lint to make sure the new rules work okay, and /etc/init.d/spamassassin reload to activate them in your running spamd process.
Excellent, exactly what I needed thank you.
Jim
The whole spamassassin explained in few lines.
Thanks, it helps
Thank you for sharing this. I was looking for a way to add a score to messages with these annoying attachments, and this is exactly what I needed!