
Another Small Brick in Mail.app's Anti-Malware Wall


One of the few "dangerous emails" that made it past my rather aggressive SpamAssassin setup recently was a phishing attempt, claiming to have been sent by Google's AdWords service. When I took a closer look at this email, I noticed a header field that I hadn't come across before, and which adds another useful little helper in the fight against spam-n-scam emails.

That header field was:

X-Acl-Warn: This message contains malware (Phishing.Heuristics.Email.SpoofedDomain)

Turns out that this was added by the Exim Mail Transfer Agent which runs on the mail server I use. One of Exim's many features is the ability to analyze incoming emails by handing them off to anti-malware utilities installed on the server, like a virus scanner. If the scanner determines that there's something fishy -- or, rather: "phishy" in this case -- about the email, Exim adds the above header field, listing in parentheses the specific type of malware that was detected.

If Exim is running on your mail server, too, you can utilize these warnings by checking for the X-Acl-Warn: header field in a rule in Mail.app. Here's how.

Adding a custom email header field to Mail.app's rules conditions

Since X-Acl-Warn: is not among the message header fields that Mail.app's rules support by default (those are From:, To:, CC:, and Subject:), you have to define it first. To do this, open Mail's preferences, select the Rules pane, and choose "Edit Header List..." from the header menu in the conditions section. In the ensuing dialog box, click the "+" button, type in the field's exact name, and click OK.

Now select the newly added header field in the condition section, define the condition "Contains" - "malware", and configure the action you deem appropriate. For now, I've just added a colored highlight to the email to verify that the new rule works as intended.
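
The same check can be run outside Mail.app, for example over saved messages. The following Python sketch is an added example, not part of the original post: it applies the rule's "Contains" - "malware" condition to the X-Acl-Warn: field and pulls out the detection name given in parentheses. The sample message and the function names are constructed for illustration; only the header value comes from the email described above.

```python
import email
import re
from email import policy

# Constructed sample message. The X-Acl-Warn value is the one quoted in the
# post, folded over two lines the way long header fields are often wrapped.
SAMPLE = (
    "From: AdWords <support@example.com>\r\n"
    "To: reader@example.org\r\n"
    "Subject: Your account\r\n"
    "X-Acl-Warn: This message contains malware\r\n"
    " (Phishing.Heuristics.Email.SpoofedDomain)\r\n"
    "\r\n"
    "Body text.\r\n"
)

# The detection name is the parenthesised text at the end of the field value.
SIGNATURE = re.compile(r"\(([^()]+)\)\s*$")


def acl_warnings(raw):
    """Return every X-Acl-Warn value, unfolded, in header order."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Field names match case-insensitively; get_all() is None when absent.
    values = msg.get_all("X-Acl-Warn") or []
    # Collapse folding whitespace so each warning is a single line.
    return [" ".join(str(v).split()) for v in values]


def malware_signatures(raw):
    """Apply the rule 'X-Acl-Warn contains "malware"'; return detection names."""
    found = []
    for value in acl_warnings(raw):
        if "malware" not in value.lower():
            continue
        match = SIGNATURE.search(value)
        # A warning without a parenthesised name is still reported.
        found.append(match.group(1) if match else "unknown")
    return found


if __name__ == "__main__":
    for name in malware_signatures(SAMPLE):
        print("flagged by server-side scanner:", name)
```

A message without the field only means the server's scanner did not flag it, so an empty result is not a verdict that the message is safe.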

Depending on the software that's running on your mail server, there might be other header fields that you can use in a similar manner for determining if an incoming message contains any kind of malware. If you've already defined anti-malware rules in Mail.app that other readers might find useful, please share them in the comments. Thanks!


Read More Entries by Jochen Wolters.
