Posted to users@spamassassin.apache.org by Kaleb Hosie <kh...@spectraaluminum.com> on 2010/05/28 19:05:13 UTC

Attached Spam Messages

Hey Everyone,

We've been having a problem with emails that are completely blank except for
an attached .rtf file which is where the spam message is.

Is there a way of decoding that file and feeding it to bayes?

Thanks for your help.
Kaleb

RE: Attached Spam Messages

Posted by Kaleb Hosie <kh...@spectraaluminum.com>.
> here's a nice little rule I use.
> 
>   # No text part, only an RTF document.  Yeah, sure...
> 
>   header   PAYLOAD_CTYPE_RTF  Content-Type =~ /\bname=".+\.rtf"/i
>   describe PAYLOAD_CTYPE_RTF  Payload is an RTF document, no text part
>   score    PAYLOAD_CTYPE_RTF  4.0

I've started using this rule in our organization and it seems to work great
so far.

I might bump up the scoring in the future; however, right now I have ours set
to 2.5 and it's catching extra spam that would have been let through.

If SA decoded and scanned through the attachment, that would be the best
option of all; however, in the meantime, this seems to do the trick.

Thanks for the help!

Re: Attached Spam Messages

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2010-05-28 at 13:05 -0400, Kaleb Hosie wrote:
> We've been having a problem with emails that are completely blank except for
> an attached .rtf file which is where the spam message is.

Err, do you *really* mean attached? If so, provide a sample.

Otherwise I guess you are actually talking about the recent-ish spam
that does not have anything but an RTF document MIME part. Those
typically score above 10 for me, so there might be something else
missing -- but here's a nice little rule I use.

  # No text part, only an RTF document.  Yeah, sure...

  header   PAYLOAD_CTYPE_RTF  Content-Type =~ /\bname=".+\.rtf"/i
  describe PAYLOAD_CTYPE_RTF  Payload is an RTF document, no text part
  score    PAYLOAD_CTYPE_RTF  4.0

DO NOTE that this MIGHT NOT be safe in all environments. MUAs and their
users tend to always include some minimal text, but $service via mail
might not. In that case, it still is rather unlikely it sends an RTF doc
(TIFF for fax probably is common), but that decision is up to you.

Also, the score is rather high. But then again, it is my local rule, and
I don't even get RTF docs attached to legit mail, ever...

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
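As an added illustration (my own script, not part of this thread and not SpamAssassin code) of what the PAYLOAD_CTYPE_RTF header rule actually tests: a `header` rule only sees the top-level Content-Type, so a single-part RTF message matches while a multipart message with a text part and an RTF attachment does not, which is why the "no text part" description holds. The two sample messages are constructed; the regex is the one from the rule, and the 4.0 / 2.5 scores are the ones mentioned in the thread.

```python
import email
import re

# Regex from the posted rule; Perl's /i flag becomes re.I.
RTF_NAME_RE = re.compile(r'\bname=".+\.rtf"', re.I)

# Constructed sample: the spam shape discussed, one application/rtf part and nothing else.
RTF_ONLY = b"""From: sender@example.invalid
Subject: Your statement
MIME-Version: 1.0
Content-Type: application/rtf; name="statement.rtf"
Content-Disposition: attachment; filename="statement.rtf"

{\\rtf1\\ansi Buy now}
"""

# Constructed sample: legit-looking mail, text part plus an RTF attachment.
WITH_TEXT = b"""From: colleague@example.invalid
Subject: Draft attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hi, the draft is attached.
--b1
Content-Type: application/rtf; name="draft.rtf"
Content-Disposition: attachment; filename="draft.rtf"

{\\rtf1\\ansi Draft}
--b1--
"""


def payload_ctype_rtf(raw: bytes) -> bool:
    """Mirror the SA 'header' rule: only the top-level Content-Type is tested."""
    msg = email.message_from_bytes(raw)
    return RTF_NAME_RE.search(msg.get("Content-Type", "")) is not None


def has_text_part(raw: bytes) -> bool:
    """Structural check over all MIME parts: is there any text/plain or text/html?"""
    msg = email.message_from_bytes(raw)
    return any(p.get_content_type() in ("text/plain", "text/html") for p in msg.walk())


def rule_score(raw: bytes, local_score: float = 4.0) -> float:
    """Score contribution of the rule; local_score is the site's chosen value (4.0 or 2.5)."""
    return local_score if payload_ctype_rtf(raw) else 0.0


if __name__ == "__main__":
    for name, raw in (("RTF_ONLY", RTF_ONLY), ("WITH_TEXT", WITH_TEXT)):
        print(name, "rule hit:", payload_ctype_rtf(raw), "has text part:", has_text_part(raw))
```

Running it shows the rule firing only on the single-part RTF message, the case Karsten's caveat about `$service` mail refers to: such mail would also have no text part, so whether to accept that score is a local decision.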