Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2004/02/12 19:14:22 UTC

Re: MyDoom E-mail

David B Funk writes:
> On Thu, 12 Feb 2004, Damon McMahon wrote:
> 
> > Thanks for the suggestions. Having done some further troubleshooting I'm
> > convinced that the full body regexp search either isn't being run or
> > isn't working as I would expect.
> >
> > Any further clues? Where would I find more info about the full body search?
> >
> > Thanks...
> 
> Because of a feature of SA.
> 
> If you have a MIME component of "Content-type: application/octet-stream"
> SA rips it out and discards it. EVERYTHING after that 'Content-type:'
> declaration up until the end of that particular component/attachment
> is discarded and not available for -any- types of matches,
> not "body", "rawbody" nor "full".
> 
> Look at the def of a 'body' rule in the spam.conf man page. It says:
> 
>           The 'body' in this case is the textual parts of the message body;
>           any non-text MIME parts are stripped, and the message decoded from
>           Quoted-Printable or Base-64-encoded format if necessary.
> 
> As application/octet-stream is clearly a non-text part, it is stripped.
> 
> If you look at the MIME headers of one of those critters, the
> "filename=" declaration that you're looking for is after the
> "Content-type: application/octet-stream" and thus made of unobtanium. ;(
> 
> Hey Devs, are there any 'really-raw-full-body' type rules that will
> let us look at -everything- in a message? Or is that so far from SA's
> intended usage realm that it's not even possible?

Not rules, no. It's a *spam* filter. ;)

You could, however, do it with a plugin in 3.0 -- access the "pristine"
message body.

--j.
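
Added illustration, not part of the thread and not SpamAssassin code: it uses Python's standard email package to show why a text-parts-only view of a message never contains the "filename=" of an application/octet-stream part, while a walk over every MIME part does. The sample message, the function names and the extension list are constructed assumptions.

```python
from email import message_from_string

# Constructed sample message (not real traffic): one text part and one
# application/octet-stream part whose filename= lives in the part headers.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See the attached file.

--b1
Content-Type: application/octet-stream; name="document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document.pif"

AAAA
--b1--
"""

# Assumed list of extensions worth flagging; adjust to local policy.
SUSPECT_EXT = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd")

def text_view(msg):
    """Decoded text/* parts only: a view with non-text MIME parts stripped."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "latin-1", "replace"))
    return "\n".join(chunks)

def attachment_names(msg):
    """(content-type, filename) for every non-text leaf part of the full message."""
    return [(p.get_content_type(), p.get_filename())
            for p in msg.walk()
            if p.get_content_maintype() not in ("text", "multipart")]

def suspicious(msg):
    """Filenames of non-text parts that end in a flagged extension."""
    return [n for _, n in attachment_names(msg) if n and n.lower().endswith(SUSPECT_EXT)]

MSG = message_from_string(SAMPLE)
```

A pattern match run against text_view(MSG) cannot see "document.pif"; a check that needs the attachment name has to work from the unstripped message, as attachment_names() does here.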