You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by David Jelinek <Da...@cmich.edu> on 2005/05/04 18:45:50 UTC
Some rules help please
-----BEGIN PGP SIGNED MESSAGE-----
If someone would help me, I would appreciate it. We are getting a lot
of messages that get through that have various subjects bodies etc.
but they all have an attachment of the form xxxinfoxxx.zip although
the zip file really is not there (that's why it doesn't get stopped by
the virus scanner). We are running SpamAssassin version 3.0.2
I tried the following rule:
rawbody L_BAD_ZIP1 /name=".*?info.*?\.zip"/i
score L_BAD_ZIP1 3.0
describe L_BAD_ZIP1 Mail with stupid *info*.zip att
to try and catch these but there is no match.
I was expecting it to match (possibly twice) in the following:
- ------_=_NextPart_001_01C54FD9.66B9F48C
Content-Type: application/octet-stream;
name="account_info-text.zip"
Content-Transfer-Encoding: base64
Content-Description: account_info-text.zip
Content-Disposition: attachment;
filename="account_info-text.zip"
- ------_=_NextPart_001_01C54FD9.66B9F48C--
is there any way to do what I want?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQCVAwUBQnj8PmUW1v4EfgBlAQHgFQP/UZH/OpWrb/kiZvprZpBr1IBaRBuIJDSb
4l3UmQYOSmwBnlRh3GuuLclVLBQyK7cemODHU0EQ1CT3VtY+deT22WVo2/tscMwl
u/NWxh9kr1NBpQTAGlB230x6XfAtPdivNttF22DuXVCrXTVr2bYgLN4z45X2Gm2y
uEcDh1nY9OU=
=MuSr
-----END PGP SIGNATURE-----
Re: Some rules help please
Posted by Matt Kettler <mk...@evi-inc.com>.
David Jelinek wrote:
> If someone would help me, I would appreciate it. We are getting a lot
> of messages that get through that have various subjects bodies etc.
> but they all have an attachment of the form xxxinfoxxx.zip although
> the zip file really is not there (that's why it doesn't get stopped by
> the virus scanner). We are running SpamAssassin version 3.0.2
>
> I tried the following rule:
>
> rawbody L_BAD_ZIP1 /name=".*?info.*?\.zip"/i
> score L_BAD_ZIP1 3.0
> describe L_BAD_ZIP1 Mail with stupid *info*.zip att
>
> to try and catch these but there is no match.
>
You need to do that as a full rule, not a rawbody. The "rawbody" is
still sufficiently cooked that non-text mime segments and mime
boundaries are removed.