Michael Moncur wrote:
> I know this really shouldn't be SpamAssassin's job since it's used more by
> virii than by spam, but has anyone had any luck specifically detecting iframe
> src=cid tags? Here's my current rule that tries to do so:
> 
> rawbody VIRUS_IFRAME_CID                      /<iframe +src ?=[ "]*cid/i
> describe VIRUS_IFRAME_CID                     VIRUS: IFRAME with internal
> source
> score VIRUS_IFRAME_CID                        99
> 
> Every virus message I get scores on the existing RELAYING_FRAME rule, but not
> on the above. I've tried some much simpler regexps with no luck.
> 
> More importantly, when I resend a virus message to myself it DOES match the
> above rule. Are these messages encoded in some way to make SpamAssassin miss
> the iframe tag? But the RELAYING_FRAME test works anyway? I'm confused.

Download and use CVS if you're testing this stuff - email decoding is 
improving all the time. Plus you can easily add in a test (using the 
regression test stuff I just checked in):

  test VIRUS_IFRAME_CID   ok <iframe src="cid:blah";>

Matt.



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Reply via email to