Michael Moncur wrote:
> I know this really shouldn't be SpamAssassin's job since it's used more by
> virii than by spam, but has anyone had any luck specifically detecting iframe
> src=cid tags? Here's my current rule that tries to do so:
>
> rawbody VIRUS_IFRAME_CID /<iframe +src ?=[ "]*cid/i
> describe VIRUS_IFRAME_CID VIRUS: IFRAME with internal source
> score VIRUS_IFRAME_CID 99
>
> Every virus message I get scores on the existing RELAYING_FRAME rule, but not
> on the above. I've tried some much simpler regexps with no luck.
>
> More importantly, when I resend a virus message to myself it DOES match the
> above rule. Are these messages encoded in some way to make SpamAssassin miss
> the iframe tag? But the RELAYING_FRAME test works anyway? I'm confused.

Download and use CVS if you're testing this stuff - email decoding is improving
all the time. Plus you can easily add in a test (using the regression test
stuff I just checked in):

    test VIRUS_IFRAME_CID ok <iframe src="cid:blah">

Matt.

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
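
An added example, not part of the original thread and not SpamAssassin code: it runs the rule's regex from the post over a message body before and after MIME transfer decoding, to show how quoted-printable encoding (where "=" travels as "=3D") can hide the tag from a match on the undecoded body. The sample message, the helper names and the assumption that the HTML part is quoted-printable are all constructed for illustration.

```python
import re
from email import message_from_string

# The rule's pattern from the post, unchanged.
RULE = re.compile(r'<iframe +src ?=[ "]*cid', re.I)

# Constructed sample message (not a captured virus): an HTML part sent as
# quoted-printable, where every literal "=" is transmitted as "=3D".
SAMPLE = (
    "From: sender@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/related; boundary=\"b1\"\n"
    "\n"
    "--b1\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<html><body>\n"
    "<iframe src=3Dcid:part1 height=3D0 width=3D0></iframe>\n"
    "</body></html>\n"
    "--b1--\n"
)

def raw_body(text):
    """Everything after the top-level header block, with no transfer decoding."""
    return text.split("\n\n", 1)[1]

def decoded_text_parts(text):
    """Yield each text/* part after undoing quoted-printable or base64."""
    for part in message_from_string(text).walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            charset = part.get_content_charset() or "latin-1"
            yield payload.decode(charset, errors="replace")

def rule_hits(text):
    """Return (hit on undecoded body, hit on decoded text parts)."""
    on_raw = bool(RULE.search(raw_body(text)))
    on_decoded = any(RULE.search(p) for p in decoded_text_parts(text))
    return on_raw, on_decoded

if __name__ == "__main__":
    print(rule_hits(SAMPLE))
```

A copy of the same message re-sent with the part as plain 7bit text matches on the undecoded body as well, which is consistent with the resend behaviour described in the question.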