On Tue, Jul 23, 2002 at 11:08:45PM -0600, Bob Proulx wrote:
> That is not quite what I want. First, it does not trigger on this
> message I think because of the mime chaining? Shouldn't that body
> rule match? Secondly, I wanted audio/x-wav with a name that ends in a
> virus indicator like *.(bat|exe|others). Perhaps someone can improve
> this toward that goal.
I posted my AUDIO_ATTACH patch a while ago. :) I've reattached the patch.
I use it as such:
in local.cf I have:
full AUDIO_ATTACH eval:check_for_audio_executables()
describe AUDIO_ATTACH Has an audio attachment with an executable extension
score AUDIO_ATTACH 0
Then in my personal user_prefs I change the score to whatever I feel like.
(right now I use 0.001 so it gets marked but the score doesn't alter
much.)
--
Randomly Generated Tagline:
"Whip me. Beat me. Make me maintain AIX."
(By Stephan Zielinski)
diff -urN lib.orig/Mail/SpamAssassin/EvalTests.pm lib/Mail/SpamAssassin/EvalTests.pm
--- lib.orig/Mail/SpamAssassin/EvalTests.pm Fri Jun 14 13:21:47 2002
+++ lib/Mail/SpamAssassin/EvalTests.pm Tue Jun 18 10:59:51 2002
@@ -1481,4 +1481,23 @@
sub check_for_missing_headers { return 0; } # obsolete test
+# search for likely MS worms
+sub check_for_audio_executables {
+ my ($self, $fulltext) = @_;
+
+ my $content_type = $self->{msg}->get_header('Content-Type');
+ $content_type = '' unless defined $content_type;
+ $content_type =~ /\bboundary\s*=\s*["']?(.*?)["']?(?:;|$)/i;
+ my $boundary = "\Q$1\E";
+
+ # No message sections to check
+ return 0 unless ( defined $boundary );
+
+ while ( $$fulltext =~ /^--$boundary\n((?:[^\n]+\n)+)/mg ) {
+ return 1 if ( $1 =~
+m@^Content-Type:\s+audio/x-(?:wav|midi)\b.{0,100}\bname=.{0,100}\.(?:exe|pif|scr|bat|com)\b@msi
+ );
+ }
+
+ 0;
+}
+
1;
