Erik Berry <[EMAIL PROTECTED]> writes:
> As far as I can tell, defang_mime has nothing to do with my question.
> In fact, I'm aware I have that option turned on and have read the
> complete documentation (I even drafted one section of it a few months
> ago).
Sorry, my mistake. It's such a FAQ, I had blinders on when looking over
your example.
I don't have any examples of that type of spam in my corpus, so I don't
know whether it happens often to write a rule, but if anyone has spam
saved in a maildir-style folder (one mail per file), you can do this to
see if you have any:
$ find spam_dir -type f|xargs egrep -c '^[A-Za-z0-9/+]{60,77}$'|egrep -v
':[0-3]$'|cut -f1 -d:|xargs egrep -Li base64 > /tmp/file-list
then look over the files listed in /tmp/file-list
That's basically how you'd write the rule, something like this:
body SURPRISE_BASE64 eval:check_for_surprise_base64()
describe SURPRISE_BASE64 Body has base64 content we weren't expecting
------- start of cut text --------------
sub check_for_surprise_base64 {
my ($self) = @_;
return 0 if $self->{found_encoding_base64};
my $count = 0;
for (@{$self->{msg}->get_body()}) {
if (/^[A-Za-z0-9\/+]{60,77}$/) {
$count++;
return 1 if $count > 5;
else {
$count = 0;
}
}
return 0;
}
------- end ----------------------------
I'm not even sure if that will run, but it should be pretty close.
If this is happening a lot, perhaps you could open a bug ticket and
attach complete examples?
Dan
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
