> -----Original Message-----
> From: Amnon [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 22, 2003 8:55 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Scanning for a file name
> 
> 
> Here it comes again.  For those of you who may have a better idea, what rule
> would you use to catch this "pic.gif"?
> 
> Thanks.
> 
> ============================
> Received: (qmail 19778 invoked by alias); 22 Aug 2003 12:00:21 -0000
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 19775 invoked from network); 22 Aug 2003 
> 12:00:21 -0000
> Received: from bgp376636bgs.plnfld01.nj.comcast.net (68.36.0.171)
>   by jed.deltaforce.net with SMTP; 22 Aug 2003 12:00:13 -0000
> From: [EMAIL PROTECTED]
> To: Amnon1 <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Sender: [EMAIL PROTECTED]
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_0012_01C27DD2.75377C90"
> X-Spam-Status: Yes, hits=4.2 required=3.5
>  tests=DATE_MISSING,MANY_EXCLAMATIONS,NO_REAL_NAME,
>        RCVD_IN_UNCONFIRMED_DSBL
>  version=2.55
> X-Spam-Level: ****
> X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
> X-Spam-Report:   ---- Start SpamAssassin results
>   4.20 points, 3.5 required;
>   *  1.1 -- Missing Date: header
>   *  0.5 -- From: does not include a real name
>   *  1.8 -- RBL: Received via a relay in unconfirmed.dsbl.org
>   [RBL check: found 171.0.36.68.unconfirmed.dsbl.org.]
>   *  0.8 -- Subject has many exclamations
>   ---- End of SpamAssassin results
> X-Spam-Flag: YES
> Subject: *****SPAM***** Fw: Amnon1! EX0TlC Iatina girIs in 
> C!R/\-Z-Y ACTl0N!   T
> k mQv6 itE
> X-Pyzor: Reported 0 times.
> 
> This is a multi-part message in MIME format.
> 
> ------=_NextPart_000_0012_01C27DD2.75377C90
> Content-Type: multipart/related; type="multipart/alternative";
> boundary="----=_NextPart_002_0012_01C27DD2.75377C90"
> 
> 
> ------=_NextPart_002_0012_01C27DD2.75377C90
> Content-Type: multipart/alternative;
> boundary="----=_NextPart_001_0012_01C27DD2.75377C90"
> 
> ------=_NextPart_001_0012_01C27DD2.75377C90
> Content-Type: text/plain
> Content-Transfer-Encoding: 8bit
> 
> VdjHWHERJYL
> 
> ------=_NextPart_001_0012_01C27DD2.75377C90
> Content-Type: text/html
> Content-Transfer-Encoding: 8bit
> 
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; 
> charset=iso-8859-1">
> </head>
> <body bgcolor="#804000" text="#000000">
> <p><a href="http://[EMAIL PROTECTED]/index.php"><img
> src="cid:pic.gif"; width="340" height="123" border="0"></a>
> </p>
> <p><font color="#804077">Hey oBKTIGcLGNK Amnon1 rXXcp</font></p>
> <p><font color="#804022">2069 735</font></p>
> <p><a 
> href="http://[EMAIL PROTECTED]/index.php?Xp
> 9MH7p"><img
> src="cid:pic1.gif"; width="120" height="15" border="0"></a>
> </p>
> </body>
> </html>
*snip*

rawbody MY_PIC_GIF1 /cid.pic\d{0,2}\.gif/i
describe MY_PIC_GIF1 pic.gif with cid found.

rawbody MY_PIC_GIF2 /("|\=|\<)pic\d{0,2}\.gif("|\>|\b)/i
describe MY_PIC_GIF2 pic.gif found as attachment.

This should work. Score to taste.
(I can never remember if the '=' needs to be escaped or not.)

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy Wonka


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
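
An added example, not part of the original posts: a small Python harness for checking filename patterns like the rules in the reply against sample lines before loading them into the filter. The rule names, the sample lines and the line-at-a-time matching are assumptions made for illustration; the patterns use only regex syntax that behaves the same in Perl and in Python's `re`.

```python
import re

# Hypothetical rule names mapped to patterns (illustration only).
RULES = {
    # cid: reference to pic.gif, pic1.gif ... pic99.gif
    "CID_PIC_GIF": re.compile(r"cid:pic\d{0,2}\.gif", re.I),
    # the same file name as a quoted, assigned or bracketed value
    "ATTACH_PIC_GIF": re.compile(r'["=<]pic\d{0,2}\.gif(?:[">]|\b)', re.I),
    # pitfall variant: a lazy {1,2}? still needs at least one digit,
    # so a plain "pic.gif" is not matched
    "CID_PIC_GIF_LAZY": re.compile(r"cid:pic\d{1,2}?\.gif", re.I),
}

# Constructed sample lines: two modelled on the quoted message body,
# two typical MIME part headers, and two look-alikes that must not hit.
SAMPLE_LINES = [
    'src="cid:pic.gif"; width="340" height="123" border="0"></a>',
    'src="cid:pic1.gif"; width="120" height="15" border="0"></a>',
    'Content-Type: image/gif; name="pic.gif"',
    'Content-ID: <pic1.gif>',
    '<img src="http://example.com/topic.gif">',
    '<img src="cid:picture.gif">',
]


def hits(rule, lines=SAMPLE_LINES):
    """Return the indexes of the lines matched by the named rule."""
    pattern = RULES[rule]
    return [i for i, line in enumerate(lines) if pattern.search(line)]


def report(lines=SAMPLE_LINES):
    """Build a per-rule summary of which sample lines were matched."""
    out = []
    for name in RULES:
        matched = hits(name, lines)
        out.append(f"{name}: lines {matched}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report())
```
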