On Mon, 3 Oct 2022, Loren Wilton wrote:

> I'm getting a bunch of spams from fake gmail accounts that consist of one short line of text and a 2 MB jpg file.
> The subject and body text are pretty much random beyond that.
>
> How do I check for the following?
>
> --000000000000e345f305ea2680cd
> Content-Type: image/jpeg; name="MMM.jpg"
> Content-Disposition: attachment; filename="MMM.jpg"
> Content-Transfer-Encoding: base64
> Content-ID: <f_l8t6clr50>
> X-Attachment-Id: f_l8t6clr50
>
> I want to match on /^Content-Type: image\/jpeg;/ but I can't figure out how to do that. rawbody doesn't seem to work.

Use the specific 'mimeheader' rule type:

mimeheader L_IMAGE3e    Content-Type =~ m!image/jpe?g;!i
describe L_IMAGE3e      Has JPG image attachment
score L_IMAGE3e         0.2




--
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
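
An added example, not part of the original post and not SpamAssassin's code: a Python approximation of what the `mimeheader` rule above tests, run over a constructed message modelled on the quoted MIME part. It checks the rule's pattern against the headers of each MIME part, and shows that the decoded text content, which body-type rules look at, does not contain those headers. The sender address, the short base64 payload and the function names are assumptions made for the illustration.

```python
import re
from email import message_from_string

# Pattern from the L_IMAGE3e rule: m!image/jpe?g;!i
JPEG_CT = re.compile(r"image/jpe?g;", re.I)

# Constructed sample message modelled on the MIME part quoted in the post.
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="000000000000e345f305ea2680cd"

--000000000000e345f305ea2680cd
Content-Type: text/plain; charset="UTF-8"

one short line of text
--000000000000e345f305ea2680cd
Content-Type: image/jpeg; name="MMM.jpg"
Content-Disposition: attachment; filename="MMM.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--000000000000e345f305ea2680cd--
"""

def mime_header_hits(raw, header, pattern):
    """Values of `header` on any MIME part that match `pattern`.
    Approximates what a mimeheader rule tests; not SpamAssassin's code."""
    hits = []
    for part in message_from_string(raw).walk():  # container, then each part
        for value in part.get_all(header, []):
            if pattern.search(value):
                hits.append(value)
    return hits

def text_body(raw):
    """Decoded content of the text/* parts only: part headers are not in it."""
    chunks = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True)
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

if __name__ == "__main__":
    print(mime_header_hits(SAMPLE, "Content-Type", JPEG_CT))
    print(bool(JPEG_CT.search(text_body(SAMPLE))))
```

Because the pattern ends in `;`, a part declared as a bare `Content-Type: image/jpeg` with no parameters would not match it.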