* Jo Rhett wrote (16/08/07 07:41):
Since nobody is paying attention
Or they're asleep. Your messages were at 23:44 and 07:41 here.
, let me clarify. The current rule is
wrong:
mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~
/^application\/octet-stream.*\.pdf/i
meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT_TP &&
__TVD_MIME_ATT && !__TVD_BODY
This evaluates to exactly the same as this:
meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && !__TVD_BODY
I believe that the original rule's intent was this:
meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT && !__TVD_BODY
I don't think you're right.
The rule looks like this to me:
meta TVD_PDF_FINGER01
__TVD_MIME_CT_MM # content-type is multi-part mixed
&& __TVD_MIME_ATT_TP # and has a text-plain part
&& __TVD_MIME_ATT # and has an attachment that is either
__TVD_MIME_ATT_AP # application/pdf
__TVD_MIME_ATT_AOPDF # or application/octet-stream.*.pdf
&& !__TVD_BODY # and has no non-whitespace text content
Your rule would seem to match anything with no non-whitespace text
content regardless of whether or not a pdf was attached.
I was looking into this very rule about 3 days ago, because of false
positives (client mailing out auto-generated pdfs which are being
rejected by messagelabs), and I found that spamassassin -D told me all I
needed to know about why some e-mail hit this rule and some didn't.
Chris
