Chris Lear wrote:
* Jo Rhett wrote (16/08/07 07:41):
Since nobody is paying attention

Or they're asleep. Your messages were at 23:44 and 07:41 here.

, let me clarify.  The current rule is wrong:

mimeheader __TVD_MIME_ATT_AP    Content-Type =~ /^application\/pdf/i
mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i

meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && __TVD_MIME_ATT && !__TVD_BODY

This evaluates to exactly the same as this:

meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && !__TVD_BODY

I believe that the original rule's intent was this:

meta TVD_PDF_FINGER01  __TVD_MIME_CT_MM && __TVD_MIME_ATT && !__TVD_BODY

I don't think you're right.

The rule looks like this to me:

meta TVD_PDF_FINGER01
__TVD_MIME_CT_MM             # content-type is multi-part mixed
&& __TVD_MIME_ATT_TP         # and has a text-plain part
&& __TVD_MIME_ATT            # and has an attachment that is either
    __TVD_MIME_ATT_AP    # application/pdf
    __TVD_MIME_ATT_AOPDF # or application/octet-stream.*.pdf
&& !__TVD_BODY               # and has no non-whitespace text content

Your rule would seem to match anything with no non-whitespace text content regardless of whether or not a pdf was attached.

I did a full analysis of why the rule is broken, line by line in the message you replied to. But I'll do it again.

(dropping "__TVD_MIME_" for ease of typing)

ATT is a meta of ATT_AP *or* ATT_AOPDF.

But the PDF_FINGER01 requires ATT_TP as well as ATT. This means that really it will only work if ATT_TP matches. If ATT_AOPDF matches then it won't match.

Now go back up and read the text I quoted at the top. Because if this is the author's intent then you can shorten the rule, but I somehow don't think so.

I was looking into this very rule about 3 days ago, because of false positives (client mailing out auto-generated pdfs which are being rejected by messagelabs), and I found that spamassassin -D told me all I needed to know about why some e-mail hit this rule and some didn't.

Perhaps. But maybe you have difficulty reading the line by line analysis I posted below, hm? I have ~200 messages here that are 100% spam that would match the fixed rule, which seems to be the author's intent.

--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
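
An added example, not written by either poster: it enumerates every combination of sub-rule hits and lists where the three meta expressions quoted in the thread disagree. It assumes each sub-rule is an independent boolean and that __TVD_MIME_ATT is only the "ATT_AP or ATT_AOPDF" meta described in the thread; the rule labels are made up for the example.

```python
import itertools
import re

# Sub-rules named in the thread, each treated as an independent boolean (assumption).
LEAVES = ["__TVD_MIME_CT_MM", "__TVD_MIME_ATT_TP", "__TVD_MIME_ATT_AP",
          "__TVD_MIME_ATT_AOPDF", "__TVD_BODY"]

# Definition of __TVD_MIME_ATT as described in the thread (assumption: nothing more).
DERIVED = {"__TVD_MIME_ATT": "__TVD_MIME_ATT_AP || __TVD_MIME_ATT_AOPDF"}

# The three meta expressions quoted in the thread; the dict keys are labels made up here.
RULES = {
    "current": "__TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && __TVD_MIME_ATT && !__TVD_BODY",
    "without_att": "__TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && !__TVD_BODY",
    "without_tp": "__TVD_MIME_CT_MM && __TVD_MIME_ATT && !__TVD_BODY",
}

def evaluate(expr, hits):
    """Evaluate a meta expression using only names, &&, ||, ! and parentheses."""
    if not re.fullmatch(r"[\w\s&|!()]+", expr):
        raise ValueError("unsupported token in meta expression: %r" % expr)
    py = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    return bool(eval(py, {"__builtins__": {}}, dict(hits)))

def assignments():
    """Yield every combination of sub-rule hits, with derived metas filled in."""
    for values in itertools.product([False, True], repeat=len(LEAVES)):
        hits = dict(zip(LEAVES, values))
        for name, expr in DERIVED.items():
            hits[name] = evaluate(expr, hits)
        yield hits

def differences(rule_a, rule_b):
    """Return the hit sets (tuples of matching sub-rule names) where two rules disagree."""
    out = []
    for hits in assignments():
        if evaluate(RULES[rule_a], hits) != evaluate(RULES[rule_b], hits):
            out.append(tuple(n for n in LEAVES if hits[n]))
    return out

if __name__ == "__main__":
    for a, b in itertools.combinations(RULES, 2):
        diffs = differences(a, b)
        print("%s vs %s: %d differing combination(s)" % (a, b, len(diffs)))
        for hit_names in diffs:
            print("   sub-rules hit:", ", ".join(hit_names))
```

Real messages cannot produce every combination, so a listed difference only matters if mail with that set of hits actually occurs; `spamassassin -D`, as mentioned in the thread, shows which sub-rules a given message hits.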
