It's already been mentioned, but mimeheader is the right way to look at the headers of MIME parts.
The rule of thumb is "if you are using 'full' you're probably doing it wrong". :)

On Sun, Apr 26, 2009 at 11:57 AM, Charles Gregory <cgreg...@hwcn.org> wrote:
> On Sat, 25 Apr 2009, Gary Forrest wrote:
>>
>> We are receiving the same image spam many times, random text within the
>> body. The only common thing is an image attachment, with the filename in the
>> following format
>> DSL1234.png
>> I have made the following ' RAWBODY ' rule
>> /dsl[0-9]{4}\.png/i
>
> You need to use a 'full' rule to scan attachment names.
> While you are at it, you can also scan for
> full /Content-Type: image\/gif;\n[^a-z]+name=""/
>
> As this seems to be the next evolution of the spam. Nameless gifs.... :)
>
> Enjoy!
>
> - Charles
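
The point of the advice above, as an added Python illustration (not SpamAssassin code and not written by anyone in this thread): the attachment name sits in the MIME part's own Content-Type header, so a pattern run over text bodies never sees it, while a per-part header match does, even when the header is folded. The sample message, pattern names and function names are constructed for this example.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread): filler text, a PNG named in the
# reported format, and a GIF with an empty name. Part headers are folded.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

random filler words here
--b1
Content-Type: image/png;
\tname="DSL1234.png"

iVBORw0KGgo=
--b1
Content-Type: image/gif;
\tname=""

R0lGODlh
--b1--
"""

PNG_NAME = re.compile(r'name="?dsl[0-9]{4}\.png', re.I)
EMPTY_GIF_NAME = re.compile(r'^image/gif;.*\bname=""', re.I)

def text_body_hits(msg, pattern):
    """Search only the text parts' bodies, which never contain part headers."""
    return [p.get_content_type() for p in msg.walk()
            if p.get_content_maintype() == "text" and pattern.search(p.get_payload())]

def part_header_hits(msg, pattern, header="Content-Type"):
    """Search one header of every MIME part, unfolded to a single line."""
    values = (" ".join(str(v).split())  # collapse header folding
              for part in msg.walk() for v in part.get_all(header, []))
    return [v for v in values if pattern.search(v)]

def scan(raw_message):
    msg = message_from_string(raw_message)
    return {"body_png": text_body_hits(msg, PNG_NAME),
            "header_png": part_header_hits(msg, PNG_NAME),
            "header_gif": part_header_hits(msg, EMPTY_GIF_NAME)}

if __name__ == "__main__":
    print(scan(SAMPLE))
```

In SpamAssassin itself the per-part match is written as a `mimeheader` rule of the form `mimeheader RULE_NAME Content-Type =~ /pattern/`.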