For HTML content, we can check the length with

 eval:html_eval('length', '< 384')

but I don't see anything similar for body or rawbody. For my purposes, the 
Content-Length from the spamc connection would do, but it doesn't seem to be 
exposed.

I see at least two plugins looking at length:

 ImageInfo.pm:  my $textlen = length(join('',@$body));
 TextCat.pm:  my $len = length($body);

but it seems a waste to make multiple in-memory copies a large message just to 
see how big it is.

The bigger picture: I'm working on some ISP/.edu phishing rules inspired by the 
old 419 rules... lots of words and short phrases indicating an attempt to get 
our account information (either through email or free web form sites), and a 
meta rule that fires only if there are several hits. Due to the risk of false 
positives on long messages, I'd only like to apply the rules to messages with 
short bodies. 
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529

Reply via email to