For HTML content, we can check the length with
eval:html_eval('length', '< 384')
but I don't see anything similar for body or rawbody. For my purposes, the
Content-Length from the spamc connection would do, but it doesn't seem to be
exposed.
I see at least two plugins looking at length:
ImageInfo.pm: my $textlen = length(join('',@$body));
TextCat.pm: my $len = length($body);
but it seems a waste to make multiple in-memory copies a large message just to
see how big it is.
The bigger picture: I'm working on some ISP/.edu phishing rules inspired by the
old 419 rules... lots of words and short phrases indicating an attempt to get
our account information (either through email or free web form sites), and a
meta rule that fires only if there are several hits. Due to the risk of false
positives on long messages, I'd only like to apply the rules to messages with
short bodies.
--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
