On Fri, 2010-03-26 at 14:37 +0100, Jonas Eckerman wrote:
> On 2010-03-24 14:34, Martin Gregorie wrote:
>
> >> It's named MimeMagic and is available at
> >> <http://whatever.frukt.org/spamassassin.text.shtml>
> >>
> > Thanks, Jonas. That looks very useful. I've replaced my old
> > IMAGE_MISMATCH rule with an equivalent based on MimeMagic that uses:
>
> Please make sure to evaluate the results. As stated on the web page, I
> still consider the plugin to be somewhat experimental, and I haven't had
> a lot of feedback on it.
>
I ran it on my collection of spam with images carrying the payload. It
caught one of the recent batch (image/jpg but attached .BMP) and picked
on another that was also spotted by the original IMAGE_MISMATCH rule, so
it didn't generate any FPs on that collection or on my entire spam
collection. On that basis I've left it running.

> > header IMAGE_MISMATCH eval:mimemagic_mismatch_contenttype('jpg', 'gif', 'png', 'bmp', 'svg')
>
> That will miss parts with MIME types image/jpeg or image/x-jpeg.
> Replacing jpg with jpe?g would be better.
>
Point. I realised I'd messed that one up but haven't yet fixed it.

> It will also miss anything where those substrings are not in the
> declared MIME type for the part. So a JPEG image with a .gif extension
> and an application/octet-stream MIME type will not be caught.
>
That's fine - I only want to use it to spot cases where the MIME image/*
content type is lying about the contents of the attachment. In many of
my collected examples the MIME content type is correct so they're being
picked up via odd file names or no file name at all, which is very rare
in legit. mail.

> It will include parts where any of those strings happen to be
> substrings of any other MIME type, including non image ones. Not sure if
> that will ever matter though.
>
No, not in my rule set, anyway.

> A rule that should quite a lot of image types might be (just off the top
> of my head, untested):
> header IMAGE_MISMATCH eval:mimemagic_mismatch_datatype('image/')
>
> This should do a magic check on all parts, and see if any parts
> identified (by the freedesktop database) as image/* have a mismatched
> MIME type or file name extension.
>
When I have an idle moment I'll create a few test cases with GIMP or
Image Magick (at least one match and one mismatch for each image type in
the list) and run them past my IMAGE_MISMATCH rule and this suggestion
of yours.

Martin
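
The difference between the two rule styles discussed in this thread, as an added Python sketch that is not part of the original messages and is not the MimeMagic plugin's code. The function names only mirror the eval names; their behaviour, the small magic table (standing in for the freedesktop database) and the sample message are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

# Tiny constructed magic table; the plugin itself uses the freedesktop database.
MAGIC = [(b"\xff\xd8\xff", "image/jpeg"), (b"GIF8", "image/gif"),
         (b"\x89PNG\r\n\x1a\n", "image/png"), (b"BM", "image/bmp")]
EXTS = {"image/jpeg": {"jpg", "jpeg", "jpe"}, "image/gif": {"gif"},
        "image/png": {"png"}, "image/bmp": {"bmp"}}
ALIASES = {"image/jpg": "image/jpeg", "image/x-jpeg": "image/jpeg"}

def sniff(data):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    return next((mime for sig, mime in MAGIC if data.startswith(sig)), None)

def leaf_parts(msg):
    """Yield (declared type, file name, decoded body) for each non-container part."""
    for part in msg.walk():
        if not part.is_multipart():
            yield (part.get_content_type(), part.get_filename() or "",
                   part.get_payload(decode=True) or b"")

def mismatch_contenttype(msg, *patterns):
    """Sniff only parts whose declared type matches one of the regex patterns."""
    rx = re.compile("|".join(patterns), re.I)
    return [name for declared, name, body in leaf_parts(msg)
            if rx.search(declared)
            and sniff(body) not in (None, ALIASES.get(declared, declared))]

def mismatch_datatype(msg, prefix):
    """Sniff every part; flag detected prefix* data with a wrong type or extension."""
    hits = []
    for declared, name, body in leaf_parts(msg):
        actual = sniff(body)
        if actual and actual.startswith(prefix):
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ALIASES.get(declared, declared) != actual or (ext and ext not in EXTS[actual]):
                hits.append(name)
    return hits

def sample():
    """Constructed message: BMP sent as image/jpeg, JPEG sent as octet-stream .gif, honest PNG."""
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(b"BM" + bytes(32), maintype="image", subtype="jpeg", filename="pic.jpg")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + bytes(32), maintype="application",
                       subtype="octet-stream", filename="photo.gif")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + bytes(32), maintype="image", subtype="png",
                       filename="logo.png")
    return msg
```

On the constructed message, the `'jpg'` pattern list flags nothing, switching to `'jpe?g'` flags `pic.jpg`, and only the data-type check also flags the JPEG declared as application/octet-stream.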