On Thu, 2010-06-03 at 19:44 -0700, cviebrock wrote:
> I'm trying to write a rule to catch a bunch of spam I'm getting recently that
> contain only an .RTF file. The filename, subject line, and other details
> vary, but the raw message body is always the same i.e. the base64 encoded
> RTF file.
>
> See the headers and first few lines of the email here, plus my attempted
> rule (which doesn't seem to be firing).
>
Are you certain that the string you're matching is common to all RTF spam
messages without being common to all RTF messages, e.g. a standard RTF header?

I'm trapping all the RTF spam I'm getting by firstly recognising the RTF
attachment:

  describe   MG_RTF  RTF text file
  mimeheader MG_RTF  Content-Type =~ /name\=\".{1,20}\.rtf\"/i
  score      MG_RTF  0.75

and using that in meta-rules that combine it with other information (I don't
accept RTF attachments from some mailing lists or if they're sent to an address
that I don't send mail from or use for subscriptions).

Martin
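
Added example, not part of the original messages: a Python check of the question raised in the reply, showing that the first base64 line of an RTF attachment is fixed by the ordinary RTF prologue, so a body pattern taken from it also hits legitimate RTF mail. The two sample documents and all function names are constructed for illustration.

```python
import base64

# Constructed sample documents (assumptions, not taken from the thread): both
# open with an ordinary RTF prologue, only the text after it differs.
PROLOGUE = rb"{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fswiss Arial;}}\f0\fs20 "
SPAM_RTF = PROLOGUE + rb"Constructed spam text\par}"
HAM_RTF = PROLOGUE + rb"Minutes of the last meeting\par}"


def b64_lines(data, width=76):
    """Base64 body lines, wrapped at the usual MIME width of 76 characters."""
    enc = base64.b64encode(data).decode("ascii")
    return [enc[i:i + width] for i in range(0, len(enc), width)]


def shared_prefix_len(a, b):
    """Number of leading base64 characters two attachments have in common."""
    ea, eb = "".join(b64_lines(a)), "".join(b64_lines(b))
    n = 0
    while n < min(len(ea), len(eb)) and ea[n] == eb[n]:
        n += 1
    return n


def signature_is_generic(sig, ham_docs):
    """True if a candidate body string also occurs in a legitimate attachment."""
    return any(sig in "".join(b64_lines(doc)) for doc in ham_docs)


if __name__ == "__main__":
    spam_lines = b64_lines(SPAM_RTF)
    print("first body line :", spam_lines[0])
    print("shared prefix   :", shared_prefix_len(SPAM_RTF, HAM_RTF), "chars")
    # A pattern built from the first line matches the harmless document too.
    print("line 1 generic? :", signature_is_generic(spam_lines[0], [HAM_RTF]))
    # A pattern taken from past the shared prologue does not.
    print("line 2 generic? :", signature_is_generic(spam_lines[1], [HAM_RTF]))
```

Before scoring a body pattern, run the same comparison against a few known-good RTF attachments from your own mail.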