Hello List,
I decided to publish a SA Plugin we use over here.
The Plugin will check if attachments with a certain file extension are
present in the mail. This can be either directly attached or inside a zip
archive.
It only supports zip and no other archive types (yet).
Its useful to create scoring or combination rules on the presence of
certain filetypes.
Example rules:
body __HAS_FILES eval:attachmentpresent_file_count()
describe __HAS_FILES The e-mail has attached files (or inside archives)
body HAS_JS_FILES eval:attachmentpresent_file_count('js')
describe HAS_JS_FILES The e-mail has attached javascript files (or inside
archives)
score HAS_JS_FILES 2.5
body HAS_DOCM_FILES eval:attachmentpresent_file_count('docm')
describe HAS_DOCM_FILES The e-mail has attached docm files (or inside
archives)
score HAS_DOCM_FILES 2.0
body HAS_HTA_FILES eval:attachmentpresent_file_count('hta')
describe HAS_HTA_FILES The e-mail has attached hta files (or inside archives)
score HAS_HTA_FILES 2.5
body HAS_WSF_FILES eval:attachmentpresent_file_count('wsf')
describe HAS_WSF_FILES The e-mail has attached wsf files (or inside archives)
score HAS_WSF_FILES 2.5
body HAS_VBS_FILES eval:attachmentpresent_file_count('vbs')
describe HAS_VBS_FILES The e-mail has attached vbs files (or inside archives)
score HAS_VBS_FILES 2.5
and so on...
This kind of functionality was discussed several times on this list, but
AFAIK there is not yet a plugin for this.
It can be found on CPAN
(https://metacpan.org/release/Mail-SpamAssassin-Plugin-AttachmentPresent)
and ofcource feedback is welcome.
Cheers,
Merijn
