>> [snip]
>> body HAS_VBS_FILES eval:attachmentpresent_file_count('vbs')
>> describe HAS_VBS_FILES The e-mail has attached vbs files (or inside
>> archives)
>> score HAS_VBS_FILES 2.5
>
> This looks very interesting. The scores you've specified seem to be
> quite high, however. I'd probably make them much lower.In our case they work good enough to push over the spam message edge cases (new zombies etc) and its low enough for our real ham to survive. But ofcource this is just an example, you can (or not) use it any way you want. > > Is there any ability to determine if a particular attachment has a > Word macro enclosed in addition to just having a Word document? > This plugin just looks at filename extensions. And the main feauture is it also looks at files inside zip archives. So we use it to tag wsf, js, hta, ... files which get sent inside zip archives a lot. > Thanks, > Alex >
