Thanks Josh. I'm sure there are more exceptions to come as well, but hopefully only a handful. BTW, I did whitelist declude.com, so no problems here with reading anything just as long as Scott doesn't start using these filters with a high score :) Your message also definitively answered the whitelisting question, John was right that all it does is defeat the scoring...my capture account still grabbed a copy of the message.

Could you post the full headers of that message with PGP, as well as any boundary code that might have been above the PGP signature? I could only find one example in 7 years of E-mail :) Just to be responsible with resources, it would be better to search the headers rather than the body. If folks haven't realized this yet, filtering the entire body with attachments can pull a lot of processing power, and it can be bad with very large files. My dual 1 GHz machine that generally bounces in the low single digits pulled about 50% for several seconds on a 14 MB attachment using a different filter with over 1,000 lines of BODY CONTAINS. I assume that PGP signatures should be marked in the headers as an attachment, i.e. application/pgp-signature. If there are exceptions to this, then the BODY makes sense.

This is still a filter in progress. I have another false positive that I just caught from an inline image that didn't trip the BASE64 filter or contain the attachment marker. This is accepted behavior for E-mail, so I'm going to have to figure out another way to not score such content. It will probably end up necessary to place the exception testing in a different filter so that it doesn't hit more than one exception at a time. Spammers use inline images on a rare occasion and I would hate to take extra points away from them.

And thanks to Kami for the kind words :)

BTW, both gibberish filters should remove the qo combination due to 'QO'S. I'll post another copy of my file when I figure out the PGP and inline problems. If anyone has any pointers on other inline Base64 stuff, I'd appreciate hearing it. It's important to exclude everything that the BASE64 test doesn't catch, so knowing the strict criteria there helps (i.e. what does it look for). This might also include needing to exclude some inline text, I'm not sure yet. Still works pretty well though.

Thanks,

Matt


Joshua Levitsky wrote:


Question: Below is a PGP signed message. Notice that it will fail your gibberish body test. I would suggest that just like you look for attachment in the body, that you also give -5 points to "BEGIN PGP SIGNATURE" because you are for sure going to see gibberish contained in a PGP or GPG signature.

Hope this helps in your spam fighting.

-Josh

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sep 12, 2003, at 5:15 PM, Matthew Bramble wrote:

Frederick Sama

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP2JPAXx8sPj6XQb+EQLuaACgi2cdS7XaOKLfIaVCJ96un+/iGc8AnjBq
DtlxcebkqwzfEpYOzCDFo5CG
=m4KE
-----END PGP SIGNATURE-----
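The filter logic the two messages above discuss, as an added example that is not from the list or from Declude: a MIME-aware pass that decides from part headers which content a gibberish test may score, cuts PGP armor out of clear-signed text, and never walks the bytes of an inline image. The message bytes, the gibberish heuristic and the function names are constructed for illustration.

```python
import re
from email import message_from_bytes, policy

# Constructed sample: a clear-signed text part plus an inline base64 image part.
SAMPLE = b"""Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Meeting moved to Friday, see you there.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP2JPAXx8sPj6XQb+EQLuaACgi2cdS7XaOKLfIaVCJ96un+/iGc8AnjBq
=m4KE
-----END PGP SIGNATURE-----
--b1
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Disposition: inline

R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==
--b1--
"""

PGP_ARMOR = re.compile(r"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----", re.S)
PGP_CLEARSIGN_HDR = re.compile(r"^(-----BEGIN PGP SIGNED MESSAGE-----|Hash: \S+)[ \t]*$", re.M)
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")           # token that is encoded data
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5}", re.I)  # unpronounceable run

def scorable_text(raw: bytes) -> str:
    """Collect only the text a gibberish test should score. Part headers decide
    what is skipped, so image/attachment bytes are never walked; PGP armor is cut."""
    msg = message_from_bytes(raw, policy=policy.default)
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                   # images, pgp-signature parts, containers
        text = part.get_content()      # transfer encoding already decoded
        text = PGP_CLEARSIGN_HDR.sub("", text)
        chunks.append(PGP_ARMOR.sub("", text))
    return "\n".join(chunks)

def gibberish_score(text: str) -> int:
    """Count tokens that look like encoded data; a real filter adds an allow-list here (the "QO'S" case)."""
    return sum(1 for tok in text.split()
               if BASE64ISH.match(tok) or CONSONANT_RUN.search(tok))
```

Scoring the raw body flags both the signature and the image data, while the header-driven pass scores only the human text.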



This E-mail came from the Declude.JunkMail mailing list.