Hello Phil,
The rule to detect forged The Bat! by message id did exist several years
ago, I remember for sure (maybe it didn't make it into the production version
of SpamAssassin). That rule checked whether there was "X-Mailer: The Bat!" and
the "message id" was not formed the way The Bat! forms it.
I can now only find the following:
meta FORGED_MUA_THEBAT_CS (__THEBAT_MUA && __CTYPE_CHARSET_QUOTED)
meta FORGED_MUA_THEBAT_BOUN (__THEBAT_MUA_V1 && __CTYPE_HAS_BOUNDARY && !__BAT_BOUNDARY && !__MAILMAN_21)
Maybe we should also add
meta FORGED_MUA_THEBAT_MSGID (__THEBAT_MUA && !__BAT_MSGID)
We should also modify the rule
header __BAT_BOUNDARY Content-Type =~ /boundary=\"?-{10}/
to something like
boundary=\"-{10}[A-F0-9]{4,}\"
since the quotes are always added by The Bat!, and the ten dash characters
are followed by four or more uppercase hexadecimal characters.
I guess we can change the rule FORGED_MUA_THEBAT_BOUN by replacing
__THEBAT_MUA_V1 with __THEBAT_MUA there, since this format of boundary is used
in any version of The Bat!
--
Best regards,
Maxim Masiutin mailto:[email protected]
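
The effect of the tightened `__BAT_BOUNDARY` pattern on `FORGED_MUA_THEBAT_BOUN`, as an added example that is not part of the original message or of SpamAssassin. It evaluates the meta with `__THEBAT_MUA` in place of `__THEBAT_MUA_V1`, as the message proposes. Assumptions: `THEBAT_MUA` and `HAS_BOUNDARY` are simplified stand-ins for sub-rules the message names but does not define, `mailman_21` is a caller-supplied flag, and all sample headers are constructed.

```python
import re

# Patterns quoted in the message; this syntax behaves the same in Perl and Python.
OLD_BAT_BOUNDARY = re.compile(r'boundary=\"?-{10}')
NEW_BAT_BOUNDARY = re.compile(r'boundary=\"-{10}[A-F0-9]{4,}\"')

# Assumptions: simplified stand-ins for sub-rules the message does not define.
THEBAT_MUA = re.compile(r'^The Bat!')           # stands in for __THEBAT_MUA
HAS_BOUNDARY = re.compile(r'boundary=', re.I)   # stands in for __CTYPE_HAS_BOUNDARY


def forged_thebat_boun(headers, bat_boundary, mailman_21=False):
    """__THEBAT_MUA && __CTYPE_HAS_BOUNDARY && !__BAT_BOUNDARY && !__MAILMAN_21"""
    ctype = headers.get("Content-Type", "")
    claims_bat = bool(THEBAT_MUA.search(headers.get("X-Mailer", "")))
    return (claims_bat
            and bool(HAS_BOUNDARY.search(ctype))
            and not bat_boundary.search(ctype)
            and not mailman_21)


DASHES = "-" * 10
BAT = "The Bat! (v0.0) sample"  # constructed X-Mailer value
# Constructed sample headers, not taken from real mail.
SAMPLES = {
    "bat_style":     {"X-Mailer": BAT,
                      "Content-Type": f'multipart/mixed; boundary="{DASHES}0A1B2C3D4E5F"'},
    "unquoted":      {"X-Mailer": BAT,
                      "Content-Type": f'multipart/mixed; boundary={DASHES}0A1B2C3D4E5F'},
    "non_hex_tail":  {"X-Mailer": BAT,
                      "Content-Type": f'multipart/mixed; boundary="{DASHES}=_NextPart_000"'},
    "lowercase_hex": {"X-Mailer": BAT,
                      "Content-Type": f'multipart/mixed; boundary="{DASHES}0a1b2c3d"'},
    "other_mua":     {"X-Mailer": "ExampleMail 1.0",
                      "Content-Type": 'multipart/mixed; boundary="xyz"'},
}


def compare(samples=SAMPLES):
    """Return {name: (hit with old pattern, hit with new pattern)}."""
    return {name: (forged_thebat_boun(h, OLD_BAT_BOUNDARY),
                   forged_thebat_boun(h, NEW_BAT_BOUNDARY))
            for name, h in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:14} old={old!s:5} new={new}")
```

With the old pattern none of the samples hit; the tightened pattern flags the unquoted, non-hex and lowercase boundaries while leaving the The Bat!-style boundary and the other mailer alone.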