Hi Kai, > -----Original Message----- > From: Kai MacTane
> body IMAGE_ATTACHMENT /filename=\"[^\"]+\.(gif|jpe?g)\"/i > describe IMAGE_ATTACHMENT Has a GIF or JPEG attachment. > score IMAGE_ATTACHMENT 0.1 > > rawbody RAW_IMAGE_ATTACHMENT /filename=\"[^\"]+\.(gif|jpe?g)\"/i > describe RAW_IMAGE_ATTACHMENT Has a GIF or JPEG attachment. > score RAW_IMAGE_ATTACHMENT 0.1 > > rawbody CAREFUL_IMAGE_ATTACHMENT /^Content-Disposition: > attachment;\s+filename=\"[^\"]+\.(gif|jpe?g)\"/i > describe CAREFUL_IMAGE_ATTACHMENT Has GIF or JPEG Content-Disposition. > score CAREFUL_IMAGE_ATTACHMENT 0.1 Try something a little more simple to begin with. The following is from a W32/Klez.eml infected message. Content-Type: application/octet-stream; name=kitty.exet Content-Transfer-Encoding: base64 Content-ID: <Pxqqs4sCnE2K24nR1U8> Content-Type: application/octet-stream; name=08A_MB_PH[1].jpgt Content-Transfer-Encoding: base64 Content-ID: <Pxqqs4sCnE2K24nR1U8> Note: I added a t at the end of the extensions to bypass my filters. No Content-Disposition field, the filename wraps, and a whitespace (tab) before the filename. Outlook Express also tends to newline after attachment;. You would probably be better off looking for the following: rawbody RAW_IMAGE_ATTACHMENT /.*name=.*\.(pic|gif|jpe?g)("|$)/ --Larry ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk