Hi Kai,

> -----Original Message-----
> From: Kai MacTane

> body IMAGE_ATTACHMENT /filename=\"[^\"]+\.(gif|jpe?g)\"/i
> describe IMAGE_ATTACHMENT Has a GIF or JPEG attachment.
> score IMAGE_ATTACHMENT 0.1
> 
> rawbody RAW_IMAGE_ATTACHMENT /filename=\"[^\"]+\.(gif|jpe?g)\"/i
> describe RAW_IMAGE_ATTACHMENT Has a GIF or JPEG attachment.
> score RAW_IMAGE_ATTACHMENT 0.1
> 
> rawbody CAREFUL_IMAGE_ATTACHMENT /^Content-Disposition: attachment;\s+filename=\"[^\"]+\.(gif|jpe?g)\"/i
> describe CAREFUL_IMAGE_ATTACHMENT Has GIF or JPEG Content-Disposition.
> score CAREFUL_IMAGE_ATTACHMENT  0.1

Try something a little more simple to begin with.  The following is from a
W32/Klez.eml infected message.

Content-Type: application/octet-stream;
        name=kitty.exet
Content-Transfer-Encoding: base64
Content-ID: <Pxqqs4sCnE2K24nR1U8>

Content-Type: application/octet-stream;
        name=08A_MB_PH[1].jpgt
Content-Transfer-Encoding: base64
Content-ID: <Pxqqs4sCnE2K24nR1U8>

Note:  I added a t at the end of the extensions to bypass my filters.

No Content-Disposition field, the filename wraps, and a whitespace (tab)
before the filename.  Outlook Express also tends to newline after
attachment;.  You would probably be better off looking for the following:

rawbody RAW_IMAGE_ATTACHMENT /.*name=.*\.(pic|gif|jpe?g)("|$)/


--Larry
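
Added example, not part of the original message: the two rawbody patterns quoted above and the suggested replacement, run against constructed MIME part headers. It assumes the rule is tested one raw line at a time, so a folded header is never seen as a single string. The sample headers and the names RULES, SAMPLES and hits are made up for illustration, and the Perl patterns are carried over to Python's re unchanged.

```python
import re

# Patterns from the thread; /i becomes re.I, the suggested rule has no /i.
RULES = {
    "original": re.compile(r'filename="[^"]+\.(gif|jpe?g)"', re.I),
    "careful": re.compile(
        r'^Content-Disposition: attachment;\s+filename="[^"]+\.(gif|jpe?g)"', re.I),
    "suggested": re.compile(r'.*name=.*\.(pic|gif|jpe?g)("|$)'),
}

# Constructed samples (real extensions, no trailing "t").
SAMPLES = {
    # No Content-Disposition, unquoted name on a tab-folded line.
    "klez_style": 'Content-Type: application/octet-stream;\n'
                  '\tname=08A_MB_PH[1].jpg\n'
                  'Content-Transfer-Encoding: base64\n',
    # Newline after "attachment;", as described for Outlook Express.
    "folded": 'Content-Type: image/jpeg;\n\tname="photo.jpg"\n'
              'Content-Disposition: attachment;\n\tfilename="photo.jpg"\n',
    # Everything on one line: the only layout the "careful" rule expects.
    "single_line": 'Content-Disposition: attachment; filename="photo.jpg"\n',
    # Upper-case extension: a coverage check for the missing /i.
    "upper_case": 'Content-Type: image/jpeg;\n\tname=PHOTO.JPG\n',
    # Non-image attachment: nothing should fire.
    "not_image": 'Content-Type: application/octet-stream;\n\tname=kitty.exe\n',
}


def hits(text):
    """Return the names of the rules that match at least one line of text."""
    matched = set()
    for line in text.splitlines():
        for name, rx in RULES.items():
            if rx.search(line):
                matched.add(name)
    return matched


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:12} -> {sorted(hits(text))}")
```

The upper_case sample matches none of the three rules, so the suggested pattern needs /i to cover names such as PHOTO.JPG.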


