Hello guys,
I have the following SA rule which is supposed to block base64 encoded
mails:
body EN_BASE64_B /(Content-Transfer-Encoding: base64\sContent-Type: text\/(plain|html); charset="?utf-8"?)|(Content-Type: text\/(plain|html); charset="?utf-8"?\sContent-Transfer-Encoding: base64)/i
describe EN_BASE64_B TEXT OR HTML B64 ENCODED
score EN_BASE64_B 5
This is the mail that I want to stop:
--------------------------
(... header header...)
X-Scanned-By: MIMEDefang 2.79 # last header line here
--Boundary_(ID_xxxxxx)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
SGVsbG8hIA0KDQpIYXZlIHlvdSAgc2VlbiAgdGhpcz8gIFlvdSd2ZSBnb3Qg
dG8gdGFrZSAgYSBsb29rLCB0aGF0J3MgYXdlc29tZSwgcmVhZGluZyAgbW9y
ZSBoZXJlIGh0dHA6Ly93d3cuZHVydXNhbGlzLmx0L2JjaC5waHA/a3lnDQoN=
--Boundary_(ID_IcM7JgudOk13I7fXE7a3Zw)--
-------------------------
The rule doesn't match this mail, but it matches when I add an empty
line like this:
--Boundary_(ID_xxxxxx)
#empty line here
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
How can I match both, with the empty line and without it? Thanks.
Regards,
S.AQARIDEN.
Signature Academique
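
Added example, not part of the original post: a Python sketch that uses the standard email parser as a stand-in for a MIME-aware scanner, to show where the two Content-* lines end up in each variant of the mail above. It assumes a body rule is applied to the decoded text of a part and never to the part's own headers; the sample messages, the boundary "B1" and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# The post's regex, unchanged (Perl /i becomes re.I).
RULE = re.compile(
    r'(Content-Transfer-Encoding: base64\sContent-Type: text\/(plain|html); '
    r'charset="?utf-8"?)|(Content-Type: text\/(plain|html); '
    r'charset="?utf-8"?\sContent-Transfer-Encoding: base64)', re.I)

# Constructed sample messages modelled on the post ("B1" is a placeholder).
HEAD = 'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="B1"\n\n'
PART = ('Content-Type: text/plain; charset="utf-8"\n'
        'Content-Transfer-Encoding: base64\n'
        '\n'
        'SGVsbG8h\n')
WITHOUT_BLANK = HEAD + '--B1\n' + PART + '--B1--\n'    # first case in the post
WITH_BLANK = HEAD + '--B1\n\n' + PART + '--B1--\n'     # empty line after boundary


def part_headers_say_base64_text(part):
    """Test the MIME part's headers, which a body regex never sees."""
    cte = (part.get('Content-Transfer-Encoding') or '').strip().lower()
    charset = (part.get_content_charset() or '').lower()
    return (part.get_content_type() in ('text/plain', 'text/html')
            and charset == 'utf-8' and cte == 'base64')


def analyze(raw):
    """Return (header_check_hit, body_regex_hit) for the first MIME part."""
    part = message_from_string(raw).get_payload()[0]
    # decode=True undoes base64 only when the part's headers declare it.
    body = part.get_payload(decode=True).decode('utf-8', 'replace')
    return part_headers_say_base64_text(part), bool(RULE.search(body))


if __name__ == '__main__':
    for name, raw in (('without blank line', WITHOUT_BLANK),
                      ('with blank line', WITH_BLANK)):
        print(name, analyze(raw))
```

Without the empty line the Content-* lines are part headers and the decoded body is just the message text, so only a header test fires; with the empty line the part has no headers and those lines become body text, which is the only case the regex can match. SpamAssassin's MIMEHeader plugin provides mimeheader rules for testing per-part headers.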