At least a dozen of our users got emails last night with subject "1" (no quotes), a minimal header, and a MIME body with a text/html part containing just "1" and an attachment 1.txt. A sample is included below, with only the recipient address and domain altered.
I am guessing it's a broken spam zombie, but naturally some of my users are worried that it's a virus. I tried to write a rule to mark them as spam, and ended up with:

header   __PT_1SUB  Subject =~ /^1$/
header   __PT_1MPM  Content-Type =~ /multipart\/mixed/
meta     PT_1MAIL   __PT_1SUB && __PT_1MPM
describe PT_1MAIL   weird attachment 1.txt
(score to taste)

However, I was unable to match the filename in the MIME header, even with a "full" rule. According to Matt Kettler:

> full - entire message, with all headers, all mime segments,
> and no decoding. Just raw, as it was on the wire.

Why doesn't this work, then?

full PT_1ATT /filename..1\.txt/

Pierre Thomson
BIC

Received: from user-f7hjchw21s.net ([61.73.133.132])
        by mail.domain.com (8.11.6/8.11.6) with SMTP id j6N2iX723331
        for <[EMAIL PROTECTED]>; Fri, 22 Jul 2005 22:44:33 -0400
Date: Sat, 23 Jul 2005 11:44:32 +0900
To: "Username" <[EMAIL PROTECTED]>
From: "Username" <[EMAIL PROTECTED]>
Subject: 1
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------ihfigydteefnxwqftmrv"

----------ihfigydteefnxwqftmrv
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
1<br><br>
<br>
</body></html>

----------ihfigydteefnxwqftmrv
Content-Type: application/octet-stream; name="1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="1.txt"

ICA=x

----------ihfigydteefnxwqftmrv--
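
An added example, not part of the original post: a Python check for the three traits described above (a Subject of exactly "1", a multipart/mixed container, and an attachment named 1.txt), reading the filename from the parsed MIME part headers instead of matching the raw message text. The sample is constructed from the message above with placeholder addresses and a well-formed base64 body; the function names are hypothetical.

```python
import email
from email import policy

# Constructed sample modelled on the message in the post (placeholder addresses).
SAMPLE = b"""\
To: "Username" <user@example.com>
From: "Username" <user@example.com>
Subject: 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------ihfigydteefnxwqftmrv"

----------ihfigydteefnxwqftmrv
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
1<br><br>
<br>
</body></html>
----------ihfigydteefnxwqftmrv
Content-Type: application/octet-stream; name="1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="1.txt"

ICA=
----------ihfigydteefnxwqftmrv--
"""

def parse(raw: bytes):
    """Parse raw RFC 822 bytes into a message object."""
    return email.message_from_bytes(raw, policy=policy.default)

def attachment_names(msg):
    """Filenames declared by any MIME part.

    get_filename() reads Content-Disposition filename= and falls back to
    the Content-Type name= parameter, so either spelling is caught.
    """
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def matches_pt_1mail(raw: bytes) -> bool:
    """True only when all three traits from the post are present."""
    msg = parse(raw)
    subject_is_1 = str(msg.get("Subject", "")).strip() == "1"
    is_mixed = msg.get_content_type() == "multipart/mixed"
    has_1txt = any(n.lower() == "1.txt" for n in attachment_names(msg))
    return subject_is_1 and is_mixed and has_1txt

if __name__ == "__main__":
    print(attachment_names(parse(SAMPLE)), matches_pt_1mail(SAMPLE))
```
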