At least a dozen of our users got emails last night with subject "1" (no 
quotes), a minimal header, and a MIME body with a text/html part containing 
just "1" and an attachment 1.txt.  A sample is included below, with only the 
recipient address and domain altered.

I am guessing it's a broken spam zombie, but naturally some of my users are 
worried that it's a virus.  I tried to write a rule to mark them as spam, and 
ended up with:

header __PT_1SUB         Subject =~ /^1$/
header __PT_1MPM         Content-Type =~ /multipart\/mixed/
meta PT_1MAIL            __PT_1SUB && __PT_1MPM
describe PT_1MAIL        weird attachment 1.txt
(score to taste)

However, I was unable to match the filename in the MIME header, even with a 
"full" rule.  According to Matt Kettler:
> full - entire message, with all headers, all mime segments, 
> and no decoding.  Just raw, as it was on the wire.

Why doesn't this work, then?
full PT_1ATT             /filename..1\.txt/

Pierre Thomson
BIC





Received: from user-f7hjchw21s.net ([61.73.133.132])
        by mail.domain.com (8.11.6/8.11.6) with SMTP id j6N2iX723331
        for <[EMAIL PROTECTED]>; Fri, 22 Jul 2005 22:44:33 -0400
Date: Sat, 23 Jul 2005 11:44:32 +0900
To: "Username" <[EMAIL PROTECTED]>
From: "Username" <[EMAIL PROTECTED]>
Subject: 1
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------ihfigydteefnxwqftmrv"

----------ihfigydteefnxwqftmrv
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
1<br><br>

<br>
</body></html>

----------ihfigydteefnxwqftmrv
Content-Type: application/octet-stream; name="1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="1.txt"

ICA=x

----------ihfigydteefnxwqftmrv--
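
The three traits described in the post (a Subject of exactly "1", a multipart/mixed top level, and a part named 1.txt), checked with Python's standard email package, which reads the filename from the per-part MIME headers. This is an added example, not part of the original post and not SpamAssassin rule syntax; the function name `looks_like_1_mail` is hypothetical and the sample is constructed from the message quoted above with placeholder addresses.

```python
import email
from email import policy

# Constructed sample modelled on the message quoted in the post;
# the addresses are placeholders.
SAMPLE = b"""\
Date: Sat, 23 Jul 2005 11:44:32 +0900
To: "Username" <user@example.com>
From: "Username" <user@example.com>
Subject: 1
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------ihfigydteefnxwqftmrv"

----------ihfigydteefnxwqftmrv
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
1<br><br>
</body></html>

----------ihfigydteefnxwqftmrv
Content-Type: application/octet-stream; name="1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="1.txt"

ICA=x

----------ihfigydteefnxwqftmrv--
"""


def looks_like_1_mail(raw: bytes) -> bool:
    """True if Subject is exactly "1", top level is multipart/mixed,
    and some leaf MIME part carries the filename 1.txt."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    if subject != "1" or msg.get_content_type() != "multipart/mixed":
        return False
    # The filename is a parameter of a per-part header, not of the
    # top-level headers, so every leaf part has to be inspected.
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition "filename" and falls
        # back to the Content-Type "name" parameter.
        name = part.get_filename()
        if name and name.strip().lower() == "1.txt":
            return True
    return False
```
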
