On 7/14/2007 3:49 PM, Eric A. Hall wrote:

> Like other folks I've been getting hit with the PDF spam pretty hard. I
> think the way to solve this and the image spam in general is to do a
> plugin that does two things:
>
>   1) looks in the message to see if there is a binary attachment
>
>   2) looks in the AWL to see if the sender tuple is known
>
>   3) if (1==true) && (2==false) fire a score

I was able to do this with basic rules. Note the low (0.1) scores. It
would be nice to use this as a DEFER check in the MTA, since resends will
hit the AWL rule and get cleared.

#
# This rule looks for in-line MIME Content-Type headers of various
# types, and then looks to see if the sender tuple is already known
# to the autowhitelist system. If the message contains a binary
# attachment and the sender tuple is unknown, fire a rule that tells
# us that the message is a gift from a stranger.
#
mimeheader __L_C_TYPE_APP       Content-Type =~ /^application/i
mimeheader __L_C_TYPE_IMAGE     Content-Type =~ /^image/i
mimeheader __L_C_TYPE_AUDIO     Content-Type =~ /^audio/i
mimeheader __L_C_TYPE_VIDEO     Content-Type =~ /^video/i
mimeheader __L_C_TYPE_MODEL     Content-Type =~ /^model/i

meta       L_STRANGER_APP       (!AWL && __L_C_TYPE_APP)
score      L_STRANGER_APP       0.1
tflags     L_STRANGER_APP       noautolearn
priority   L_STRANGER_APP       1001    # defer till after AWL

meta       L_STRANGER_IMAGE     (!AWL && __L_C_TYPE_IMAGE)
score      L_STRANGER_IMAGE     0.1
tflags     L_STRANGER_IMAGE     noautolearn
priority   L_STRANGER_IMAGE     1001    # defer till after AWL

meta       L_STRANGER_AUDIO     (!AWL && __L_C_TYPE_AUDIO)
score      L_STRANGER_AUDIO     0.1
tflags     L_STRANGER_AUDIO     noautolearn
priority   L_STRANGER_AUDIO     1001    # defer till after AWL

meta       L_STRANGER_VIDEO     (!AWL && __L_C_TYPE_VIDEO)
score      L_STRANGER_VIDEO     0.1
tflags     L_STRANGER_VIDEO     noautolearn
priority   L_STRANGER_VIDEO     1001    # defer till after AWL

meta       L_STRANGER_MODEL     (!AWL && __L_C_TYPE_MODEL)
score      L_STRANGER_MODEL     0.1
tflags     L_STRANGER_MODEL     noautolearn
priority   L_STRANGER_MODEL     1001    # defer till after AWL

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
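
The DEFER idea from the message above, modelled in Python as an added example (not code from the original post or from SpamAssassin): a first delivery carrying a binary part from an unknown sender tuple is deferred, and the resend is accepted because the tuple is by then known. The function names, the in-memory `known` set standing in for the AWL database, and the tuple shape (From address plus the first two octets of the relay IP) are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Main types matched by the post's five mimeheader rules, mapped to its rule names.
RULES = {"application": "L_STRANGER_APP", "image": "L_STRANGER_IMAGE",
         "audio": "L_STRANGER_AUDIO", "video": "L_STRANGER_VIDEO",
         "model": "L_STRANGER_MODEL"}

def sender_tuple(msg, relay_ip):
    """Assumed AWL-style key: lowercased From address + first two octets of relay IP."""
    addr = parseaddr(str(msg.get("From", "")))[1].lower()
    return (addr, ".".join(relay_ip.split(".")[:2]))

def check(raw, relay_ip, known):
    """Return (verdict, fired_rules); `known` is a set standing in for the AWL database."""
    msg = email.message_from_string(raw, policy=policy.default)
    key = sender_tuple(msg, relay_ip)
    stranger = key not in known
    known.add(key)  # every scanned message is recorded, so a retry finds the tuple
    fired = sorted({RULES[p.get_content_maintype()] for p in msg.walk()
                    if p.get_content_maintype() in RULES})
    if stranger and fired:
        return "DEFER", fired   # the MTA would answer with a temporary failure
    return "ACCEPT", []

# Constructed sample: a PDF attachment from a sender the store has never seen.
SAMPLE = (
    "From: Stranger <Someone@Example.net>\n"
    "To: user@example.org\n"
    "Subject: report\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "see attached\n"
    "--b1\n"
    'Content-Type: application/pdf; name="report.pdf"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "JVBERi0xLjQK\n"
    "--b1--\n"
)

if __name__ == "__main__":
    known = set()
    print(check(SAMPLE, "192.0.2.10", known))  # first delivery
    print(check(SAMPLE, "192.0.2.77", known))  # resend, same /16
```

Because the `application` pattern matches every `application/*` part, signed mail (for example `application/pgp-signature`) from a new correspondent is deferred once as well.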