On 7/14/2007 3:49 PM, Eric A. Hall wrote:
> Like other folks I've been getting hit with the PDF spam pretty hard. I
> think the way to solve this and the image spam in general is to do a
> plugin that does two things:
> 
>  1) looks in the message to see if there is a binary attachment
> 
>  2) looks in the AWL to see if the sender tuple is known
> 
>  3) if (1==true) && (2==false) fire a score

I was able to do this with basic rules. Note the low (0.1) scores. It
would be nice to use this as a DEFER check in the MTA, since resends will
hit the AWL rule and get cleared.

#
# This rule looks for in-line MIME Content-Type headers of various
# types, and then looks to see if the sender tuple is already known
# to the autowhitelist system. If the message contains a binary
# attachment and the sender tuple is unknown, fire a rule that tells
# us that the message is a gift from a stranger.
#

mimeheader      __L_C_TYPE_APP          Content-Type =~ /^application/i
mimeheader      __L_C_TYPE_IMAGE        Content-Type =~ /^image/i
mimeheader      __L_C_TYPE_AUDIO        Content-Type =~ /^audio/i
mimeheader      __L_C_TYPE_VIDEO        Content-Type =~ /^video/i
mimeheader      __L_C_TYPE_MODEL        Content-Type =~ /^model/i

meta            L_STRANGER_APP          (!AWL && __L_C_TYPE_APP)
score           L_STRANGER_APP          0.1
tflags          L_STRANGER_APP          noautolearn
priority        L_STRANGER_APP          1001 # defer till after AWL

meta            L_STRANGER_IMAGE        (!AWL && __L_C_TYPE_IMAGE)
score           L_STRANGER_IMAGE        0.1
tflags          L_STRANGER_IMAGE        noautolearn
priority        L_STRANGER_IMAGE        1001 # defer till after AWL

meta            L_STRANGER_AUDIO        (!AWL && __L_C_TYPE_AUDIO)
score           L_STRANGER_AUDIO        0.1
tflags          L_STRANGER_AUDIO        noautolearn
priority        L_STRANGER_AUDIO        1001 # defer till after AWL

meta            L_STRANGER_VIDEO        (!AWL && __L_C_TYPE_VIDEO)
score           L_STRANGER_VIDEO        0.1
tflags          L_STRANGER_VIDEO        noautolearn
priority        L_STRANGER_VIDEO        1001 # defer till after AWL

meta            L_STRANGER_MODEL        (!AWL && __L_C_TYPE_MODEL)
score           L_STRANGER_MODEL        0.1
tflags          L_STRANGER_MODEL        noautolearn
priority        L_STRANGER_MODEL        1001 # defer till after AWL



-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
