The rawbody rule finds the text/html part as non-empty, so __TVD_BODY is false, making the TVD_PDF_FINGER01 rule false.
On Tue, Aug 14, 2007 at 10:16:42PM -0700, Jo Rhett wrote:
> Can someone clue me in on why this rule isn't matching?
>
> Jo Rhett wrote:
> >So I've been getting a metric ton of PDF spam. Investigating the rule
> >that is supposed to match this, I see
> >
> >rawbody __TVD_BODY /\S{4}/
> >header __TVD_MIME_CT_MM Content-Type =~ /^multipart\/mixed/i
> >meta __TVD_MIME_ATT __TVD_MIME_ATT_AP || __TVD_MIME_ATT_AOPDF
> >meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT_TP &&
> >__TVD_MIME_ATT && !__TVD_BODY
> >describe TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
> >
> >mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
> >mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~
> >/^application\/octet-stream.*\.pdf/i
> >
> >The following message appears to match perfectly with this, except for
> >perhaps that the content type is spread across two lines? I haven't
> >checked the code, but would this matter?
> >
> >Return-Path: <[EMAIL PROTECTED]>
> >Received: from mail.netconsonance.com ([unix socket])
> > by triceratops.netconsonance.com (Cyrus v2.3.8) with LMTPA;
> > Tue, 14 Aug 2007 06:27:16 -0700
> >Received: from [84.21.29.58] ([84.21.29.58])
> > by mail.netconsonance.com (8.14.1/8.14.1) with ESMTP id l7EDR4UU095951
> > for <[EMAIL PROTECTED]>; Tue, 14 Aug 2007 06:27:08 -0700 (PDT)
> > (envelope-from [EMAIL PROTECTED])
> >X-Virus-Scanned: amavisd-new at netconsonance.com
> >X-Spam-Score: 2.033
> >X-Spam-Level: **
> >X-Spam-Status: No, score=2.033 tagged_above=-999 required=4
> > tests=[DK_POLICY_SIGNSOME=0.001, HTML_MESSAGE=0.001,
> > MIME_HTML_MOSTLY=0.699, RCVD_IN_BL_SPAMCOP_NET=1.332]
> >Received: from x-6of7ca27m39al ([158.187.61.7]) by [84.21.29.58] with
> >Microsoft SMTPSVC(6.0.3790.1830);
> > Tue, 14 Aug 2007 15:27:01 +0200
> >Message-ID: <[EMAIL PROTECTED]>
> >From: "Yohann michels" <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: bill-jrhett
> >Date: Tue, 14 Aug 2007 15:26:28 +0200
> >MIME-Version: 1.0
> >Content-Type: multipart/mixed;
> > boundary="----=_NextPart_000_000E_01C7DE87.7C1E24D0"
> >X-Priority: 3
> >X-MSMail-Priority: Normal
> >X-Mailer: Microsoft Outlook Express 6.00.2900.3138
> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
> >
> >
> >------=_NextPart_000_000E_01C7DE87.7C1E24D0
> >Content-Type: multipart/alternative;
> > boundary="----=_NextPart_001_000F_01C7DE87.7C1E24D0"
> >
> >
> >------=_NextPart_001_000F_01C7DE87.7C1E24D0
> >Content-Transfer-Encoding: quoted-printable
> >Content-Type: text/plain;
> > charset=windows-1250
> >
> >
> >------=_NextPart_001_000F_01C7DE87.7C1E24D0
> >Content-Transfer-Encoding: quoted-printable
> >Content-Type: text/html;
> > charset=windows-1250
> >
> ><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> ><HTML><HEAD>
> ><META http-equiv=3DContent-Type content=3D"text/html; =
> >charset=3Dwindows-1250">
> ><META content=3D"MSHTML 6.00.2900.3132" name=3DGENERATOR>
> ><STYLE></STYLE>
> ></HEAD>
> ><BODY bgColor=3D#ffffff>
> ><DIV><FONT face=3DArial size=3D2></FONT> </DIV></BODY></HTML>
> >
> >------=_NextPart_001_000F_01C7DE87.7C1E24D0--
> >
> >------=_NextPart_000_000E_01C7DE87.7C1E24D0
> >Content-Transfer-Encoding: base64
> >Content-Type: application/octet-stream;
> > name=marketing-jrhett.pdf
> >Content-Disposition: attachment;
> > filename=marketing-jrhett.pdf
> >
> >JVBERi0xLjUNJeLjz9MNCjIyIDAgb2JqPDwvSFs0MzYgMTQ4XS9MaW5lYXJpemVkIDEvRSAxNjU5
> >
> >L0wgMTM1NzYvTiAxMC9PIDI2L1QgMTMwNzQ+Pg1lbmRvYmoNICAgICAgICAgICAgICAgICAgICAg
> >
> >
> >*snip*
> >
> >
>
>
> --
> Jo Rhett
> Net Consonance ... net philanthropy, open source and other randomness
--
Randomly Selected Tagline:
"Low probability events do happen, which is why people still play the lottery."
- Elizabeth Zwicky at LISA '99
pgphFsXCYIlP0.pgp
Description: PGP signature
