Cedric Knight wrote:
> Jeremy Morton wrote:
>> Recently I've been receiving some new image spams, subtly different
>> from the one this rule is designed to mark:
>> http://markmail.org/message/zio642mxs5p42kxa
>>
>> ... in that it actually does have a blank text MIME part.
>>
>> Here's an example of one such spam:
>> http://rafb.net/p/ppyJAS34.html
> 
> Actually, there only seems to be one MIME part in what you have pasted,
> so amending John's rule and the inbuilt one as follows should do it:
> 
> header __CTYPE_MULTIPART_MXD Content-Type =~ /multipart\//i
> 
> because I also recall them coming in as multipart/related.  The
> inbuilt rule only looked for "image/jpeg", so:
> 
> mimeheader __ANY_IMAGE_ATTACH    Content-Type =~ /image\/(?:gif|jpe?g|png)/
> 
> I don't think image/jpg is a standard MIME type, so we could also create:
> 
> mimeheader MIME_IMAGE_JPG       Content-Type =~ /image\/jpg/
> describe MIME_IMAGE_JPG         contains wrong MIME type image\/jpg
> score MIME_IMAGE_JPG            1.0
> 

how about

header __CTYPE_MULTIPART Content-Type =~ m{multipart/\w}i
mimeheader __MIME_CTYPE_IMAGE Content-Type =~ m{image/\w}
mimeheader __MIME_CTYPE_TEXT  Content-Type =~ m{text/\w}

# the meta must reference the sub-rule names exactly as defined above
meta MULTIPART_IMG_NO_TEXT (__CTYPE_MULTIPART && __MIME_CTYPE_IMAGE && !__MIME_CTYPE_TEXT)

> Also, it's not really a JPEG but a PNG, and one with a consistent header
> over the last few weeks:
> 
> full PILL_IMAGE_PNG_HEAD         /^U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAADAUExU/m
> describe PILL_IMAGE_PNG_HEAD     2nd line of base64 of autogenerated PNG
> score PILL_IMAGE_PNG_HEAD        1.5
> 
> I have seen spam come as you say with a minimal body part, as in:
> 
> rawbody PILL_IMAGE_HTML          /<body bgcolor="\#ffffff" text="\#000000">\s<img src="[a-z]+.(?:png|jpe?g|gif)">\s<\/body>/s
> describe PILL_IMAGE_HTML         Very simple HTML part as in image-only May 09
> score PILL_IMAGE_HTML            0.1
> 
> I think image with not text in the body part at all is pretty rare, but
> I might do something like that if I was sending a picture to myself.
> 
> Meta rules based on some combination of the above could probably catch
> it all at the moment.  Your sample hit DCC_CHECK and BAYES_80 for me,
> but not the iXhash rules.
> 
> Hope these are of some use.
> 
> CK
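The same logic as the MULTIPART_IMG_NO_TEXT meta rule and the MIME_IMAGE_JPG rule, as an added Python check that is not part of this thread; the two messages, their boundaries and part bodies are constructed samples, not real spam.

```python
import email
from email import policy

# Constructed sample 1: multipart/related with only a PNG part and no
# text part, the image-only shape the thread discusses.
IMAGE_ONLY = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: image/png
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Constructed sample 2: a minimal HTML part plus an image labelled with the
# non-standard "image/jpg" type mentioned in the thread.
WITH_TEXT = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="b2"

--b2
Content-Type: text/html

<body bgcolor="#ffffff" text="#000000"><img src="a.jpg"></body>
--b2
Content-Type: image/jpg
Content-Transfer-Encoding: base64

/9j/4AAQ
--b2--
"""

def classify(raw: bytes) -> dict:
    """Compute the thread's sub-rule hits and the meta rule for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    top = msg.get_content_type()  # top-level "type/subtype", lower-cased
    types = [p.get_content_type() for p in msg.walk()]  # every MIME part
    hits = {
        "__CTYPE_MULTIPART": top.startswith("multipart/"),
        "__MIME_CTYPE_IMAGE": any(t.startswith("image/") for t in types),
        "__MIME_CTYPE_TEXT": any(t.startswith("text/") for t in types),
        # image/jpg is not a registered type; image/jpeg is the standard one
        "MIME_IMAGE_JPG": "image/jpg" in types,
    }
    hits["MULTIPART_IMG_NO_TEXT"] = (hits["__CTYPE_MULTIPART"]
                                    and hits["__MIME_CTYPE_IMAGE"]
                                    and not hits["__MIME_CTYPE_TEXT"])
    return hits
```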
