Bug 2478 - Virus appears to be able to hide from SpamAssassin with MIME
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 2.55
Hardware: Other Linux
Importance: P3 major
Target Milestone: 2.70
Assignee: SpamAssassin Developer Mailing List
Reported: 2003-09-19 07:22 UTC by Michael Brown
Modified: 2003-09-24 01:11 UTC

Attachment Type Modified Status Actions Submitter/CLA Status
Message which I can't match body text against text/plain None Michael Brown [HasCLA]

Description Michael Brown 2003-09-19 07:22:34 UTC
I have a message (the message is from the SWEN worm going around) and I'm unable to create a
SpamAssassin rule for it! SA just won't match on any text, be it body or rawbody. I figure it might
hide because of its weird MIME layering. See attached.

I'm trying to use:
body OT_FAKE_MS_PATCH   /latest version of security update/i
describe OT_FAKE_MS_PATCH  Fake Microsoft patches
score OT_FAKE_MS_PATCH  10.00

but it just won't match.
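
A diagnostic for the symptom described above, added here as an example and not taken from the report or from SpamAssassin: it walks every MIME layer with Python's standard `email` package and tests the rule's phrase against each decoded text leaf as well as against the undecoded source. The sample message is constructed (it is not attachment 1403), and the function names are hypothetical.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# The phrase from the rule in the report.
PHRASE = re.compile(r"latest version of security update", re.I)

def build_sample():
    """Constructed message (not attachment 1403): mixed > alternative > base64 HTML."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See the HTML part.\n")
    msg.add_alternative(
        "<html><body><p>This is the latest version of security update.</p></body></html>",
        subtype="html", cte="base64")
    msg.make_mixed()  # wrap the alternative in an outer multipart/mixed layer
    return msg.as_bytes()

def text_leaves(part, depth=0):
    """Yield (depth, content type, decoded text) for every text/* leaf."""
    if part.is_multipart():
        for child in part.iter_parts():
            yield from text_leaves(child, depth + 1)
    elif part.get_content_maintype() == "text":
        yield depth, part.get_content_type(), part.get_content()

def phrase_in_raw_source(raw):
    """True if the phrase is visible without any MIME decoding."""
    return PHRASE.search(raw.decode("ascii", "replace")) is not None

def phrase_hits(raw):
    """List (depth, content type) of each decoded text leaf containing the phrase."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [(d, ctype) for d, ctype, text in text_leaves(msg) if PHRASE.search(text)]

SAMPLE = build_sample()

if __name__ == "__main__":
    print("raw source match:", phrase_in_raw_source(SAMPLE))
    for depth, ctype in phrase_hits(SAMPLE):
        print("decoded match at depth", depth, "in", ctype)
```
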
Comment 1 Michael Brown 2003-09-19 07:24:28 UTC
Created attachment 1403
Message which I can't match body text against
Comment 2 Dave Harvey 2003-09-19 13:26:21 UTC
I agree, and I can't match on full, body or rawbody.  As this virus is so
widespread, I have a horrible feeling that by tomorrow, every spammer in the
world will have realised how to get straight past spamassassin if we can't fix
this soon.  Ideally, a suggestion for a suitable rule would be great, but
failing that, I'm happy to start poking around in the source if necessary!
Comment 3 Matthew Cline 2003-09-21 15:28:37 UTC
What version of SA are you using?  With the latest CVS, this isn't a problem.
Comment 4 Michael Brown 2003-09-22 13:53:13 UTC
I'm using 2.55, hence why I posted the bug against SA 2.55
Comment 5 Michael Brown 2003-09-24 09:11:23 UTC
Confirmed fixed in 2.60.