SA Bugzilla – Bug 2500
Can't match against text in MIME attachment
Last modified: 2004-01-24 12:08:41 UTC
I want to match against certain text in a MIME attachment. Specifically, I want to match against those damned SWEN worm messages. It attaches itself as Content-Type x-wav base64-encoded. I'd like to be able to match against part of that encoding, for instance:

rawbody OT_WORM_SWEN /c1xzd2VuMS5kYXQAAAAAJXNcc3dlbjAuZGF0AAAAACVzXG5udHBncm91cHMuZGF0AAAAJXNcZ2Vy/
describe OT_WORM_SWEN SWEN worm, mailing itself out as an 'update' or message.
score OT_WORM_SWEN 10.00

but it doesn't work. I also tried matching against something like:

rawbody OT_MISLEADINGCONTENTTYPE /Content-Type: audio\/x-wav; name=".*\.(com|exe)"/
describe OT_MISLEADINGCONTENTTYPE SWEN worm, mailing itself out as an 'update' or message.
score OT_MISLEADINGCONTENTTYPE 10.00

but that didn't work either. That might be a handy thing to support. :)
Created attachment 1422: Message with virus I'm trying to match against
That will probably be part of Theo's rewrite/port of the MIME parser :o)
Subject: Re: [SAdev] Can't match against text in MIME attachment

On Wed, Sep 24, 2003 at 10:40:01AM -0700, bugzilla-daemon@bugzilla.spamassassin.org wrote:
> That will probably be part of Theo's rewrite/port of the MIME parser :o)

:)

Actually, a quick look at the message makes it seem like there's nothing wrong with it, so I don't know why MICROSOFT_EXECUTABLE and such wouldn't hit. <shrug>

My new parser doesn't quite work on the message yet -- apparently decode_qp() is now deprecated, according to the error message I get. :(
Sure, MICROSOFT_EXECUTABLE does get hit, but I want to be able to match a string, say "c1xzd2VuMS5kYXQAAAAAJXNcc3dlbjAuZGF0AAAAACVzXG5udHBncm91cHMuZGF0AAAAJXNcZ2Vy" against the entire message.
yes and no. rawbody would let you match against this, except rawbody is for text/message parts only. but since looking for viruses isn't what spamassassin does, I'm not worrying about this.
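
An added example, not part of the original thread and not SpamAssassin code: it uses Python's standard email package on a constructed message to show why a text-parts-only match never sees the string from this report, and why matching the base64 text itself is fragile (it depends on line wrapping and 3-byte alignment) while matching the decoded attachment bytes is not. The names build_sample and scan, the filename and the filler bytes are assumptions made for the illustration.

```python
import base64
import re
from email import message_from_bytes
from email.message import EmailMessage

# Signature string quoted in the report, as one unbroken base64 line.
SIG_B64 = ("c1xzd2VuMS5kYXQAAAAAJXNcc3dlbjAuZGF0AAAAACVz"
           "XG5udHBncm91cHMuZGF0AAAAJXNcZ2Vy")
SIG_RAW = base64.b64decode(SIG_B64)  # same marker as decoded bytes

def build_sample(prefix_len):
    """Constructed message: a text part plus an audio/x-wav part named .exe.
    prefix_len filler bytes shift where the marker sits in the attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Please install the attached update.\n")
    payload = b"\x00" * prefix_len + SIG_RAW + b"\x00" * 40
    msg.add_attachment(payload, maintype="audio", subtype="x-wav",
                       filename="update.exe")
    return msg.as_bytes()

def scan(raw):
    """Report which matching strategies see the marker in one message."""
    hits = dict.fromkeys(("text_parts", "encoded_as_sent", "encoded_unwrapped",
                          "decoded", "misleading_type"), False)
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        encoded = part.get_payload()  # body text exactly as transmitted
        if part.get_content_maintype() == "text":
            # Text-only scope, as the last comment describes for rawbody.
            hits["text_parts"] |= SIG_B64 in encoded
            continue
        hits["encoded_as_sent"] |= SIG_B64 in encoded
        # Undo base64 line wrapping before comparing encoded text.
        hits["encoded_unwrapped"] |= SIG_B64 in "".join(encoded.split())
        # Decoded bytes do not depend on wrapping or 3-byte alignment.
        hits["decoded"] |= SIG_RAW in part.get_payload(decode=True)
        name = part.get_filename() or ""
        hits["misleading_type"] |= (part.get_content_type() == "audio/x-wav"
                                    and re.search(r"\.(com|exe)$", name, re.I) is not None)
    return hits

if __name__ == "__main__":
    for shift in (0, 3, 1):
        print(shift, scan(build_sample(shift)))
```

With a shift of 0 every attachment strategy matches, a shift of 3 splits the encoded string across two base64 lines, and a shift of 1 changes the encoded characters entirely, so only the decoded comparison still matches.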