Bug 2500 - Can't match against text in MIME attachment
Summary: Can't match against text in MIME attachment
Status: RESOLVED WORKSFORME
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Libraries
Version: 2.60
Hardware: All All
Importance: P5 enhancement
Target Milestone: 2.70
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on: 1527
Blocks:
Reported: 2003-09-24 09:19 UTC by Michael Brown
Modified: 2004-01-24 12:08 UTC (History)

Attachment Type Modified Status Actions Submitter/CLA Status
Message with virus I'm trying to match against text/plain None Michael Brown [HasCLA]

Description Michael Brown 2003-09-24 09:19:12 UTC
I want to match against certain text in a MIME attachment. Specifically, I want to match against those 
damned SWEN worm messages. It attaches itself as Content-Type x-wav base64-encoded. I'd like to 
be able to match against part of that encoding, for instance:

rawbody OT_WORM_SWEN  /c1xzd2VuMS5kYXQAAAAAJXNcc3dlbjAuZGF0AAAAACVzXG5udHBncm91cHMuZGF0AAAAJXNcZ2Vy/
describe OT_WORM_SWEN SWEN worm, mailing itself out as an 'update' or message.
score OT_WORM_SWEN    10.00

but it doesn't work.

I also tried matching against something like:
rawbody OT_MISLEADINGCONTENTTYPE     /Content-Type: audio\/x-wav; name=".*\.(com|exe)"/
describe OT_MISLEADINGCONTENTTYPE SWEN worm, mailing itself out as an 'update' or message.
score OT_MISLEADINGCONTENTTYPE    10.00

but that didn't work either. That might be a handy thing to support. :)
Comment 1 Michael Brown 2003-09-24 09:38:25 UTC
Created attachment 1422
Message with virus I'm trying to match against
Comment 2 Malte S. Stretz 2003-09-24 10:31:51 UTC
That will probably be part of Theo's rewrite/port of the MIME parser :o) 
Comment 3 Theo Van Dinter 2003-09-24 11:14:39 UTC
Subject: Re: [SAdev]  Can't match against text in MIME attachment

On Wed, Sep 24, 2003 at 10:40:01AM -0700, bugzilla-daemon@bugzilla.spamassassin.org wrote:
> That will probably be part of Theo's rewrite/port of the MIME parser :o) 

:)  Actually, a quick look at the message makes it seem like there's
nothing wrong with it, so I don't know why MICROSOFT_EXECUTABLE and such
wouldn't hit.  <shrug>

My new parser doesn't quite work on the message yet -- apparently
decode_qp() is now deprecated, according to the error message I get. :(

Comment 4 Michael Brown 2003-09-24 11:48:31 UTC
Sure, MICROSOFT_EXECUTABLE does get hit, but I want to be able to match a string, say "c1xzd2VuMS5kYXQAAAAAJXNcc3dlbjAuZGF0AAAAACVzXG5udHBncm91cHMuZGF0AAAAJXNcZ2Vy" against the entire message.
Comment 5 Theo Van Dinter 2004-01-24 21:08:41 UTC
yes and no.  rawbody would let you match against this, except rawbody is for text/message parts 
only.  but since looking for viruses isn't what spamassassin does, I'm not worrying about this.
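
The scope limit described in Comment 5, sketched outside SpamAssassin as an added example (Python's standard email package; not part of the original thread and not SpamAssassin code). The message, PAYLOAD, NEEDLE and all function names are constructed for illustration; text_parts only approximates "text parts only" scanning.

```python
import base64
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample bytes standing in for an attachment body (not a real binary).
PAYLOAD = bytes(range(32, 127))
# Encoding of a 3-byte-aligned slice: an exact substring of the base64 text.
NEEDLE = base64.b64encode(PAYLOAD[48:78]).decode()

def build_sample():
    """Serialize a constructed message: text body plus audio/x-wav 'update.exe'."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("Please install the attached update.\n")
    m.add_attachment(PAYLOAD, maintype="audio", subtype="x-wav",
                     filename="update.exe")
    return m.as_bytes()

def text_parts(msg):
    """Decoded text/* parts only: the scope Comment 5 gives for rawbody."""
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")

def encoded_payload_hits(msg, needle):
    """Names of base64 non-text parts whose encoded body contains needle."""
    hits = []
    for p in msg.walk():
        if p.is_multipart() or p.get_content_maintype() == "text":
            continue
        if p.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        # Base64 bodies are line-wrapped; join the lines before searching.
        encoded = "".join(p.get_payload(decode=False).split())
        if needle in encoded:
            hits.append(p.get_filename() or p.get_content_type())
    return hits

def misleading_attachments(msg):
    """Parts declared audio/x-wav whose file name ends in .com or .exe."""
    return [p.get_filename() for p in msg.walk()
            if p.get_content_type() == "audio/x-wav"
            and re.search(r"\.(com|exe)$", p.get_filename() or "", re.I)]

RAW = build_sample()
MSG = message_from_bytes(RAW, policy=policy.default)

if __name__ == "__main__":
    print(NEEDLE in text_parts(MSG), encoded_payload_hits(MSG, NEEDLE),
          misleading_attachments(MSG))
```

NEEDLE is chosen to straddle a base64 line break, so a search over the serialized message misses it, while the same search over the joined attachment body finds it.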