Bug 7863 - Suggest rule to score messages with attachments
Status: RESOLVED WONTFIX
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2020-10-23 11:54 UTC by ricardo.matos
Modified: 2021-04-15 05:11 UTC

Description ricardo.matos 2020-10-23 11:54:20 UTC

    
Comment 1 ricardo.matos 2020-10-23 12:04:32 UTC

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

mimeheader __MIMEHEADER_CONTENTTYPE_ATTACHMENT_DOC Content-Type =~ /\.(doc|xls|ppt)(x|)/i
mimeheader __MIMEHEADER_CONTENTDISP_ATTACHMENT_DOC Content-Disposition =~ /\.(doc|xls|ppt)(x|)/i

meta MIMEHEADER_ATTACHMENT_DOC ((__MIMEHEADER_CONTENTDISP_ATTACHMENT_DOC || __MIMEHEADER_CONTENTTYPE_ATTACHMENT_DOC) && !(ALL_TRUSTED))
describe MIMEHEADER_ATTACHMENT_DOC HEADER: email contains a DOC file attachment
score MIMEHEADER_ATTACHMENT_DOC 1.5

mimeheader __MIMEHEADER_CONTENTTYPE_ATTACHMENT_ARCH Content-Type =~ /\.(rar|zip|tar|img)/i
mimeheader __MIMEHEADER_CONTENTDISP_ATTACHMENT_ARCH Content-Disposition =~ /\.(rar|zip|tar|img)/i

mimeheader __MIMEHEADER_CONTENTDISP_ANY Content-Disposition =~ /./i

meta MIMEHEADER_ATTACHMENT_ARCH ((__MIMEHEADER_CONTENTDISP_ATTACHMENT_ARCH || __MIMEHEADER_CONTENTTYPE_ATTACHMENT_ARCH) && !ALL_TRUSTED)
describe MIMEHEADER_ATTACHMENT_ARCH HEADER: email contains an archive file attachment
score MIMEHEADER_ATTACHMENT_ARCH 0.1

mimeheader __MIMEHEADER_CONTENTTYPE_ATTACHMENT_HTML Content-Type =~ /\.htm(l|)/i

mimeheader __MIMEHEADER_CONTENTDISP_ATTACHMENT_HTML Content-Disposition =~ /\.htm(l|)/i

meta MIMEHEADER_ATTACHMENT_HTML (__MIMEHEADER_CONTENTDISP_ATTACHMENT_HTML || __MIMEHEADER_CONTENTTYPE_ATTACHMENT_HTML)
describe MIMEHEADER_ATTACHMENT_HTML HEADER: email contains a HTML file attachment
score MIMEHEADER_ATTACHMENT_HTML 1.0

mimeheader __MIMEHEADER_CONTENTTYPE_ATTACHMENT_JAR Content-Type =~ /application.*\.(jar|js|bat|exe|com|sh|vb|vbs|pif)"/i

mimeheader __MIMEHEADER_CONTENTDISP_ATTACHMENT_JAR Content-Disposition =~ /\.(jar|js|bat|exe|com|sh|vb|vbs|pif)"/i

meta MIMEHEADER_ATTACHMENT_JAR (__MIMEHEADER_CONTENTDISP_ATTACHMENT_JAR || __MIMEHEADER_CONTENTTYPE_ATTACHMENT_JAR)
describe MIMEHEADER_ATTACHMENT_JAR HEADER: email contains a JAR (or other executable) file attachment
score MIMEHEADER_ATTACHMENT_JAR 2.0

endif
Comment 2 Kevin A. McGrail 2021-03-14 06:12:13 UTC
Hi Ricardo, with the exception of scoring JAR files, this looks like an interesting framework to build on for attachment detection using the MIMEHeader plugin.

Could you discuss it on the users list more? Are you using this in your rules? Have you improved it more?
Comment 3 John Hardin 2021-03-14 15:21:41 UTC
There are already quite a few "message has attachment of type X" rules.
Comment 4 Henrik Krohns 2021-04-08 11:36:20 UTC
There's really no point to these kinds of rules in the stock ruleset; every site has different attachment policies. Others might want to allow something that others might not. It would be impossible to masscheck reliably, so everything would be scored 0.001. Or you would simply have a hundred different __ATTACHMENT_XYZ rules just taking space and memory, hoping that someone would use them instead of just making local rules like most probably do.

Also it's completely another thing to detect actual content vs relying on provided filename extension. Stuff like this should be a generic file type detection plugin.
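
Added example (not part of the bug thread and not SpamAssassin code): a Python sketch of the distinction drawn in Comment 4 between trusting the supplied filename extension and detecting the actual content. The function names, the magic-byte table and the sample message are all constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extension list from the page's MIMEHEADER_ATTACHMENT_JAR rule, applied to the
# decoded filename here (an adaptation; the rule itself matches the raw header).
EXEC_EXT = re.compile(r"\.(jar|js|bat|exe|com|sh|vb|vbs|pif)$", re.I)

# Well-known leading magic bytes mapped to a coarse content type.
MAGIC = [
    (b"MZ", "pe"),                                  # Windows executable
    (b"PK\x03\x04", "zip"),                         # zip, jar, docx/xlsx/pptx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy doc/xls/ppt
    (b"Rar!\x1a\x07", "rar"),
]
# Coarse content type each extension is expected to carry.
EXPECTED = {"exe": "pe", "zip": "zip", "jar": "zip", "docx": "zip", "xlsx": "zip",
            "pptx": "zip", "doc": "ole2", "xls": "ole2", "ppt": "ole2", "rar": "rar"}

def sniff(data):
    """Return the coarse type for the payload's leading bytes, or 'unknown'."""
    return next((kind for magic, kind in MAGIC if data.startswith(magic)), "unknown")

def classify_attachments(raw):
    """Return (filename, extension_rule_hit, sniffed_type, mismatch) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff(part.get_payload(decode=True) or b"")
        # Mismatch: recognised content that the filename extension does not announce.
        mismatch = kind != "unknown" and EXPECTED.get(ext) != kind
        out.append((name, bool(EXEC_EXT.search(name)), kind, mismatch))
    return out

def build_sample():
    """Constructed message: a PE-header payload named .pdf and an honest .docx."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00" + bytes(16), maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"PK\x03\x04" + bytes(16), maintype="application",
                       subtype="octet-stream", filename="report.docx")
    return msg.as_bytes()

if __name__ == "__main__":
    for row in classify_attachments(build_sample()):
        print(row)
```

The extension check stays silent on `invoice.pdf` while the content check reports an executable header, which is the gap a generic file type detection plugin would close.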
Comment 5 Henrik Krohns 2021-04-15 05:11:16 UTC
Closing from lack of comments and I don't believe there's anything to consider for stock ruleset.