SA Bugzilla – Bug 7863
Suggest rule to score messages with attachments
Last modified: 2021-04-15 05:11:16 UTC
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

  mimeheader __MIMEHEADER_CONTENTTYPE_ATTACHMENT_DOC Content-Type =~ /\.(doc|xls|ppt)(x|)/i
  mimeheader __MIMEHEADER_CONTENTDISP_ATTACHMENT_DOC Content-Disposition =~ /\.(doc|xls|ppt)(x|)/i
  meta       MIMEHEADER_ATTACHMENT_DOC ((__MIMEHEADER_CONTENTDISP_ATTACHMENT_DOC || __MIMEHEADER_CONTENTTYPE_ATTACHMENT_DOC) && !(ALL_TRUSTED))
  describe   MIMEHEADER_ATTACHMENT_DOC HEADER: email contains a DOC file attachment
  score      MIMEHEADER_ATTACHMENT_DOC 1.5

  mimeheader __MIMEHEADER_CONTENTTYPE_ATTACHMENT_ARCH Content-Type =~ /\.(rar|zip|tar|img)/i
  mimeheader __MIMEHEADER_CONTENTDISP_ATTACHMENT_ARCH Content-Disposition =~ /\.(rar|zip|tar|img)/i
  mimeheader __MIMEHEADER_CONTENTDISP_ANY Content-Disposition =~ /./i
  meta       MIMEHEADER_ATTACHMENT_ARCH ((__MIMEHEADER_CONTENTDISP_ATTACHMENT_ARCH || __MIMEHEADER_CONTENTTYPE_ATTACHMENT_ARCH) && !ALL_TRUSTED)
  describe   MIMEHEADER_ATTACHMENT_ARCH HEADER: email contains an archive file attachment
  score      MIMEHEADER_ATTACHMENT_ARCH 0.1

  mimeheader __MIMEHEADER_CONTENTTYPE_ATTACHMENT_HTML Content-Type =~ /\.htm(l|)/i
  mimeheader __MIMEHEADER_CONTENTDISP_ATTACHMENT_HTML Content-Disposition =~ /\.htm(l|)/i
  meta       MIMEHEADER_ATTACHMENT_HTML (__MIMEHEADER_CONTENTDISP_ATTACHMENT_HTML || __MIMEHEADER_CONTENTTYPE_ATTACHMENT_HTML)
  describe   MIMEHEADER_ATTACHMENT_HTML HEADER: email contains a HTML file attachment
  score      MIMEHEADER_ATTACHMENT_HTML 1.0

  mimeheader __MIMEHEADER_CONTENTTYPE_ATTACHMENT_JAR Content-Type =~ /application.*\.(jar|js|bat|exe|com|sh|vb|vbs|pif)"/i
  mimeheader __MIMEHEADER_CONTENTDISP_ATTACHMENT_JAR Content-Disposition =~ /\.(jar|js|bat|exe|com|sh|vb|vbs|pif)"/i
  meta       MIMEHEADER_ATTACHMENT_JAR (__MIMEHEADER_CONTENTDISP_ATTACHMENT_JAR || __MIMEHEADER_CONTENTTYPE_ATTACHMENT_JAR)
  describe   MIMEHEADER_ATTACHMENT_JAR HEADER: email contains a JAR (or other executable) file attachment
  score      MIMEHEADER_ATTACHMENT_JAR 2.0

endif
Hi Ricardo, with the exception of scoring JAR files, this looks like an interesting framework to build on for attachment detection using the MIMEHeader plugin. Could you discuss it on the users list more? Are you using this in your rules? Have you improved it more?
There are already quite a few "message has attachment of type X" rules.
There's really no point to these kinds of rules in the stock ruleset, every site has different attachment policies. Others might want to allow something that others might not. It would be impossible to masscheck reliably, so everything would be scored 0.001. Or you would have simply a hundred different __ATTACHMENT_XYZ rules just taking space and memory, hoping that someone would use them instead of just making local rules like most probably do. Also it's completely another thing to detect actual content vs relying on provided filename extension. Stuff like this should be a generic file type detection plugin.
Closing from lack of comments and I don't believe there's anything to consider for the stock ruleset.
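The distinction raised in the thread between detecting actual content and trusting the supplied filename extension, as an added example (not part of the bug report and not SpamAssassin code). It decodes each named MIME part and compares the leading bytes with the family the extension claims; the signature table, the extension map and the sample message are assumptions constructed for illustration.

```python
import email
from email.message import EmailMessage

# Leading-byte signatures (illustrative subset, not a complete database).
MAGIC = [
    (b"PK\x03\x04", "zip"),                           # zip, jar, docx/xlsx/pptx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy doc/xls/ppt
    (b"MZ", "pe"),                                    # Windows executable
    (b"Rar!\x1a\x07", "rar"),
    (b"%PDF-", "pdf"),
]
# Container family each extension should map to (assumed mapping).
EXT_FAMILY = {"zip": "zip", "jar": "zip", "docx": "zip", "xlsx": "zip",
              "pptx": "zip", "doc": "ole2", "xls": "ole2", "ppt": "ole2",
              "exe": "pe", "rar": "rar", "pdf": "pdf"}

def sniff(data):
    """Return the content family indicated by the leading bytes, or None."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return None

def classify_parts(raw):
    """Yield (filename, claimed, actual, mismatch) for every named MIME part."""
    out = []
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        body = part.get_payload(decode=True) or b""   # undo base64/QP
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        claimed, actual = EXT_FAMILY.get(ext), sniff(body)
        # Flag only when the content is recognised and disagrees with the name.
        out.append((name, claimed, actual, actual is not None and actual != claimed))
    return out

def build_sample():
    """Constructed message: a PE header named .pdf and a genuine zip-based .docx."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename="report.docx")
    return m.as_bytes()

if __name__ == "__main__":
    for row in classify_parts(build_sample()):
        print(row)
```

None of the extension patterns in the posted rules match `invoice.pdf`, while the content check flags it; `report.docx` would hit the DOC rule but its content agrees with its name.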