We have seen attempts to hide or disguise spam content by abusing the traditional plain-text signature marker, placing the actual content after this. Resulting in an almost completely empty body before a signature marker and a lot of content after this marker.

Certain limitations for body rules -- notably SA splitting up the body in chunks before running regex body rules -- render it impossible to implement this in plain regex-based rules.


We implemented a set of eval() rules (operating on the first text/plain MIME part) for the stock BodyEval plugin which support the usage of signature length and body-without-signature length in SA body or meta rules.

For both the body and signature, SA rules to check min and max lengths or ranges are supported, as well as directly checking the body to signature ratio.


plaintext_body_sig_ratio: eval() rules for the (first text/plain MIME part's) body and signature lengths and ratio

trunk:
 Sending        lib/Mail/SpamAssassin/Plugin/BodyEval.pm
 Transmitting file data .done
 Committing transaction...
 Committed revision 1885213.

3.4 branch:
 Sending        lib/Mail/SpamAssassin/Plugin/BodyEval.pm
 Transmitting file data .done
 Committing transaction...
 Committed revision 1885214.


Easy backport for the 3.4 branch and completely optional, un-intrusive, not changing existing code. Thus safe to commit to 3.4 branch.