[Mimedefang] filters for subject content

james.madill at duke.edu james.madill at duke.edu
Mon Feb 9 14:07:02 EST 2004


> Hi,
>    I would like to set some filters to look at the subject line of 
> an email. I have found some codes on a spam assassin webpage and 
> would like to know where I would paste them in to the mimedefang 
> filter (that's if they are in the correct format to work).
> 
> Code:
> 
> ###################################################################################
> Subject #####
> header Y_SUBJ_RE_RANDOM_TEXT   Subject =~ /Re: [A-Z]{2,},(?: [a-z]+!?)+/
> describe Y_SUBJ_RE_RANDOM_TEXT   Fishy subject Re: CAPS, lowercase nonsense
> 
> header Y_SUBJ_PRIVATE_DOT   Subject =~ /^Private\.$/
> describe Y_SUBJ_PRIVATE_DOT   Subject is `Private.'
> 
> header Y_SUBJ_ONLY_BUCKS   Subject =~ /\bonly \$[0-9]+/i
> describe Y_SUBJ_ONLY_BUCKS   Subject contains `only $nnn'
> 
> header Y_SUBJ_PARIS_HILTON   Subject =~ /\bparis hilton\b/
> describe Y_SUBJ_PARIS_HILTON   Subject contains `paris hilton'
> 
> header Y_SUBJ_EMPTY      Subject =~ /^\s*$/
> describe Y_SUBJ_EMPTY      Subject is empty
> 
> header Y_SUBJ_EMPTY_RE      Subject =~ /^Re:\s*$/i
> describe Y_SUBJ_EMPTY_RE   Subject is empty Re:
> 
> header Y_SUBJ_WEIGHT_OBF   Subject =~ /\bwe;ght\b/
> describe Y_SUBJ_WEIGHT_OBF   Subject contains obfuscated `weight'
> 
> header Y_SUBJ_VIAGRA_OBF   Subject =~ /\bV[l|;ií!].?[aáä@]g.?r.?[aáä@]/i
> describe Y_SUBJ_VIAGRA_OBF   Subject contains possibly obfuscated `Viagra'
> 
> header Y_SUBJ_XANAX_OBF      Subject =~ /\bX(a|@|\(a\))n[a@]x/i
> describe Y_SUBJ_XANAX_OBF   Subject contains possibly obfuscated `Xanax'
> 
> # XXX: doesn't work, it's decoded by sa
> # anyway, we need a check for any encoded subject that is in fact ascii
> #header Y_SUBJ_LATIN1_B64   Subject =~ /^=\?iso-8859-1\?b\?[^=]+=*\?=$/i
> #describe Y_SUBJ_LATIN1_B64   Subject is BASE64 encoded ISO-8859-1
> 
> # vim: set ts=8 sw=8 noet :
> 
> 
> 
> so what do you think? Will this work in the mimedefang filter? And 
> where in the filter would I paste it in?
> 
> cheers
> 
> andi

I believe you would add your code to filter_begin in mimedefang-filter.

You would want something like the following (untested) code:


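my($msgSubject) = "";	# stays empty if the message has no Subject: header
my($hfile) = "HEADERS";
my($line);

# Parse the input stream:
if (!open(HEADERS, "<", $hfile)) {
	fatal("$MsgID: couldn't open $hfile: $!");
	signal_complete();
	return -1;
}
while(<HEADERS>){
	chomp;
	$line = $_;
	# Header names are case-insensitive and the space after the colon
	# is optional, so match "subject:" and "Subject:foo" as well.
	if ($line =~ /^Subject:\s*(.*)$/i){
		$msgSubject = $1;
	}
}
close HEADERS;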

# Now perform the regular expression compares...
if (($msgSubject =~ /Re: [A-Z]{2,},(?: [a-z]+!?)+/) ||
	($msgSubject =~ /^Private\.$/) ||
	($msgSubject =~ /\bonly \$[0-9]+/i) ||
	($msgSubject =~ /\bparis hilton\b/) ||
	($msgSubject =~ /^\s*$/) ||
	($msgSubject =~ /^Re:\s*$/i) ||
	($msgSubject =~ /\bwe;ght\b/) ||
	($msgSubject =~ /\bV[l|;ií!].?[aáä@]g.?r.?[aáä@]/i) ||
	($msgSubject =~ /\bX(a|@|\(a\))n[a@]x/i) ||
	($msgSubject =~ /^=\?iso-8859-1\?b\?[^=]+=*\?=$/i)){

	# do with the message as you want here...
}

You might not even need to read the HEADERS file if the subject line is already in an accessible variable.  My implementation of MIMEDefang is only used to check for a header tag inserted by an external anti-spam system, so I have to read the HEADERS file.


-- James

     o o o o o o o . . .   _______________________ ________=======_T___
   o      _____            |James Madill         | |Duke U. Health Sys|
>.][__n_n_| D[  ====|____  |james.madill at duke.edu| |  (919) 286-6384  |
 (________|__|_[____/____]_|_____________________|_|__________________|
_/oo  O-O-O  `  oo     oo  'o^o^o           o^o^o` 'o^o            o^o`
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
<http://www.duke.edu/~madil001/>
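
An added example, not part of the original post or of MIMEDefang itself: the same rules as a name-to-pattern table, so the caller learns which rule hit, with the subject RFC 2047-decoded before the text rules run and the base64 rule applied to the raw header. match_subject_rules is a hypothetical name and the sample subjects are constructed; inside filter_begin you would pass it the subject read from HEADERS as above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                 # the rule patterns below contain non-ASCII letters
use Encode qw(decode);

# Subject rules from the post, kept as [name, pattern] pairs.
# These run on the decoded text of the subject.
my @DECODED_RULES = (
    [ Y_SUBJ_RE_RANDOM_TEXT => qr/Re: [A-Z]{2,},(?: [a-z]+!?)+/ ],
    [ Y_SUBJ_PRIVATE_DOT    => qr/^Private\.$/ ],
    [ Y_SUBJ_ONLY_BUCKS     => qr/\bonly \$[0-9]+/i ],
    [ Y_SUBJ_PARIS_HILTON   => qr/\bparis hilton\b/ ],
    [ Y_SUBJ_EMPTY          => qr/^\s*$/ ],
    [ Y_SUBJ_EMPTY_RE       => qr/^Re:\s*$/i ],
    [ Y_SUBJ_WEIGHT_OBF     => qr/\bwe;ght\b/ ],
    [ Y_SUBJ_VIAGRA_OBF     => qr/\bV[l|;ií!].?[aáä@]g.?r.?[aáä@]/i ],
    [ Y_SUBJ_XANAX_OBF      => qr/\bX(a|@|\(a\))n[a@]x/i ],
);
# This rule is about the encoding itself, so it must see the raw header.
my @RAW_RULES = (
    [ Y_SUBJ_LATIN1_B64 => qr/^=\?iso-8859-1\?b\?[^=]+=*\?=$/i ],
);

# match_subject_rules (hypothetical helper): names of all rules that hit.
sub match_subject_rules {
    my ($raw) = @_;
    $raw = '' unless defined $raw;              # message had no Subject header
    my $decoded = decode('MIME-Header', $raw);  # RFC 2047 words -> characters
    my @hits;
    push @hits, map { $_->[0] } grep { $raw     =~ $_->[1] } @RAW_RULES;
    push @hits, map { $_->[0] } grep { $decoded =~ $_->[1] } @DECODED_RULES;
    return @hits;
}

# Constructed sample subjects, not taken from real mail.
binmode(STDOUT, ':encoding(UTF-8)');
for my $s ('Private.', 'Meeting notes for Tuesday', 'Re:',
           '=?iso-8859-1?b?b25seSAkOTkgdG9kYXk=?=', undef) {
    my @hits = match_subject_rules($s);
    printf "%-42s => %s\n", defined $s ? "'$s'" : '(no Subject header)',
        @hits ? join(',', @hits) : 'no match';
}
```

The base64 sample decodes to "only $99 today", so it hits both Y_SUBJ_LATIN1_B64 on the raw header and Y_SUBJ_ONLY_BUCKS on the decoded text; matching the raw header alone would miss the second.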