*** SPAM *** Re: [Mimedefang] Rebuild Message before running SpamAssassin

Guido mimedefang.at.lists.roaringpenguin.com at starbase12.cjb.net
Thu May 13 05:32:47 EDT 2004


On Monday 10 May 2004 15:05, Joseph Brennan wrote:
> --On Saturday, May 8, 2004 5:50 PM +0200 Guido
>
> <mimedefang.at.lists.roaringpenguin.com at starbase12.cjb.net> wrote:
> > The problem is that I want it to also scan textual attachments which have
> > the content-type application/octet-stream.
>
> Q: What?  What software does THAT?  ...some file grepping ensues...
> A: Apple Mail.

<SNIP>

Apparently Apple Mail does do so too. But in my case it's an annoying Exchange 
server which replaces the virus executable code with a warning and forwards 
the message nicely. Blocking the server with my firewall is unfortunately not 
an option since I also need to receive legit mail from it.

>
> This looks like a nice Spamassassin evasion technique.  Just wait.
>
> Joseph Brennan
> Academic Technologies Group, Academic Information Systems (AcIS)
> Columbia University in the City of New York

It's indeed a nice SpamAssassin evasion technique.... but since I'd really 
love to have SpamAssassin triggered for these emails I have made the 
following change to SpamAssassin:


--- PerMsgStatus.pm     2004-05-10 15:20:30.000000000 +0200
+++ PerMsgStatus.pm     2004-05-10 15:26:18.000000000 +0200
@@ -933,7 +933,7 @@

   # if it's non-text, just return an empty body rather than the 
base64-encoded
   # data.  If spammers start using images to spam, we'll block 'em then!
-  if ($ctype =~ /^(?:image\/|application\/|video\/)/i) {
+  if ($ctype =~ /^(?:image\/|(application\/(?!octet-stream))|video\/)/i) {
     $self->{body_text_array} = [ ];
     return $self->{body_text_array};
   }
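
Review bot: the lookahead `(?!octet-stream)` in the changed `if` has no end boundary, so any application subtype that merely begins with `octet-stream` also escapes the empty-body return, while the second hunk only accepts the exact type via `^(application\/octet-stream)$`. Bound the lookahead so both hunks agree, for example `application\/(?!octet-stream$)` if `$ctype` holds the bare type here as it does in the second hunk. The new parentheses around `application\/...` also create a capture group inside an otherwise non-capturing alternation and can be dropped. Finally, the comment above the test still says non-text parts return an empty body; it should note the octet-stream exception and why it exists.
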
@@ -1014,7 +1014,8 @@

        if (/^Content-Type: (\S+?\/\S+?)(?:\;|\s|$)/i) {
          $ctype = $1;
-         if ($ctype =~ /^(text\/\S+|message\/\S+|multipart\/alternative|
multipart\/related)/i)
+         if (($ctype =~ /^(text\/\S+|message\/\S+|multipart\/alternative|
multipart\/related)/i)
+         or ($ctype =~ /^(application\/octet-stream)$/i ))
          {
            $ctypeistext = 1; next;
          } else {
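
Review bot: the added `or ($ctype =~ /^(application\/octet-stream)$/i )` branch sets `$ctypeistext = 1` for every application/octet-stream part, with no check that the part is actually textual, so genuinely binary attachments sent under that type are now handled as text as well. Consider gating the branch on a cheap test of the part (for instance, that the decoded data contains no NUL bytes) so that only the textual case described in the thread is affected. Smaller points: the new test can be folded into the existing alternation instead of adding a second match joined with `or`, and the capture group around `application\/octet-stream` is unused.
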


In my case this seems to do the trick. And it was easier than rebuilding the 
message before feeding it into SpamAssassin. Additionally, had I rebuilt it 
first then the original HTML tags would already have been cleaned as well, so 
I believe this solution is the best one for my scenario. :)

Thanks,
Kind regards,

Guido

-- 
What will you do if all your problems aren't solved by the time you die?


