On Thu, 2006-03-09 at 15:49 -0500, Theo Van Dinter wrote:
> On Thu, Mar 09, 2006 at 01:26:27PM -0500, Daryl C. W. O'Shea wrote:
> > I've never tried using the MIMEHeader plugin and haven't looked at its 
> > code, but I believe it'll allow you to implement your example, looking 
> > for a GIF filename.  It doesn't provide the entire MIME data in one 
> > chunk but it does allow you to match against a MIME header.
> 
> Just for history's sake, the reason we made a MIMEHeader plugin in the
> first place (included in 3.1) was because it was asked for in bug 3781
> by Loren.  So I'm kind of surprised that it wasn't being used already.
> 

i guess we could change the rule to use that plugin, and ifdef the
rule... but then when we update the ruleset, and RJD updates the users
rulesets, everyone that doesn't have the plugin loaded loses it, at least
until they figure out what changed.

i guess what i'm saying is, if you are not going to use full for any
core rules, it may be worth changing its behavior.  or maybe a tflag
would be a good supplement for full rules.

full  SARE_GIF_ATTACH  Content-Type =~ /name=\"[a-z]{3,18}\.gif\"/
tflags SARE_GIF_ATTACH mimeonly

this would at least make full useable (and efficient), even in core, and
not break any 3rd party rules.

> > mimeheader  SARE_GIF_ATTACH  Content-Type =~ /name=\"[a-z]{3,18}\.gif\"/
> 
> Yeah.  That would work.  I put a very similar rule into my sandbox the
> other day (3-5 character names are common in ham, fyi). :)
> 

agreed.. we score it low, and meta it with the HTML_IMAGE_ONLY_* rules
to help hit the gif stock spam... which IMO we still score pretty low by
default.  

thanks,
d
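
Added example, not part of the original message and not SpamAssassin code: a Python sketch of the difference discussed in this thread between testing only each MIME part's Content-Type header (as the quoted mimeheader rule does) and testing the whole raw message (as a full rule does). The sample messages, helper names and placeholder base64 body are constructed for illustration; the pattern is the one from the rule above.

```python
import email
import re

# Pattern taken from the rule quoted in the thread (case-sensitive as written).
GIF_NAME = re.compile(r'name="[a-z]{3,18}\.gif"')

def build(attachment_name, body_text):
    """Constructed two-part message: a text body plus one image/gif part."""
    return (
        "From: sender@example.com\n"
        "Subject: sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        f"{body_text}\n"
        "--b1\n"
        "Content-Type: image/gif;\n"          # folded header, as mailers emit it
        f'\tname="{attachment_name}"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "R0lGODlhAQABAAAAACw=\n"              # placeholder payload, never decoded
        "--b1--\n"
    )

def part_content_types(raw):
    """Return the unfolded Content-Type header of every MIME part."""
    msg = email.message_from_string(raw)
    return [" ".join(p["Content-Type"].split())
            for p in msg.walk() if p["Content-Type"]]

def header_scoped_hit(raw):
    """Approximates a mimeheader rule: only per-part headers are tested."""
    return any(GIF_NAME.search(v) for v in part_content_types(raw))

def whole_message_hit(raw):
    """Approximates a full rule: the entire raw message text is tested."""
    return GIF_NAME.search(raw) is not None

# Constructed cases: random-looking name, short ham-like name, and a body
# that merely quotes the string while the real attachment name does not match.
SPAM_LIKE = build("qzkvtw.gif", "see image")
HAM_LIKE = build("logo.gif", "our logo is attached")
QUOTED = build("Scan-01.gif", 'the header said name="abcdef.gif"')

if __name__ == "__main__":
    for label, raw in (("spam-like", SPAM_LIKE), ("ham-like", HAM_LIKE), ("quoted", QUOTED)):
        print(label, header_scoped_hit(raw), whole_message_hit(raw))
```

The ham-like case hits on a four-letter name, which is why the rule is scored low and combined in a meta; the quoted case shows a whole-message match firing on body text that a header-scoped match ignores.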

