On 10/23/2012 10:48 PM, John Hardin wrote:
> On Tue, 23 Oct 2012, Kevin A. McGrail wrote:
>
>> My thoughts were to ignore any binary attachments.
>
> I don't think that's justified. I'm beginning to see a resurgence of
> image spams that the OCR plugin would probably catch. Plus I fairly
> regularly see 419 spams with the body of the pitch in a PDF or MS Word
> document attachment.

SA never scanned binary attachments and the chunk method wouldn't change that, just apply rules to content for which it was not designed.

PDF/Word attachments need to be detected by checksum or other newer methods, but definitely not by the existing rule methods. You won't get anything useful with a raw/body rule or any other regex scanner out of an encoded chunk of an attachment.

Stuff like PDFInfo, ImageInfo, etc. are the kind of plugins required to do foo against attachments.
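The point about regex rules and encoded attachment chunks, as an added example that is not part of the original message and is not SpamAssassin code: a phrase regex is applied to a constructed mail at three layers (the base64 chunk as transmitted, the decoded attachment bytes, and the text recovered from a deflate-compressed stream of the kind PDF uses). The container format, the rule, the file name and the sample pitch are all constructed for illustration.

```python
import re
import zlib
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed phrase rule of the kind a body regex would carry.
RULE = re.compile(rb"urgent business proposal", re.I)

# Constructed sample pitch text.
SAMPLE_PITCH = b"Dear friend, I have an URGENT BUSINESS PROPOSAL for you."


def build_message(pitch: bytes) -> bytes:
    """Build a constructed mail: a harmless text body plus a binary attachment
    that holds the pitch in a deflate-compressed stream. The container is a
    made-up stand-in for a document format, not a real PDF."""
    blob = b"%FAKE-1.0\nstream\n" + zlib.compress(pitch) + b"\nendstream\n"
    msg = MIMEMultipart()
    msg.attach(MIMEText("See attached.", "plain"))
    msg.attach(MIMEApplication(blob, "octet-stream", name="offer.bin"))
    return msg.as_bytes()


def scan(raw: bytes) -> dict:
    """Apply RULE to the attachment at each layer and report where it hits."""
    parts = message_from_bytes(raw).walk()
    part = [p for p in parts
            if p.get_content_type() == "application/octet-stream"][0]
    encoded = part.get_payload().encode()    # base64 text as sent on the wire
    decoded = part.get_payload(decode=True)  # attachment bytes after decoding
    # Format-aware step: locate the stream and inflate it to recover the text.
    stream = decoded.split(b"stream\n", 1)[1].rsplit(b"\nendstream", 1)[0]
    return {
        "encoded_chunk": bool(RULE.search(encoded)),
        "decoded_bytes": bool(RULE.search(decoded)),
        "extracted_text": bool(RULE.search(zlib.decompress(stream))),
    }


if __name__ == "__main__":
    print(scan(build_message(SAMPLE_PITCH)))
```

Only the format-aware layer matches; the same rule finds nothing in the encoded chunk or in the decoded but still compressed bytes.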



