Re: multiple maxhits to detect multiple attachments
On Thu, 13 Oct 2016, RW wrote: On Tue, 11 Oct 2016 17:02:35 -0400 Olivier Coutu wrote: I was wondering if mimeheader is designed to work with tflags multiple maxhits or did I overlook something? If it is not designed to work with it, would there be any workarounds to detect multiple attachments? A "full" rule would probably support "multiple". Most of the base rule types do (not, of course, meta). -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Where are my space habitats? Where is my flying car? It's 2010 and all I got from the SF books of my youth is the lousy dystopian government. -- perlhaqr --- 296 days since the first successful real return to launch site (SpaceX)
Re: multiple maxhits to detect multiple attachments
On Tue, 11 Oct 2016 17:02:35 -0400 Olivier Coutu wrote: > I was wondering if mimeheader is designed to work > with tflags multiple maxhits or did I overlook something? If it is > not designed to work with it, would there be any workarounds to > detect multiple attachments? > A "full" rule would probably support "multiple".
Re: multiple maxhits to detect multiple attachments
On Tue, 11 Oct 2016, Olivier Coutu wrote: I was wondering if mimeheader is designed to work with tflags multiple maxhits or did I overlook something? I don't think it is. The tflags multiple handling is in the RE processing code per-rule-type (e.g. "meta" doesn't implement it), and I think the mimeheader plugin implements its own special RE code that didn't get the tflags multiple changes... ...yeah, it looks like the loop exits as soon as it finds a hit: lib/Mail/SpamAssassin/Plugin/MIMEHeader.pm at line 199. File a bug to implement "tflags multiple" in MIMEHeader.pm If it is not designed to work with it, would there be any workarounds to detect multiple attachments? perhaps: rawbody __MIME_ATTACH_MULT /^Content-Disposition: / tflags__MIME_ATTACH_MULT multiple maxhits=3 but that has obvious drawbacks. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- [For Earth Day] Obama flew a 747 all the way to the Everglades then rode in a massive SUV motorcade to tell you to cut carbon emissions.-- Twitter satirist @hale_razor --- 294 days since the first successful real return to launch site (SpaceX)
multiple maxhits to detect multiple attachments
I'm attempting to detect when a file has multiple attachments. For a single attachment, this rule works pretty well mimeheader __Z_HAS_ATTCHMNTContent-Disposition =~ /attachment/i tflags __Z_HAS_ATTCHMNTmultiple maxhits=3 The multiple maxhits does not appear to work though. Here is an example email that has two attachements: grep attachment myeml.eml Content-Disposition: attachment; filename="foo.doc" Content-Disposition: attachment; filename="bar.docx" spamassassin -D 2>&1 < myeml.eml | grep ATTCH oct 11 16:49:22.529 [29271] dbg: rules: ran eval rule __Z_HAS_ATTCHMNT ==> got hit (1) [...] There is only one hit. Actually there never is more than one hit on any of the 20k emails I have tested it on, so I don't think the problem is with my sample. I have seen headers being used as such 72_active.cf:header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm 72_active.cf-tflags __HDRS_LCASE multiple maxhits=3 but no mimeheader. I was wondering if mimeheader is designed to work with tflags multiple maxhits or did I overlook something? If it is not designed to work with it, would there be any workarounds to detect multiple attachments? -- Olivier Coutu Assistance technique Technical Support T : 514-527-3232 x 2 n...@zerospam.ca
