> I guess what I'm wondering is that is SA not able/designed to recognize
> UUencoded attachments? If not, then I guess I should modify the
> chickenpox and backhair sets to use a meta rule so that it can only add
> so many points to a message.
SA by design ignores uuencoded attachments that aren't in a separate mime
part. I personally somewhat disagree with this philosophy, but the devs do
have a potential point that this could allow a fake uuencode to allow a
visible spam through, for some mail agents.
The unfortunate things is SA also doesn't provide to the rules any
indication that they are scanning over a uuencoded (or other encoded binary)
body part, so that they could modify their action.
I'd suggest the best path (in my opinion) at the moment would be to write a
negative scoring rule and maybe -1 or -2 points, certainly no more than -3,
that would trigger on a uue header, possibly followed by at least one or two
potentially valid lines of uuencoded data. This should drastically reduce
the fp's in this sort of thing, while still making it almost sure that a
spam "hidden" in bogus uue data will still be caught.
An expansion would be to set a meta tag if a uue header and potentially
valid data is detected, and then change MANY rules to use that as part of a
meta term for scoring, rather than scoring directly. This would be a whole
lot more work, but might be necessary at some point.
Loren
