>-----Original Message-----
>From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
>Sent: Friday, September 10, 2004 2:30 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Catching Windows executables as attachments
>
>
>On Fri, Sep 10, 2004 at 03:48:17AM -0700, Loren Wilton wrote:
>> > First, the body-mime headers aren't typically visible to the user via MUA,
>> > so they're not included in the data that the standard rules run against.
>> 
>> and yet they are considered one of the more important spam indicators.  Lack
>> of normal visibility in an MUA is a poor justification for excluding
>> information in the mail from a spam classifier.
>
>Nothing is excluded from "[the] spam classifier".  It is, however,
>excluded from body rules which are explicitly meant to be a rendered
>version of the message, relatively close to what the user will see in
>an MUA (visible vs invisible HTML, HTML "rendering" (mostly tag removal
>but we process the tags internally to pull out information), b64/qp
>decoding, etc).
>
>> You are assuming here that the only use for examining mime headers is to
>> classify virui and worms.  While that is the origin of this thread, I find
>
>Since the subject of this thread is "Catching Windows executables as
>attachments", yes, that's what I was talking about. :)
>
>> Well, it's trivial if your name is Theo or Justin or Daniel and you work with
>> SA code 10 hours a day every day.  In that case you probably know more Perl
>[...]
>> it, it is hardly a trivial undertaking to spend months learning a language
>> of surpassing crypticality, and then learn the undocumented (or otherwise)
>> innards of a major program, simply to be able to write a few simple rules.
>
>You don't need to get all uppity about it.  I'm simply stating that body mime
>headers have no place in the standard body rules (body, rawbody, and uri).
>They're meant to check one thing, you want to check something different.
>
>IMO, it would be pretty easy to get a new rule type as a plugin (if you
>don't know the perl to do it, I'm sure if you asked politely someone else
>could code it up).  Then you can easily write rules to look for whatever
>you want to look for.  If looking at that information became commonplace,
>the rule type/code would likely get merged into SA-proper.
>

If anyone could write a body-mime headers rule type code I would LOVE it!!
I've been wanting to write rules for them for a long time. ESPECIALLY now.
There seem to be more spams trying to use the attached gif method instead
of URIs because of SURBL.

I'd love to write some initial research rules and run them thru the SARE
corpus.

SO I'm asking anyone who knows how to do this, pretty please with sugar on
top! Even if it's a patch used for testing to see if it is worth it.

--Chris
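
The distinction discussed in this thread, shown as an added example that is not part of the original message and is plain Python rather than SpamAssassin plugin code: regex rules evaluated against each MIME part's own headers, next to the rendered text that body rules see. The rule names, patterns and sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread): text, an .exe attachment, an inline GIF.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached file.
--b1
Content-Type: application/octet-stream;
 name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

(constructed placeholder body)
--b1
Content-Type: image/gif; name="offer.gif"
Content-Disposition: inline; filename="offer.gif"

(constructed placeholder body)
--b1--
"""

# Hypothetical rules: name -> (MIME part header, regex on its unfolded value).
RULES = {
    "PART_EXE_NAME": ("Content-Type", re.compile(
        r'name="?[^";]+\.(?:exe|scr|pif|com|bat)"?\s*(?:;|$)', re.I)),
    "PART_INLINE_GIF": ("Content-Disposition", re.compile(
        r'^inline\b.*\.gif"?\s*$', re.I)),
}

def part_header_hits(raw):
    # Return sorted names of rules that match the headers of any leaf MIME part.
    hits = set()
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue  # container: its headers are the enclosing part's, skip
        for name, (header, rx) in RULES.items():
            for value in part.get_all(header, []):
                # Unfold continuation lines before matching.
                if rx.search(re.sub(r"\r?\n[ \t]+", " ", str(value))):
                    hits.add(name)
    return sorted(hits)

def rendered_text(raw):
    # Approximation of what a body rule sees: decoded text/plain parts only.
    parts = message_from_string(raw).walk()
    return "".join(p.get_payload(decode=True).decode("ascii", "replace")
                   for p in parts if p.get_content_type() == "text/plain")
```

The attachment filename appears only in the part headers, so a pattern run over `rendered_text(SAMPLE)` never sees it, while `part_header_hits(SAMPLE)` reports both rules.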
