Jo Rhett wrote:
Chris Lear wrote:
* Jo Rhett wrote (16/08/07 07:41):
Since nobody is paying attention

Or they're asleep. Your messages were at 23:44 and 07:41 here.

, let me clarify.  The current rule is wrong:

mimeheader __TVD_MIME_ATT_AP    Content-Type =~ /^application\/pdf/i
mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i

meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && __TVD_MIME_ATT && !__TVD_BODY

This evaluates to exactly the same as this:

meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && !__TVD_BODY

I believe that the original rule's intent was this:

meta TVD_PDF_FINGER01  __TVD_MIME_CT_MM && __TVD_MIME_ATT && !__TVD_BODY

I don't think you're right.

The rule looks like this to me:

meta TVD_PDF_FINGER01
__TVD_MIME_CT_MM             # content-type is multi-part mixed
&& __TVD_MIME_ATT_TP         # and has a text-plain part
&& __TVD_MIME_ATT            # and has an attachment that is either
    __TVD_MIME_ATT_AP    # application/pdf
    __TVD_MIME_ATT_AOPDF # or application/octet-stream.*.pdf
&& !__TVD_BODY               # and has no non-whitespace text content

Your rule would seem to match anything with no non-whitespace text content regardless of whether or not a pdf was attached.

I did a full analysis of why the rule is broken, line by line in the message you replied to. But I'll do it again.

(dropping "__TVD_MIME_" for ease of typing)

ATT is a meta of ATT_AP *or* ATT_AOPDF.

But the PDF_FINGER01 requires ATT_TP as well as ATT. This means that really it will only work if ATT_TP matches. If ATT_AOPDF matches then it won't match.

Now go back up and read the text I quoted at the top. Because if this is the author's intent then you can shorten the rule, but I somehow don't think so.

I read it. I think you got it wrong. The author's intent seems to accord with my analysis.


I was looking into this very rule about 3 days ago, because of false positives (client mailing out auto-generated pdfs which are being rejected by messagelabs), and I found that spamassassin -D told me all I needed to know about why some e-mail hit this rule and some didn't.

Perhaps. But maybe you have difficulty reading the line by line analysis I posted below, hm? I have ~200 messages here that are 100% spam that would match the fixed rule, which seems to be the author's intent.


As I say, I read it. It was clear from the start that you didn't understand why the rule wasn't firing (and TVD, the rule author, explained that). It also appeared to me that your rewrite of the rule was the result of a misreading of the logic (or a misunderstanding of multipart mime). I thought I could elucidate. I stand by my comments, except that I misread your rewrite and thought it was looking only for text/plain, whereas it's looking only for pdf mime parts. Theo has explained it all now anyway, so there's no more to add.

But forgive me. I should have known better than to step into a Jo Rhett thread. I'll try not to do it again.

Chris
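
The three meta variants quoted in this message can be compared mechanically. The following is an added example, not code from the thread or from SpamAssassin: a small evaluator that handles only the boolean operators &&, || and ! plus parentheses, and lists the sub-rule hit combinations on which two variants disagree. The labels current, without_att and without_tp are made up for this example, and __TVD_MIME_ATT is defined as described in the thread (ATT_AP or ATT_AOPDF).

```python
import itertools
import re

# Sub-rules that can hit on a message, named as in the thread.
ATOMS = ["__TVD_MIME_CT_MM", "__TVD_MIME_ATT_TP", "__TVD_MIME_ATT_AP",
         "__TVD_MIME_ATT_AOPDF", "__TVD_BODY"]
# Keys other than __TVD_MIME_ATT are labels invented for this example.
METAS = {
    "__TVD_MIME_ATT": "__TVD_MIME_ATT_AP || __TVD_MIME_ATT_AOPDF",
    "current": "__TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && __TVD_MIME_ATT && !__TVD_BODY",
    "without_att": "__TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && !__TVD_BODY",
    "without_tp": "__TVD_MIME_CT_MM && __TVD_MIME_ATT && !__TVD_BODY",
}

def evaluate(expr, hits):
    """Evaluate a boolean meta expression against a dict of sub-rule hits."""
    tokens = re.findall(r"&&|\|\||[!()]|\w+", expr)

    def unary():
        tok = tokens.pop(0)
        if tok == "!":
            return not unary()
        if tok == "(":
            value = either()
            tokens.pop(0)  # closing parenthesis
            return value
        # A name is another meta (expanded recursively) or a sub-rule hit.
        return evaluate(METAS[tok], hits) if tok in METAS else bool(hits.get(tok))

    def chain(op, operand):
        # Left-associative run of one operator. Every operand is parsed even
        # when the result is already known, so the token list stays in sync.
        values = [operand()]
        while tokens and tokens[0] == op:
            tokens.pop(0)
            values.append(operand())
        return any(values) if op == "||" else all(values)

    def either():
        return chain("||", lambda: chain("&&", unary))  # && binds tighter than ||

    return either()

def differences(a, b):
    """Sub-rule hit sets on which metas a and b give different results."""
    rows = (dict(zip(ATOMS, bits))
            for bits in itertools.product([False, True], repeat=len(ATOMS)))
    return [frozenset(n for n in h if h[n]) for h in rows
            if evaluate(METAS[a], h) != evaluate(METAS[b], h)]
```

differences("current", "without_att") and differences("current", "without_tp") return the hit combinations that separate the rule as shipped from each rewrite.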
