On Tue, 2 Jun 2009, Yet Another Ninja wrote:
On 6/2/2009 7:55 PM, John Hardin wrote:
Oh, sorry, I got that backwards checking for _not_ PHP... Never mind
those last rules.
The mailer is going to be easy to change (even randomly) in a spam tool.
I'd suggest that it's not valid to check that for this test,
Could be but all the hits I saw with the .png and .rtf files had the PHP
X-mailer in them.
Perhaps this, then?
  # Sub-rules: top-level multipart Content-Type, and a PHP X-Mailer
  header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w/i
  header __XM_PHP X-Mailer =~ /^PHP\s?v?\/?\d\./

  ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
    # Sub-rule: any MIME part whose Content-Type is text/*
    mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i

    meta MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
    score MIME_NO_TEXT 1.00
    describe MIME_NO_TEXT No text body parts

    meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __XM_PHP)
    score MIME_PHP_NO_TEXT 2.00
    describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP
  endif
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Of the twenty-two civilizations that have appeared in history,
nineteen of them collapsed when they reached the moral state the
United States is in now. -- Arnold Toynbee
-----------------------------------------------------------------------
4 days until the 65th anniversary of D-Day
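
Added example (not part of the original message and not SpamAssassin code): a Python sketch that applies the same three regexes and the two meta rules to constructed sample messages, to show which combinations hit and what they score. The build() and evaluate() helpers and the sample messages are assumptions made for illustration; the sketch matches on the literal Content-Type header of each part, so a part with no Content-Type header counts as non-text here.

```python
import re
from email import message_from_string

# The three sub-rule regexes, copied from the rules in the message
CTYPE_MULTIPART_ANY = re.compile(r"multipart/\w", re.I)
XM_PHP = re.compile(r"^PHP\s?v?/?\d\.")
ANY_TEXT_ATTACH = re.compile(r"text/\w+", re.I)
SCORES = {"MIME_NO_TEXT": 1.00, "MIME_PHP_NO_TEXT": 2.00}

def build(xmailer, part_types, top="multipart/mixed"):
    """Construct a minimal sample message (hypothetical helper)."""
    lines = [f"X-Mailer: {xmailer}", "MIME-Version: 1.0",
             f'Content-Type: {top}; boundary="BOUND"', ""]
    for ctype in part_types:
        lines += ["--BOUND", f"Content-Type: {ctype}", "", "constructed body", ""]
    lines.append("--BOUND--")
    return "\n".join(lines) + "\n"

def evaluate(raw):
    """Return (rule names hit, total score) for one raw message."""
    msg = message_from_string(raw)
    multipart = bool(CTYPE_MULTIPART_ANY.search(msg.get("Content-Type", "")))
    xm_php = bool(XM_PHP.search(msg.get("X-Mailer", "")))
    # Look at the Content-Type header of every part in the MIME tree
    any_text = any(ANY_TEXT_ATTACH.search(p.get("Content-Type", ""))
                   for p in msg.walk())
    hits = []
    if multipart and not any_text:
        hits.append("MIME_NO_TEXT")
        if xm_php:  # the meta rule builds on MIME_NO_TEXT
            hits.append("MIME_PHP_NO_TEXT")
    return hits, sum(SCORES[h] for h in hits)

# Constructed samples: (label, raw message)
SAMPLES = [
    ("png only, PHP mailer", build("PHP v5.2.6", ["image/png"])),
    ("png+rtf, other mailer", build("ExampleMailer 1.0",
                                    ["image/png", "application/rtf"])),
    ("text+png, PHP mailer", build("PHP/5.2.9", ["text/plain", "image/png"],
                                   top="multipart/alternative")),
]

if __name__ == "__main__":
    for label, raw in SAMPLES:
        print(label, evaluate(raw))
```

The second sample is the case raised in the thread: with the X-Mailer changed, only MIME_NO_TEXT still fires.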