On Mon, 1 Mar 2010, David B Funk wrote:
Looks like he may have to use a 'full' test to look for the references to
paypal....
Been there, done that, doesn't work.
AFAIK SA ignores 'octet/binary' attachments for the rule engine. None of
the rules that I tried (uri, body, full, rawbody) "saw" anything that was
known to be in one of those attachments.

You may have to examine the 'raw' message and look for 'encoding' that disguises the URIs in the attachment. The whole thing might be encoded as base64 or something... A real mess to work with. You might have more success making a rule that looks for MIME headers that are type 'octet' but named 'html'. You won't be able to score that too high on its own, but it might combine well in a meta rule with certain buzz phrases from the text portions of the e-mail.

- C
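
The two ideas in the reply above (decode the attachment's transfer encoding to see its URIs, and combine "octet-stream but named .html" with buzz phrases), shown as an added Python sketch that runs outside SpamAssassin; it is not a SpamAssassin rule and not code from the thread. The sample message, the URI in it and the buzz phrases are constructed for illustration.

```python
import base64
import re
from email import message_from_string

# Constructed sample (not from the thread): a text part plus an HTML form
# shipped as a base64 application/octet-stream part named *.html.
_FORM = b'<html><form action="http://login.example.net/verify.php">PayPal</form></html>'
SAMPLE = (
    "Subject: Account notice\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Your account is limited. Open the attached form.\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="form.html"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(_FORM).decode("ascii")
    + "--b1--\n"
)

URI_RE = re.compile(rb"https?://[^\s\"'<>]+", re.I)
BUZZ_RE = re.compile(r"account is limited|verify your account", re.I)  # hypothetical phrases

def scan(raw):
    """Return (disguised_html_parts, uris_in_those_parts, buzz_phrase_hit)."""
    msg = message_from_string(raw)
    disguised, uris, buzz = [], [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""  # falls back to Content-Type name=
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP
        if (part.get_content_type() == "application/octet-stream"
                and re.search(r"\.html?$", name, re.I)):
            disguised.append(name)
            uris += [u.decode("ascii", "replace") for u in URI_RE.findall(payload)]
        elif part.get_content_maintype() == "text":
            buzz = buzz or bool(BUZZ_RE.search(payload.decode("utf-8", "replace")))
    return disguised, uris, buzz

def is_suspect(raw):
    """Meta-style combination: neither signal alone is enough."""
    disguised, _, buzz = scan(raw)
    return bool(disguised) and buzz
```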
