On Fri, 2010-05-28 at 13:05 -0400, Kaleb Hosie wrote:
> We've been having a problem with emails that are completely blank except for
> an attached .rtf file which is where the spam message is.

Err, do you *really* mean attached? If so, provide a sample.

Otherwise I guess you are actually talking about the recent-ish spam that does not have anything but an RTF document MIME part. Those typically score above 10 for me, so there might be something else missing -- but here's a nice little rule I use.

# No text part, only an RTF document. Yeah, sure...
header   PAYLOAD_CTYPE_RTF  Content-Type =~ /\bname=".+\.rtf"/i
describe PAYLOAD_CTYPE_RTF  Payload is an RTF document, no text part
score    PAYLOAD_CTYPE_RTF  4.0

DO NOTE, that this MIGHT NOT be safe in all environments. MUAs and their users tend to always include some minimal text, but $service via mail might not. In that case, it still is rather unlikely it sends an RTF doc (TIFF for fax probably is common), but that decision is up to you.

Also, the score is rather high. But then again, it is my local rule, and I don't even get RTF docs attached to legit mail, ever...

  guenther

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
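
An added example, not part of the message above: a Python check of which messages the rule's regex would hit, showing the difference between an RTF document that is the whole message and one attached alongside a text part. The sample messages, addresses and function names are constructed for illustration, and Python's `re` is assumed to treat this pattern as Perl does.

```python
import re
from email import message_from_string

# Same pattern as the rule; Python's re handles it like Perl (assumption).
RULE_RE = re.compile(r'\bname=".+\.rtf"', re.I)

def _unfold(value):
    # Collapse folded header lines into one line before matching.
    return " ".join((value or "").split())

def header_rule_hits(raw):
    """A 'header' rule sees only the message's top-level Content-Type."""
    msg = message_from_string(raw)
    return bool(RULE_RE.search(_unfold(msg.get("Content-Type"))))

def rtf_named_parts(raw):
    """Count MIME parts (root included) whose Content-Type names an .rtf file."""
    msg = message_from_string(raw)
    return sum(1 for part in msg.walk()
               if RULE_RE.search(_unfold(part.get("Content-Type"))))

# Constructed sample messages (not real spam samples).
RTF_ONLY = (
    "From: sender@example.com\nSubject: hello\n"
    'Content-Type: application/rtf;\n name="offer.rtf"\n'
    "Content-Transfer-Encoding: base64\n\ne1xydGYxfQ==\n"
)
TEXT_PLUS_RTF = (
    "From: colleague@example.com\nSubject: report\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nSee attached.\n"
    '--b1\nContent-Type: application/rtf; name="report.rtf"\n'
    "Content-Transfer-Encoding: base64\n\ne1xydGYxfQ==\n--b1--\n"
)
# The caveat case: an automated service that mails a bare RTF document.
SERVICE_RTF = (
    "From: billing@example.com\nSubject: invoice\n"
    'Content-Type: application/rtf; name="INVOICE.RTF"\n'
    "Content-Transfer-Encoding: base64\n\ne1xydGYxfQ==\n"
)

if __name__ == "__main__":
    for label, raw in (("rtf only", RTF_ONLY),
                       ("text + rtf attachment", TEXT_PLUS_RTF),
                       ("service, rtf only", SERVICE_RTF)):
        print(f"{label:24} rule hit: {header_rule_hits(raw)!s:5} "
              f"rtf-named parts: {rtf_named_parts(raw)}")
```

The multipart message carries an RTF-named part but does not hit, because its top-level Content-Type is multipart/mixed; the service message hits exactly like the spam, which is the false-positive case the note warns about.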