On Fri, 2010-05-28 at 13:05 -0400, Kaleb Hosie wrote:
> We've been having a problem with emails that are completely blank except for
> an attached .rtf file which is where the spam message is.
Err, do you *really* mean attached? If so, provide a sample.
Otherwise I guess you are actually talking about the recent-ish spam
that does not have anything but an RTF document MIME part. Those
typically score above 10 for me, so there might be something else
missing -- but here's a a nice little rule I use.
# No text part, only an RTF document. Yeah, sure...
header PAYLOAD_CTYPE_RTF Content-Type =~ /\bname=".+\.rtf"/i
describe PAYLOAD_CTYPE_RTF Payload is an RTF document, no text part
score PAYLOAD_CTYPE_RTF 4.0
DO NOTE, that this MIGHT NOT be safe in all environments. MUAs and their
users tend to always include some minimal text, but $service via mail
might not. In that case, it still is rather unlikely it sends an RTF doc
(TIFF for fax probably is common), but that decision is up to you.
Also, the score is rather high. But then again, it is my local rule, and
I don't even get RTF docs attached to legit mail, ever...
guenther
--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
