I'm attempting to detect when a file has multiple attachments. For a
single attachment, this rule works pretty well
mimeheader __Z_HAS_ATTCHMNT Content-Disposition =~ /attachment/i
tflags __Z_HAS_ATTCHMNT multiple maxhits=3
The multiple maxhits does not appear to work though. Here is an example
email that has two attachements:
grep attachment myeml.eml
Content-Disposition: attachment; filename="foo.doc"
Content-Disposition: attachment; filename="bar.docx"
spamassassin -D 2>&1 < myeml.eml | grep ATTCH
oct 11 16:49:22.529 [29271] dbg: rules: ran eval rule __Z_HAS_ATTCHMNT ======>
got hit (1)
[...]
There is only one hit. Actually there never is more than one hit on any
of the 20k emails I have tested it on, so I don't think the problem is
with my sample.
I have seen headers being used as such
72_active.cf:header __HDRS_LCASE ALL =~
/\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
72_active.cf-tflags __HDRS_LCASE multiple maxhits=3
but no mimeheader. I was wondering if mimeheader is designed to work
with tflags multiple maxhits or did I overlook something? If it is not
designed to work with it, would there be any workarounds to detect
multiple attachments?
--
Olivier Coutu
Assistance technique
Technical Support
T : 514-527-3232 x 2
n...@zerospam.ca