[Mimedefang] SA - MIME attachments?
mdamrose at elgin.edu
Thu Oct 27 08:22:48 EDT 2005
From: Jon Fullmer
> body PORN_SPAM /(?:porn.com|porn-site.com|pr0n.com)/I
> describe PORN_SPAM Some jerk sending me porn spam
> score PORN_SPAM 10.0
> I've noticed that when I do this, though, if the e-mail is a multipart
> MIME message (with, say, one part "text/plain" and one part
> "text/html"), it won't find the string I'm having it search for.
You're using the wrong test.
body strips out all the HTML tags before doing a scan.
rawbody doesn't strip out the tags.
But what you really want is the uri test. It does all the work of
identifying uri/url for you and searches only in those.
More information about the MIMEDefang