Mailing List Archive: How do I check for a jpeg attachment?

On Mon, 3 Oct 2022, Loren Wilton wrote:

> I'm getting a bunch of spams from fake gmail accounts that consist of one
> short line of text and a 2 MB jpg file.
> The subject and body text are pretty much random beyond that.
>
> How do I check for the following?
>
> --000000000000e345f305ea2680cd
> Content-Type: image/jpeg; name="MMM.jpg"
> Content-Disposition: attachment; filename="MMM.jpg"
> Content-Transfer-Encoding: base64
> Content-ID: <f_l8t6clr50>
> X-Attachment-Id: f_l8t6clr50
>
> I want to match on /^Content-Type: image\/jpeg;/ but I can't figure out how
> to do that. rawbody doesn't seem to work.

Use the specific 'mimeheader' rule type:

mimeheader L_IMAGE3e Content-Type =~ m!image/jpe?g;!i
describe L_IMAGE3e Has JPG image attachment
score L_IMAGE3e 0.2

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{