On Thu, 12 Feb 2004, Damon McMahon wrote:
> Thanks for the suggestions. Having done some further troubleshooting I'm
> convinced that the full body regexp search either isn't being run or
> isn't working as I would expect.
>
> Any further clues? Where would I find more info about the full body search?
>
> Thanks...
Because of a feature of SA.

If you have a MIME component of "Content-type: application/octet-stream"
SA rips it out and discards it. EVERYTHING after that 'Content-type:'
declaration up until the end of that particular component/attachment
is discarded and not available for -any- types of matches,
not "body", "rawbody" nor "full".

Look at the def of a 'body' rule in the spam.conf man page. It says:

    The 'body' in this case is the textual parts of the message body;
    any non-text MIME parts are stripped, and the message decoded from
    Quoted-Printable or Base-64-encoded format if necessary.

As application/octet-stream is clearly a non-text part, it is stripped.
If you look at the MIME headers of one of those critters, the
"filename=" declaration that you're looking for is after the
"Content-type: application/octet-stream" and thus made of unobtanium. ;(

Hey Devs, are there any 'really-raw-full-body' type rules that will
let us look at -everything- in a message? Or is that so far from SA's
intended usage realm that it's not even possible?
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
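
An added example, not part of the original message and not SpamAssassin code: Python's standard `email` package splitting a constructed message into the decoded textual parts (the view the quoted man page text describes for a 'body' rule) and the attachment names held in the MIME headers of the non-text parts. The sample message, the file name `sample.bin` and the helper `split_views` are assumptions made for illustration.

```python
from email import message_from_string

# Constructed sample (not from the thread): one text part and one
# application/octet-stream part whose name appears only in its part headers.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Please see the attached file.
--BOUND
Content-Type: application/octet-stream; name="sample.bin"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sample.bin"

AAAAAAAA
--BOUND--
"""


def split_views(raw):
    """Return (text_view, attachment_names): the decoded textual parts a
    'body' rule is described as seeing, and the names held in the headers
    of the non-text parts."""
    msg = message_from_string(raw)
    text_chunks, names = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "us-ascii"
            text_chunks.append(payload.decode(charset, errors="replace"))
        else:
            # get_filename() reads Content-Disposition filename=, falling
            # back to the Content-Type name= parameter.
            names.append((part.get_content_type(), part.get_filename()))
    return "".join(text_chunks), names


if __name__ == "__main__":
    print(split_views(SAMPLE))
```

A pattern written against the text view cannot match `sample.bin`, because the name exists only in the second list.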