Recipe set to match stock/pharma-gif-spam:
s = '[ ]' # a space and a tab
h = '[0-9A-Fa-f]'
h2 = "$h$h" h3 = "$h2$h"
h4 = "$h2$h2" h6 = "$h4$h2"
h8 = "$h4$h4" h12 = "$h8$h4"
:0
* ^^(From |Return-Path: <)[^ @]+(_at_)\/[^ >]+
{ DOMAIN = $MATCH }
:0
* 1^1 ^Received:
{ } N_RCVD = $=
:0
*$ ^Content-Type: multipart/related;.*\
boundary=(\")?\/[^\"]+
{ H_CTB = $MATCH }
:0
* ^Message-ID:.*\/[^ <@]+(_at_)[^>]+
{ H_MID = $MATCH
:0
* H_MID ?? ^^\/[^(_at_)]+
{ MID1 = $MATCH }
:0
* H_MID ?? @\/.+
{ MID2 = $MATCH }
}
:0
* N_RCVD ?? ^^(1|2)^^
*$ H_CTB ?? ^^----=_NextPart_000_${h4}_$h8\.$h8^^
* MID2 ?? ^^[^.]+^^
* ^MIME-Version: 1\.0\
^Content-Type:.*\
^X-Priority: 3\
^X-MSMail-Priority: Normal\
^X-Mailer: Microsoft Outlook Express 6(\.[0-9]+)+\
^X-MimeOLE: Produced By Microsoft MimeOLE V6(\.[0-9]+)+$
*$ B ?? ^--$\H_CTB\
^Content-Type: image/gif;\
^$s+name=\"[^\"]*\.gif\"\
(^Content-Transfer-Encoding: base64)?\
^Content-ID: <$h12[$]$h8[$]$h8(_at_)$MID2>$
.in.suspect.stock-gif/
:0
* N_RCVD ?? ^^(2|3)^^
*$ H_CTB ?? ^^$h+^^
*$ MID2 ?? $\DOMAIN^^
*$ ^From: [^\"<]+ <[^(_at_)]+@$\DOMAIN>$
*$ B ?? ^--$\H_CTB\
^Content-Type: image/gif;\
^$s+name=\"[^\"]+\.gif\"\
(^Content-Transfer-Encoding: base64)?\
^Content-ID: <$h+(_at_)$\DOMAIN>$
.in.suspect.pharma-gif/
Based on about 20 recent samples. These recipes can catch ham with an
attached gif too, so please report back here how you refined the
conditions to solve that.
--
Groet, Ruud
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail