SpamAssassin does not detect rules if an iso file is attached


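Recently I have been receiving a lot of spam with a DHL_Tracking.pdf.iso file attached. I checked the rules saved in local.cf and they are fine. But I noticed that SpamAssassin fails to detect some of the emails. I removed all the rules from local.cf and added one basic rawbody rule.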

rawbody MIME_TEST /qwertyuasdfghjk/
describe MIME_TEST Test
score MIME_TEST 9

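Then I sent test emails from my Yahoo email account. In my first email I sent only text, and I included the search word qwertyuasdfghjk in the text. In my second email I sent the same text again, but I attached the iso file that SpamAssassin could not detect. Surprisingly, although the bodies of the two emails were exactly the same, SpamAssassin did not detect the email with the iso file attached as spam.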


The body of my first email is:

MIME-Version: 1.0
Content-Type: multipart/alternative; 
    boundary="----=_Part_747683_1439360458.1633988723397"
References: <[email protected]>
X-Mailer: WebService/1.1.19116 YMailNorrin
Content-Length: 673
X-Spam-Score: 68
X-Spam-Bar: ++++++
X-Spam-Report: Spam detection software, running on the system "bifra.com.tr",
 has identified this incoming email as possible spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  qer qwertyuasdfghjk fdfr frefre qwertyuasdfghjkdwedew dew
   dew qer qwertyuasdfghjk fdfr frefre qwertyuasdfghjkdwedew dew dew 
 
 Content analysis details:   (6.8 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
                             provider (pcmgogo[at]yahoo.com)
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                             [74.6.132.124 listed in wl.mailspike.net]
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  7.0 MIME_TEST              BODY: Test
  0.0 HTML_MESSAGE           BODY: HTML included in message
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                             author's domain
X-Spam-Status: Yes
X-Spam-Subject: [*SPAM=68*] Test posta 1
X-ACL-Warn: SpamAssassin detected spam (from ****[email protected] to t*****@b****.**m).
Subject: [*SPAM=68*] Test posta 1

------=_Part_747683_1439360458.1633988723397
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

qer qwertyuasdfghjk fdfr frefre qwertyuasdfghjkdwedew dew dew

------=_Part_747683_1439360458.1633988723397
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html><head></head><body><div class="yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div dir="ltr" data-setdir="false"><span>qer <span><span>qwertyuasdfghjk</span></span> fdfr frefre <span><span>qwertyuasdfghjk</span></span>dwedew dew dew</span><br></div></div></body></html>
------=_Part_747683_1439360458.1633988723397--

The body of my second email, with the iso file attached:

MIME-Version: 1.0
Content-Type: multipart/mixed; 
    boundary="----=_Part_890579_1702502143.1633988740660"
References: <[email protected]>
X-Mailer: WebService/1.1.19116 YMailNorrin
Content-Length: 1057995

------=_Part_890579_1702502143.1633988740660
Content-Type: multipart/alternative; 
    boundary="----=_Part_890578_767586642.1633988740652"

------=_Part_890578_767586642.1633988740652
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

qer qwertyuasdfghjk fdfr frefre qwertyuasdfghjkdwedew dew dew

------=_Part_890578_767586642.1633988740652
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html><head></head><body><div class="yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div dir="ltr" data-setdir="false"><span>qer <span><span>qwertyuasdfghjk</span></span> fdfr frefre <span><span>qwertyuasdfghjk</span></span>dwedew dew dew</span><br></div></div></body></html>
------=_Part_890578_767586642.1633988740652--

------=_Part_890579_1702502143.1633988740660
Content-Type: application/x-cd-image
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="=?UTF-8?b?REhMXzExOTA0MCBhbMSxxZ8gaXJzYWxpeWVzaSBiZWxnZXNpLHBkZi5pc28=?="
Content-ID: <[email protected]>

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
.........

The bodies of the two emails are the same, so why can't the second email be detected as spam?

Answer 1

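https://arstechnica.com/civis/viewtopic.php?t=409557 discusses a similar problem. It seems that attachments are not considered part of the body and are not scanned by this directive. Using "raw" instead of "rawbody" seems to be the answer.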
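The split between text parts and attachment parts that the answer describes, as an added example (not code from the original post or from SpamAssassin, and it does not reproduce SpamAssassin's rule evaluation): it walks a constructed message shaped like the second email, checks the text parts for the test token, and decodes the RFC 2047 attachment filename so that a name check sees the real extension. The `triage` function, the `LURE` pattern and the sample message are assumptions made for illustration; only the encoded filename is taken from the page.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Constructed sample shaped like the second message on the page: text part plus a
# base64 disk-image attachment. Only the encoded filename is from the page.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset=UTF-8

qer qwertyuasdfghjk fdfr frefre
--inner--
--outer
Content-Type: application/x-cd-image
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="=?UTF-8?b?REhMXzExOTA0MCBhbMSxxZ8gaXJzYWxpeWVzaSBiZWxnZXNpLHBkZi5pc28=?="

AAAAAAAAAAAAAAAAAAAA
--outer--
"""

# Assumed pattern (not a SpamAssassin rule): a document-like extension followed
# by a disk-image extension, e.g. "x.pdf.iso" or "x,pdf.iso".
LURE = re.compile(r"[.,_ -](pdf|docx?|xlsx?)\.(iso|img|vhd)$", re.I)


def triage(raw, token="qwertyuasdfghjk"):
    """Report whether the token is in a text part, and list named attachments."""
    report = {"token_in_text": False, "attachments": []}
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is not None:
            # The raw header holds an encoded-word; decode it before matching.
            name = str(make_header(decode_header(name)))
            report["attachments"].append(
                (part.get_content_type(), name, bool(LURE.search(name))))
        elif part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            report["token_in_text"] |= token in body
    return report
```

A pattern looking for `.iso` in the undecoded `Content-Disposition` header would not match this message, because the extension only appears after the base64 encoded-word is decoded.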
