| # SpamAssassin rules file: Image information tests |
| # |
| # Please don't modify this file as your changes will be overwritten with |
| # the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. |
| # See 'perldoc Mail::SpamAssassin::Conf' for details. |
| # |
| # <@LICENSE> |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to you under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at: |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # </@LICENSE> |
| # |
| ########################################################################### |
| |
| ifplugin Mail::SpamAssassin::Plugin::ImageInfo |
| |
| ## # you can match by image name |
| ## body DC_IMAGE001_GIF eval:image_named('image001.gif') |
| ## describe DC_IMAGE001_GIF Contains image named image001.gif |
| |
| ## # you can do exact image size matches |
| ## body DC_GIF_264_127 eval:image_size_exact('gif','264','127') |
| ## describe DC_GIF_264_127 Found 264x127 pixel gif, possible pillz |
| |
| # you can do image to text, or image to html ratios |
| rawbody __DC_IMG_HTML_RATIO eval:image_to_text_ratio('all', '0.000', '0.015') |
| describe __DC_IMG_HTML_RATIO Low rawbody to pixel area ratio |
| |
| body __DC_IMG_TEXT_RATIO eval:image_to_text_ratio('all', '0.000', '0.008') |
| describe __DC_IMG_TEXT_RATIO Low body to pixel area ratio |
| |
| # body DC_GIF_TEXT_RATIO eval:image_to_text_ratio('gif',0.000, 0.008) |
| # describe DC_GIF_TEXT_RATIO Low body to GIF pixel area ratio |
| |
| # rawbody DC_GIF_HTML_RATIO eval:image_to_text_ratio('gif',0.000, 0.008) |
| # describe DC_GIF_HTML_RATIO Low rawbody to GIF pixel area ratio |
| |
| # using exact size match to identify things like screenshots |
| # body __SCREEN_640x480 eval:image_size_exact('all',800,600) |
| # body __SCREEN_800x600 eval:image_size_exact('all',800,600) |
| # body __SCREEN_1024x768 eval:image_size_exact('all',1024,768) |
| # body __SCREEN_1280x1024 eval:image_size_exact('all',1280,1024) |
| # meta DC_SCREENSHOT_JPG ( __SCREEN_640x480 || __SCREEN_800x600 || __SCREEN_1024x768 || __SCREEN_1280x1024 ) |
| # describe DC_SCREENSHOT_JPG Contains image matching common screen resolution |
| # score DC_SCREENSHOT_JPG -0.01 |
| |
| # you can do minimum demension matches |
| # body DC_GIF_300 eval:image_size_range('gif',300,300) |
| # describe DC_GIF_300 Contains a 300x300 pixels gif or larger |
| # score DC_GIF_300 0.01 |
| |
| # you can do ranged demension matches |
| # body DC_JPEG_200_300 eval:image_size_range('gif', 200, 300, 250, 350) |
| # describe DC_JPEG_200_300 Contains jpeg 200-250 (high) x 300-350 (wide) |
| # score DC_JPEG_200_300 0.01 |
| |
| # you can count the number of images (all or by image type) |
| body __GIF_ATTACH_1 eval:image_count('gif','1','1') |
| body __GIF_ATTACH_2P eval:image_count('gif','2') |
| |
| body __PNG_ATTACH_1 eval:image_count('png','1','1') |
| body __PNG_ATTACH_2P eval:image_count('png','2') |
| |
| body __JPEG_ATTACH_1 eval:image_count('jpeg',1,1) |
| body __JPEG_ATTACH_2P eval:image_count('jpeg',2) |
| |
| # you can determine pixel coverage (all or by image type) |
| body __GIF_AREA_180K eval:pixel_coverage('gif','180000','475000') |
| body __PNG_AREA_180K eval:pixel_coverage('png','180000','475000') |
| # body __JPEG_AREA_180K eval:pixel_coverage('jpeg',180000,475000) |
| |
| # meta together something useful |
| meta DC_GIF_UNO_LARGO ( __GIF_ATTACH_1 && __GIF_AREA_180K ) |
| describe DC_GIF_UNO_LARGO Message contains a single large gif image |
| |
| meta __DC_GIF_MULTI_LARGO ( __GIF_ATTACH_2P && __GIF_AREA_180K ) |
| describe __DC_GIF_MULTI_LARGO Message has 2+ inline gif covering lots of area |
| |
| meta DC_PNG_UNO_LARGO ( __PNG_ATTACH_1 && __PNG_AREA_180K ) |
| describe DC_PNG_UNO_LARGO Message contains a single large png image |
| |
| meta __DC_PNG_MULTI_LARGO ( __PNG_ATTACH_2P && __PNG_AREA_180K ) |
| describe __DC_PNG_MULTI_LARGO Message has 2+ png images covering lots of area |
| |
| # meta DC_JPEG_UNO_LARGO ( __JPEG_ATTACH_1 && __JPEG_AREA_180K ) |
| # describe DC_JPEG_UNO_LARGO Message hash single large jpeg image |
| |
| # meta DC_JPEG_MULTI_LARGO ( __JPEG_ATTACH_2P && __JPEG_AREA_180K ) |
| # describe DC_JPEG_MULTI_LARGO Message has 2+ jpeg images covering lots of area |
| |
| meta DC_IMAGE_SPAM_TEXT ( !__HAS_URI && __DC_IMG_TEXT_RATIO && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || __DC_GIF_MULTI_LARGO || __DC_PNG_MULTI_LARGO )) |
| describe DC_IMAGE_SPAM_TEXT Possible Image-only spam with little text |
| |
| # meta the stock rules together for HTML_IMAGE_ONLY_* |
| meta __HTML_IMG_ONLY ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 ) |
| |
| meta DC_IMAGE_SPAM_HTML (!__HAS_URI && ( __HTML_IMG_ONLY || __DC_IMG_HTML_RATIO ) && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || __DC_GIF_MULTI_LARGO || __DC_PNG_MULTI_LARGO )) |
| describe DC_IMAGE_SPAM_HTML Possible Image-only spam |
| |
| endif |