# SpamAssassin rules file: Image information tests # # Please don't modify this file as your changes will be overwritten with # the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # <@LICENSE> # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to you under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at: # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ########################################################################### ifplugin Mail::SpamAssassin::Plugin::ImageInfo ## # you can match by image name ## body DC_IMAGE001_GIF eval:image_named('image001.gif') ## describe DC_IMAGE001_GIF Contains image named image001.gif ## # you can do exact image size matches ## body DC_GIF_264_127 eval:image_size_exact('gif','264','127') ## describe DC_GIF_264_127 Found 264x127 pixel gif, possible pillz # you can do image to text, or image to html ratios rawbody __DC_IMG_HTML_RATIO eval:image_to_text_ratio('all', '0.000', '0.015') describe __DC_IMG_HTML_RATIO Low rawbody to pixel area ratio body __DC_IMG_TEXT_RATIO eval:image_to_text_ratio('all', '0.000', '0.008') describe __DC_IMG_TEXT_RATIO Low body to pixel area ratio # body DC_GIF_TEXT_RATIO eval:image_to_text_ratio('gif',0.000, 0.008) # describe DC_GIF_TEXT_RATIO Low body to GIF pixel area ratio # rawbody DC_GIF_HTML_RATIO eval:image_to_text_ratio('gif',0.000, 0.008) # describe DC_GIF_HTML_RATIO Low rawbody to GIF pixel area ratio # using exact size match to identify things like screenshots # body __SCREEN_640x480 eval:image_size_exact('all',800,600) # body __SCREEN_800x600 eval:image_size_exact('all',800,600) # body __SCREEN_1024x768 eval:image_size_exact('all',1024,768) # body __SCREEN_1280x1024 eval:image_size_exact('all',1280,1024) # meta DC_SCREENSHOT_JPG ( __SCREEN_640x480 || __SCREEN_800x600 || __SCREEN_1024x768 || __SCREEN_1280x1024 ) # describe DC_SCREENSHOT_JPG Contains image matching common screen resolution # score DC_SCREENSHOT_JPG -0.01 # you can do minimum demension matches # body DC_GIF_300 eval:image_size_range('gif',300,300) # describe DC_GIF_300 Contains a 300x300 pixels gif or larger # score DC_GIF_300 0.01 # you can do ranged demension matches # body DC_JPEG_200_300 eval:image_size_range('gif', 200, 300, 250, 350) # describe DC_JPEG_200_300 Contains jpeg 200-250 (high) x 300-350 (wide) # score DC_JPEG_200_300 0.01 # you can count the number of images (all or by image type) body __GIF_ATTACH_1 eval:image_count('gif','1','1') body __GIF_ATTACH_2P eval:image_count('gif','2') body __PNG_ATTACH_1 eval:image_count('png','1','1') body __PNG_ATTACH_2P eval:image_count('png','2') body __JPEG_ATTACH_1 eval:image_count('jpeg',1,1) body __JPEG_ATTACH_2P eval:image_count('jpeg',2) # you can determine pixel coverage (all or by image type) body __GIF_AREA_180K eval:pixel_coverage('gif','180000','475000') body __PNG_AREA_180K eval:pixel_coverage('png','180000','475000') # body __JPEG_AREA_180K eval:pixel_coverage('jpeg',180000,475000) # meta together something useful meta DC_GIF_UNO_LARGO ( __GIF_ATTACH_1 && __GIF_AREA_180K ) describe DC_GIF_UNO_LARGO Message contains a single large gif image meta __DC_GIF_MULTI_LARGO ( __GIF_ATTACH_2P && __GIF_AREA_180K ) describe __DC_GIF_MULTI_LARGO Message has 2+ inline gif covering lots of area meta DC_PNG_UNO_LARGO ( __PNG_ATTACH_1 && __PNG_AREA_180K ) describe DC_PNG_UNO_LARGO Message contains a single large png image meta __DC_PNG_MULTI_LARGO ( __PNG_ATTACH_2P && __PNG_AREA_180K ) describe __DC_PNG_MULTI_LARGO Message has 2+ png images covering lots of area # meta DC_JPEG_UNO_LARGO ( __JPEG_ATTACH_1 && __JPEG_AREA_180K ) # describe DC_JPEG_UNO_LARGO Message hash single large jpeg image # meta DC_JPEG_MULTI_LARGO ( __JPEG_ATTACH_2P && __JPEG_AREA_180K ) # describe DC_JPEG_MULTI_LARGO Message has 2+ jpeg images covering lots of area meta DC_IMAGE_SPAM_TEXT ( !__HAS_URI && __DC_IMG_TEXT_RATIO && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || __DC_GIF_MULTI_LARGO || __DC_PNG_MULTI_LARGO )) describe DC_IMAGE_SPAM_TEXT Possible Image-only spam with little text # meta the stock rules together for HTML_IMAGE_ONLY_* meta __HTML_IMG_ONLY ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 ) meta DC_IMAGE_SPAM_HTML (!__HAS_URI && ( __HTML_IMG_ONLY || __DC_IMG_HTML_RATIO ) && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || __DC_GIF_MULTI_LARGO || __DC_PNG_MULTI_LARGO )) describe DC_IMAGE_SPAM_HTML Possible Image-only spam endif