Content-Type custom rule

[Danúbio Marinho]

Hello,

I identified in a header of a phishing message a image name pattern. Below follow an example:

Content-Type: image/jpeg;
name="1560469802890.jpg"

Are 13 numbers of 0 the 9. Then, i created a custom rule to add a score for theses messages. Bellow has an example:

header JPEG_CT Content-Type =~ /name\=\"\d{13}\.jpg\"/i
score JPEG_CT 5
describe JPEG_CT Blocks phishing messages requesting for ransom

But its not working

This rule is correct?

 

[fluxX04]

Hi,

the rule looks good. Did you restarted the pmg-smtp-filter?:

systemctl restart pmg-smtp-filter.service

Greetz

 

[Danúbio Marinho]

Hi,

the rule looks good. Did you restarted the pmg-smtp-filter?:

systemctl restart pmg-smtp-filter.service

Greetz

Hi,

Thank you for your reply.

And yes, i restarted the service. I'll monitoring the scores.

 

[Danúbio Marinho]

The rule is not working. The score doesn't appear in spam info.

I tried to implement using mime header. The new rule is below:

mimeheader JPEG_CT Content-Type =~ /name\=\"\d{13}\.jpg\"/i
describe JPEG_CT Blocks phishing messages requesting for ransom
score JPEG_CT 5.0

But also not working. I'm not sure how it works. The body of suspicious message is an image.

It is necessary enable some plugin for this rule to work?