[ SEA-GHOST MINI SHELL]
# SpamAssassin rules file: Image information tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::ImageInfo
## # you can match by image name
## body DC_IMAGE001_GIF eval:image_named('image001.gif')
## describe DC_IMAGE001_GIF Contains image named image001.gif
## # you can do exact image size matches
## body DC_GIF_264_127 eval:image_size_exact('gif','264','127')
## describe DC_GIF_264_127 Found 264x127 pixel gif, possible pillz
# you can do image to text, or image to html ratios
rawbody __DC_IMG_HTML_RATIO eval:image_to_text_ratio('all', '0.000', '0.015')
describe __DC_IMG_HTML_RATIO Low rawbody to pixel area ratio
body __DC_IMG_TEXT_RATIO eval:image_to_text_ratio('all', '0.000', '0.008')
describe __DC_IMG_TEXT_RATIO Low body to pixel area ratio
# body DC_GIF_TEXT_RATIO eval:image_to_text_ratio('gif',0.000, 0.008)
# describe DC_GIF_TEXT_RATIO Low body to GIF pixel area ratio
# rawbody DC_GIF_HTML_RATIO eval:image_to_text_ratio('gif',0.000, 0.008)
# describe DC_GIF_HTML_RATIO Low rawbody to GIF pixel area ratio
# using exact size match to identify things like screenshots
# body __SCREEN_640x480 eval:image_size_exact('all',800,600)
# body __SCREEN_800x600 eval:image_size_exact('all',800,600)
# body __SCREEN_1024x768 eval:image_size_exact('all',1024,768)
# body __SCREEN_1280x1024 eval:image_size_exact('all',1280,1024)
# meta DC_SCREENSHOT_JPG ( __SCREEN_640x480 || __SCREEN_800x600 || __SCREEN_1024x768 || __SCREEN_1280x1024 )
# describe DC_SCREENSHOT_JPG Contains image matching common screen resolution
# score DC_SCREENSHOT_JPG -0.01
# you can do minimum demension matches
# body DC_GIF_300 eval:image_size_range('gif',300,300)
# describe DC_GIF_300 Contains a 300x300 pixels gif or larger
# score DC_GIF_300 0.01
# you can do ranged demension matches
# body DC_JPEG_200_300 eval:image_size_range('gif', 200, 300, 250, 350)
# describe DC_JPEG_200_300 Contains jpeg 200-250 (high) x 300-350 (wide)
# score DC_JPEG_200_300 0.01
# you can count the number of images (all or by image type)
body __GIF_ATTACH_1 eval:image_count('gif','1','1')
body __GIF_ATTACH_2P eval:image_count('gif','2')
body __PNG_ATTACH_1 eval:image_count('png','1','1')
body __PNG_ATTACH_2P eval:image_count('png','2')
body __JPEG_ATTACH_1 eval:image_count('jpeg',1,1)
body __JPEG_ATTACH_2P eval:image_count('jpeg',2)
# you can determine pixel coverage (all or by image type)
body __GIF_AREA_180K eval:pixel_coverage('gif','180000','475000')
body __PNG_AREA_180K eval:pixel_coverage('png','180000','475000')
# body __JPEG_AREA_180K eval:pixel_coverage('jpeg',180000,475000)
# meta together something useful
meta DC_GIF_UNO_LARGO ( __GIF_ATTACH_1 && __GIF_AREA_180K )
describe DC_GIF_UNO_LARGO Message contains a single large gif image
meta __DC_GIF_MULTI_LARGO ( __GIF_ATTACH_2P && __GIF_AREA_180K )
describe __DC_GIF_MULTI_LARGO Message has 2+ inline gif covering lots of area
meta DC_PNG_UNO_LARGO ( __PNG_ATTACH_1 && __PNG_AREA_180K )
describe DC_PNG_UNO_LARGO Message contains a single large png image
meta __DC_PNG_MULTI_LARGO ( __PNG_ATTACH_2P && __PNG_AREA_180K )
describe __DC_PNG_MULTI_LARGO Message has 2+ png images covering lots of area
# meta DC_JPEG_UNO_LARGO ( __JPEG_ATTACH_1 && __JPEG_AREA_180K )
# describe DC_JPEG_UNO_LARGO Message hash single large jpeg image
# meta DC_JPEG_MULTI_LARGO ( __JPEG_ATTACH_2P && __JPEG_AREA_180K )
# describe DC_JPEG_MULTI_LARGO Message has 2+ jpeg images covering lots of area
meta DC_IMAGE_SPAM_TEXT ( !__HAS_URI && __DC_IMG_TEXT_RATIO && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || __DC_GIF_MULTI_LARGO || __DC_PNG_MULTI_LARGO ))
describe DC_IMAGE_SPAM_TEXT Possible Image-only spam with little text
# meta the stock rules together for HTML_IMAGE_ONLY_*
meta __HTML_IMG_ONLY ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 )
meta DC_IMAGE_SPAM_HTML (!__HAS_URI && ( __HTML_IMG_ONLY || __DC_IMG_HTML_RATIO ) && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || __DC_GIF_MULTI_LARGO || __DC_PNG_MULTI_LARGO ))
describe DC_IMAGE_SPAM_HTML Possible Image-only spam
endif
SEA-GHOST - SHELL CODING BY SEA-GHOST