# <LICENSE>
#
# Free as in beer.  Free as in speech.  You get the picture...
#
# </LICENSE>
#
# File: pdfinfouserrules.cf
# Version: 0.1
# Created: 2007-07-19
# Modified: 2007-07-19
# Author: Andy Kinnard (AnonymousDog) andyk at slcpa dot biz
# Requires: PDFInfo.pm plugin
# License: None
# Description: This plugin/ruleset combination will help you alleviate the new
#              PDF based stock spam which began to appear mid-June, 2007.
#
# Changes:
#
#   0.1 - initial ruleset.
#

ifplugin Mail::SpamAssassin::Plugin::PDFInfo

# pdf_match_details()

body          GMD_PRODUCER_UNKNOWN        eval:pdf_match_details('producer','/^unknown$/')
describe      GMD_PRODUCER_UNKNOWN        Missing PDF meta data for producer
score         GMD_PRODUCER_UNKNOWN        1.0

body          GMD_CREATED_ZERO        eval:pdf_match_details('created','/^0$/')
describe      GMD_CREATED_ZERO        Missing PDF meta data for created date
score         GMD_CREATED_ZERO        1.0

# The next four should be just meta b/c they're very common in ham and uncorrupted pdfs.  The descriptions follow from the above two.
body          __GMD_CREATOR_UNKNOWN        eval:pdf_match_details('creator','/^unknown$/')
body          __GMD_TITLE_UNTITLED        eval:pdf_match_details('title','/^untitled$/')
body          __GMD_MODIFIED_ZERO        eval:pdf_match_details('modified','/^0$/')
body          __GMD_AUTHOR_UNKNOWN        eval:pdf_match_details('author','/^unknown$/')
# End of four

body          GMD_PRODUCER_TEXT2PDF       eval:pdf_match_details('producer','/^text2pdf/')
describe      GMD_PRODUCER_TEXT2PDF       PDF meta data for producer begins with text2pdf
score         GMD_PRODUCER_TEXT2PDF       3.0

body          GMD_PRODUCER_IMAGEMAGICK       eval:pdf_match_details('producer','/^ImageMagick/')
describe      GMD_PRODUCER_IMAGEMAGICK       PDF meta data for producer begins with ImageMagick
score         GMD_PRODUCER_IMAGEMAGICK       0.001

body          GMD_PRODUCER_EASYPDF       eval:pdf_match_details('producer','/easyPDF/')
describe      GMD_PRODUCER_EASYPDF       PDF meta data for producer contains easyPDF
score         GMD_PRODUCER_EASYPDF       0.5

body          GMD_TITLE_STOCK     eval:pdf_match_details('title','/stock/')
describe      GMD_TITLE_STOCK     PDF meta data for title contains stock
score         GMD_TITLE_STOCK     2.0

# metas

meta         GMD_PDF_LIKELY_CORRUPT   ( GMD_PRODUCER_UNKNOWN && GMD_CREATED_ZERO )
describe     GMD_PDF_LIKELY_CORRUPT   Missing PDF meta data for producer and created date indicates probable PDF format corruption
score        GMD_PDF_LIKELY_CORRUPT   1.5

meta         GMD_MISSING_LESSER_DETAILS     ( __GMD_CREATOR_UNKNOWN && __GMD_TITLE_UNTITLED && __GMD_MODIFIED_ZERO && __GMD_AUTHOR_UNKNOWN )
describe     GMD_MISSING_LESSER_DETAILS     Missing PDF meta data for ALL lesser details: creator, title, modified date, and author
score        GMD_MISSING_LESSER_DETAILS     0.5

meta         __GMD_KNOWN_SPAM_PRODUCERS     ( GMD_PRODUCER_TEXT2PDF || GMD_PRODUCER_IMAGEMAGICK || GMD_PRODUCER_EASYPDF )
describe     __GMD_KNOWN_SPAM_PRODUCERS     PDF meta data for producer matches one of those deemed "known spam producer"

# This rule needs more titles to be effective
meta        __GMD_KNOWN_SPAM_TITLES     ( GMD_TITLE_STOCK )
describe    __GMD_KNOWN_SPAM_TITLES     PDF meta data for title matches one of those deemed "known spam titles"

# This rule won't be effective until __GMD_KNOWN_SPAM_TITLES is
meta        GMD_PRODUCER_AND_TITLE     ( __GMD_KNOWN_SPAM_PRODUCERS && __GMD_KNOWN_SPAM_TITLES )
describe    GMD_PRODUCER_AND_TITLE     PDF meta data for title AND producer match those deemed "known spam *"
score       GMD_PRODUCER_AND_TITLE     0.001

endif