# Version: 0.7
# Requires: ImageInfo.pm plugin

ifplugin Mail::SpamAssassin::Plugin::ImageInfo

# you can match by image name
body		DC_IMAGE001_GIF		eval:image_named('image001.gif')
describe	DC_IMAGE001_GIF		Contains image named image001.gif
score		DC_IMAGE001_GIF		0.50

# you can do exact image size matches 
body	 	DC_GIF_264_127  	eval:image_size_exact('gif',264,127)
describe 	DC_GIF_264_127  	Found 264x127 pixel gif, possible pillz
score    	DC_GIF_264_127  	0.50

# you can do image to text, or image to html ratios 
rawbody		DC_IMG_HTML_RATIO	eval:image_to_text_ratio('all',0.000, 0.015)
describe	DC_IMG_HTML_RATIO	Low rawbody to pixel area ratio
score		DC_IMG_HTML_RATIO	1.0

body		DC_IMG_TEXT_RATIO	eval:image_to_text_ratio('all',0.000, 0.008)
describe	DC_IMG_TEXT_RATIO	Low body to pixel area ratio
score		DC_IMG_TEXT_RATIO	1.0

# body		DC_GIF_TEXT_RATIO	eval:image_to_text_ratio('gif',0.000, 0.008)
# describe	DC_GIF_TEXT_RATIO	Low body to GIF pixel area ratio
# score		DC_GIF_TEXT_RATIO	0.01

# rawbody	DC_GIF_HTML_RATIO	eval:image_to_text_ratio('gif',0.000, 0.008)
# describe	DC_GIF_HTML_RATIO	Low rawbody to GIF pixel area ratio
# score		DC_GIF_HTML_RATIO	0.01

# using exact size match to identify things like screenshots
# body	 	__SCREEN_640x480  	eval:image_size_exact('all',640,480)
# body	 	__SCREEN_800x600 	eval:image_size_exact('all',800,600)
# body	 	__SCREEN_1024x768 	eval:image_size_exact('all',1024,768)
# body	 	__SCREEN_1280x1024  	eval:image_size_exact('all',1280,1024)
# meta		DC_SCREENSHOT_JPG	( __SCREEN_640x480 || __SCREEN_800x600 || __SCREEN_1024x768 || __SCREEN_1280x1024 )
# describe	DC_SCREENSHOT_JPG	Contains inline image matching common screen resolution
# score		DC_SCREENSHOT_JPG	-0.01

# you can do minimum demension matches
# body	 	DC_GIF_300		eval:image_size_range('gif',300,300)
# describe	DC_GIF_300		Contains a 300x300 pixels gif or larger
# score		DC_GIF_300		0.01

# you can do ranged demension matches
# body	 	DC_JPEG_200_300		eval:image_size_range('gif', 200, 300, 250, 350)
# describe	DC_JPEG_200_300		Contains jpeg 200-250 (high) x 300-350 (wide)
# score		DC_JPEG_200_300 	0.01

# you can count the number of images (all or by image type)
body	 	__GIF_ATTACH_1		eval:image_count('gif',1,1)
body  		__GIF_ATTACH_2P		eval:image_count('gif',2)

body		__PNG_ATTACH_1		eval:image_count('png',1,1)
body  	 	__PNG_ATTACH_2P		eval:image_count('png',2)

# body		__JPEG_ATTACH_1		eval:image_count('jpeg',1,1)
# body		__JPEG_ATTACH_2P	eval:image_count('jpeg',2)

# you can determine pixel coverage (all or by image type)
body		__GIF_AREA_180K		eval:pixel_coverage('gif',180000,475000)
body		__PNG_AREA_180K		eval:pixel_coverage('png',180000,475000)
# body		__JPEG_AREA_180K	eval:pixel_coverage('jpeg',180000,475000)

# meta together something useful
meta	 	DC_GIF_UNO_LARGO	( __GIF_ATTACH_1 && __GIF_AREA_180K )
describe 	DC_GIF_UNO_LARGO  	Message contains a single large inline gif
score	 	DC_GIF_UNO_LARGO	3.00

meta		DC_GIF_MULTI_LARGO 	( __GIF_ATTACH_2P && __GIF_AREA_180K )
describe	DC_GIF_MULTI_LARGO  	Message has 2+ inline gif covering lots of area
score		DC_GIF_MULTI_LARGO 	4.00

meta	 	DC_PNG_UNO_LARGO	( __PNG_ATTACH_1 && __PNG_AREA_180K )
describe 	DC_PNG_UNO_LARGO	Message contains a single large inline gif
score	 	DC_PNG_UNO_LARGO	3.00

meta	 	DC_PNG_MULTI_LARGO 	( __PNG_ATTACH_2P && __PNG_AREA_180K )
describe	DC_PNG_MULTI_LARGO  	Message has 2+ inline png covering lots of area
score	 	DC_PNG_MULTI_LARGO 	4.00

# meta	 	DC_JPEG_UNO_LARGO 	( __JPEG_ATTACH_1 && __JPEG_AREA_180K )
# describe	DC_JPEG_UNO_LARGO  	Message hash single large inline jpeg
# score	 	DC_JPEG_UNO_LARGO 	3.00

# meta	 	DC_JPEG_MULTI_LARGO 	( __JPEG_ATTACH_2P && __JPEG_AREA_180K )
# describe	DC_JPEG_MULTI_LARGO  	Message has 2+ inline jpeg covering lots of area
# score	 	DC_JPEG_MULTI_LARGO 	4.00

meta		DC_IMAGE_SPAM_TEXT		( DC_IMG_TEXT_RATIO && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || DC_GIF_MULTI_LARGO || DC_PNG_MULTI_LARGO ))
describe	DC_IMAGE_SPAM_TEXT		Possible Image-only spam with little text
score		DC_IMAGE_SPAM_TEXT		2.00

# meta all the HTML_IMAGE_ONLY_* rules together
meta		__HTML_IMG_ONLY			( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 )

meta		DC_IMAGE_SPAM_HTML		( ( __HTML_IMG_ONLY  || DC_IMG_HTML_RATIO ) && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || DC_GIF_MULTI_LARGO || DC_PNG_MULTI_LARGO ))
describe	DC_IMAGE_SPAM_HTML		Possible Image-only spam
score		DC_IMAGE_SPAM_HTML		3.00

# double dot gifs (from Kevin)
body		CG_DOUBLEDOT_GIF	eval:image_name_regex('/^\w{2,9}\.\.gif$/')
describe	CG_DOUBLEDOT_GIF	Double dotted image name
score		CG_DOUBLEDOT_GIF	1.4

# emails containing pictures from digital cameras (from Kevin)
# although i think most of these images will be >256kb (unless they 
# have been post-processed) so SA probably isnt scanning them.

# Nikon/Sony: DSC00001.JPG
body		CG_SONY_JPG	eval:image_name_regex('/^DSC\d{5}\.JPG$/')
describe	CG_SONY_JPG	Looks like a Sony/Nikon digital camera shot
score		CG_SONY_JPG	-0.1

# Fuji: DSCF0001.JPG
body		CG_FUJI_JPG	eval:image_name_regex('/^DSCF\d{4}\.JPG$/')
describe	CG_FUJI_JPG	Looks like a Fuji digital camera shot
score		CG_FUJI_JPG	-0.1

# Canon: BODY0001.JPG 
body		CG_CANON_JPG	eval:image_name_regex('/^\w{4}\d{4}\.JPG$/')
describe	CG_CANON_JPG	Canon's semi random image names
score		CG_CANON_JPG	-0.1

endif