On Tue, 23 Oct 2012, Axb wrote:

> On 10/23/2012 10:48 PM, John Hardin wrote:
>> On Tue, 23 Oct 2012, Kevin A. McGrail wrote:
>>> My thoughts were to ignore any binary attachments.
>>
>> I don't think that's justified. I'm beginning to see a resurgence of
>> image spams that the OCR plugin would probably catch. Plus I fairly
>> regularly see 419 spams with the body of the pitch in a PDF or MS Word
>> document attachment.
>
> SA never scanned binary attachments and the chunk method wouldn't change
> that, just apply rules to content for which it was not designed.
> PDF/Word attachments need to be detected by checksum or other newer methods,
> but definitely not by the existing rule methods.
> You won't get anything useful with a raw/body rule or any other regex scanner
> out of an encoded chunk of an attachment.

I'm not suggesting you would.

> Stuff like PDFinfo, Imageinfo, etc are the kind of plugins required to do foo
> against attachments.

That's my point. If we strip binary attachments, what would PDFinfo,
Imageinfo, FuzzyOCR et al. have to work with?

Or am I misunderstanding and this stripping is occurring internally to SA
and affects what the RE rules scan? If so, I apologize, I was assuming the
context was spamc or something else client-side doing the strip/ignore and
SA never getting the attachments in the first place...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] FALaholic #11174 pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
One death is a tragedy; thirty is a media sensation;
a million is a statistic. -- Joseph Stalin, modernized
-----------------------------------------------------------------------
145 days since the first successful private support mission to ISS (SpaceX)
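An added illustration of the point argued in this thread (this is example code, not from the thread or from SpamAssassin itself): a constructed MIME message carries a 419-style pitch only inside a base64-encoded attachment. A regex applied to the wire form of the message, the way a raw/body rule would see an encoded chunk, finds nothing; only walking the MIME tree and decoding each part, which is what an attachment-aware plugin has to do, surfaces the text. The addresses, filename, attachment bytes and the pattern are all constructed for the example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample: the pitch text exists only inside the attachment.
PITCH = b"Dear friend, I need your urgent assistance to transfer funds"


def build_sample_message() -> bytes:
    """Build a constructed MIME message: harmless text body, plus an
    application/pdf attachment (not a real PDF, just labelled bytes) that
    the email library encodes as base64 on the wire."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "see attached"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(b"%PDF-1.4\n" + PITCH + b"\n%%EOF",
                       maintype="application", subtype="pdf",
                       filename="letter.pdf")
    return msg.as_bytes()


# A regex "rule" for the pitch, standing in for a body/rawbody pattern.
PITCH_RULE = re.compile(rb"urgent assistance to transfer funds", re.I)


def rule_hits_raw(raw: bytes) -> bool:
    """Apply the regex to the wire form: the attachment is a base64 chunk
    here, so the pattern cannot match it."""
    return PITCH_RULE.search(raw) is not None


def rule_hits_decoded_parts(raw: bytes) -> bool:
    """Walk the MIME tree and apply the regex to each leaf part's decoded
    payload (base64/quoted-printable undone), as an attachment-aware
    plugin would have to do before any content check makes sense."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload and PITCH_RULE.search(payload):
            return True
    return False
```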