On Tue, Apr 11, 2023 at 11:49:39AM +0200, giovanni--- via MIMEDefang wrote:
> On 4/10/23 11:32, Florian Lohoff via MIMEDefang wrote:
> >
> > Hi,
> > I'd like to drop/replace HTML attachments/mails which contain active
> > components like javascript/javascript external refs.
> >
> >
> > <script language="javascript></script>
> >
> > or
> >
> > <html><head>
> > <script type="text/javascript" src="http://a.b.c.d"></script>
> > </head></html>
> >
> > Basically going through all text/html etc parts. I am unsure whether
> > I'd need to really decode HTML with HTML::Parse or the like to find it
> > or if simple "regex" matching would be sufficient. Currently I am
> > dropping this by spamassassin with custom filters using regex.
> >
> > Has anyone an example for this or experience which HTML perl module
> > is the most stable?
> >
> It can be done using HTML::Parser, and then running
> Mail::MIMEDefang::Actions:action_rebuild().
> In some cases it can be tricky because html attachments could be base64
> encoded.

Yeah - A customer of mine got bitten by this (cleaning up the ransomware
rubble for 3 weeks now. Massive base64 javascript encoded chunk. Chrome
110 sandbox escape.)

I'd rather block the mail or drop the whole attachment/mimepart if any signs
of "javascript".

From my quick analysis javascript in mails is pretty rare and in 99% of
the cases spam/ad stuff.

I right now have a simple custom rule in spamassassin scoring the above
very high as spam and rejecting it. But for my taste that's too simple.
I'd rather walk through all individual MIME parts.

Flo
--
Florian Lohoff [email protected]
Any sufficiently advanced technology is indistinguishable from magic.
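The approach discussed in this thread (walk every MIME part, let the MIME layer undo base64, then parse the HTML instead of regex-matching it), as an added stand-alone example that is not from the original posts or from MIMEDefang itself. The sub names and the sample message are constructed for illustration; flagging `on*` handlers and `javascript:` URLs goes slightly beyond the `<script>` cases quoted above.

```perl
use strict;
use warnings;
use MIME::Parser;
use MIME::Base64 qw(encode_base64);
use HTML::Parser;

# Parse one decoded HTML string and list the active content found in it.
sub html_script_findings {
    my ($html) = @_;
    my @found;
    my $p = HTML::Parser->new(api_version => 3, start_h => [ sub {
        my ($tag, $attr) = @_;    # both lower-cased by HTML::Parser
        push @found, defined $attr->{src} ? "external script: $attr->{src}" : 'inline script'
            if $tag eq 'script';
        for my $name (sort keys %$attr) {
            push @found, "event handler: $name" if $name =~ /^on/;
            push @found, "javascript: URL in $name" if $attr->{$name} =~ /^\s*javascript:/i;
        }
    }, 'tagname, attr' ]);
    $p->parse($html); $p->eof;
    return @found;
}

# Walk all MIME parts. bodyhandle yields the body with base64 or
# quoted-printable already decoded, so encoded attachments are covered.
sub scan_entity {
    my ($entity, $path) = @_;
    my (@hits, $i);
    push @hits, scan_entity($_, $path . '.' . ++$i) for $entity->parts;
    my $name = $entity->head->recommended_filename // '';
    if ($entity->bodyhandle && ($entity->mime_type eq 'text/html' || $name =~ /\.html?$/i)) {
        push @hits, map { "part $path: $_" } html_script_findings($entity->bodyhandle->as_string);
    }
    return @hits;
}

# Constructed sample: multipart mail with a base64-encoded HTML attachment.
my $html = '<html><head><script type="text/javascript" src="http://a.b.c.d"></script>'
         . '</head><body onload="x()">hi</body></html>';
my $raw = join "\n",
    'From: sender@example.com', 'Subject: constructed sample', 'MIME-Version: 1.0',
    'Content-Type: multipart/mixed; boundary="b1"', '',
    '--b1', 'Content-Type: text/plain', '', 'see attachment',
    '--b1', 'Content-Type: text/html; name="invoice.html"',
    'Content-Transfer-Encoding: base64', '', encode_base64($html) . '--b1--', '';

my $parser = MIME::Parser->new;
$parser->output_to_core(1);    # keep decoded bodies in memory, no files on disk
print "$_\n" for scan_entity($parser->parse_data($raw), '1');
```

Inside a MIMEDefang filter the parts arrive already parsed, so only the per-part check is needed before deciding to drop or reject.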
