On 4/11/2023 7:34 AM, Florian Lohoff wrote:
On Tue, Apr 11, 2023 at 06:53:48AM -0400, Kevin A. McGrail via MIMEDefang wrote:
There are a LOT of obfuscation techniques but there are also real (but very
stupid) banks that do things like email html files for instructions to their
clients and things.

Do you have a sample of the file with the bad HTML and I can see if there
are SA rules that hit it too?
Normal SpamAssassin did not match anything significant - I added these as custom
rules:

I would suggest you look at the KAM Ruleset from https://mcgrail.com and look at the rules based on the MIMEHeader plugin where you could trigger on html files being attached,

HTML attachment part of the mail started like this. Then it had an image
as base64 and a div with hundreds of base64 snippets which - when merged - was
a long javascript. So I guess they included jquery for its base64
decoder and the other external script uri to jumpstart decoding and
running the JS code.

Yeah, definitely using MIMEDefang (or mailmunge) to remove Javascript tags is a good idea if you don't want to outright block html file attachments.

Regards,
KAM


_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

MIMEDefang mailing list [email protected]
https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org
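
As an added illustration of triggering on attached HTML files and the script content described in this thread (not code from the thread, from MIMEDefang or from the KAM ruleset), here is a standalone Python triage that reports script tags, external script URLs and base64-looking text runs in HTML attachments. The sample message, the 24-character run threshold and the flag condition are assumptions.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
# Constructed sample mail (not from the thread); base64 runs are harmless filler.
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attachment.
--b1
Content-Type: text/html; name="doc.html"
Content-Disposition: attachment; filename="doc.html"

<script src="https://cdn.example.com/jquery.min.js"></script>
<div id="a">QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=</div>
<div id="b">YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=</div>
--b1--
"""
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # run length is an assumption

class Scan(HTMLParser):
    """Counts <script> tags, external script URLs and base64-looking text runs."""
    def __init__(self):
        super().__init__()
        self.scripts, self.external, self.b64_runs = 0, [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
            self.external += [v for k, v in attrs if k == "src" and v]
    def handle_data(self, data):
        self.b64_runs += len(B64_RUN.findall(data))

def scan_message(raw):
    """Return one finding per attached HTML file in the raw message text."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        name = (part.get_filename() or "").lower()
        html = part.get_content_type() == "text/html" or name.endswith((".htm", ".html"))
        if part.is_multipart() or not html or part.get_content_disposition() != "attachment":
            continue
        scan = Scan()
        scan.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        scan.close()  # flush any text buffered after the last tag
        findings.append({"file": name, "scripts": scan.scripts, "external": scan.external,
                         "b64_runs": scan.b64_runs, "flag": scan.scripts > 0 or scan.b64_runs > 1})
    return findings
```
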
