On Tue, 9 Feb 2021, Kenneth Porter wrote:
> I'm reminded of the recent post suggesting that SA parse QR codes to feed
> URLs to block lists.
>
> The email includes a web document pretending to be an Excel document (double
> extension .xlsx.hTML) that contains a JavaScript Morse decoder and a string
> with the URLs encoded in Morse.
>
> I see two ways to block this: 1) MUAs should ignore code in HTML. 2) A
> malware scanner like ClamAV should watch for this kind of stuff.

You're missing the simplest one: double extensions like that are hostile
and should be rejected.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Sheep have only two speeds: graze and stampede. -- LTC Grossman
-----------------------------------------------------------------------
3 days until Abraham Lincoln's and Charles Darwin's 212th Birthdays
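
The double-extension rejection suggested in the reply above, sketched as an added example that is not part of the original thread and not SpamAssassin or ClamAV code. The function names, the two extension lists and the sample message are assumptions made for illustration.

```python
import email
from email import policy

# Assumed extension lists for this example; adjust them to local policy.
DOCUMENT_EXTS = {"xlsx", "xls", "docx", "doc", "pptx", "pdf", "txt", "jpg", "png"}
ACTIVE_EXTS = {"html", "htm", "xhtml", "shtml", "svg", "js", "hta"}

def is_hostile_double_extension(filename):
    """True when a document-style extension is followed by an active-content one."""
    # Compare case-insensitively and ignore trailing dots/spaces used to hide the real type.
    name = filename.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 3:
        return False  # a single extension is not the pattern discussed here
    return parts[-1] in ACTIVE_EXTS and parts[-2] in DOCUMENT_EXTS

def scan_message(raw_bytes):
    """Return the attachment filenames in a raw message that should cause rejection."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        # Filename from Content-Disposition, else the Content-Type name parameter.
        filename = part.get_filename()
        if filename and is_hostile_double_extension(filename):
            hits.append(filename)
    return hits

# Constructed sample message: one disguised HTML attachment, one ordinary spreadsheet.
SAMPLE = (
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html\r\n"
    b'Content-Disposition: attachment; filename="invoice.xlsx.hTML"\r\n\r\n'
    b"<html></html>\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="report.v2.xlsx"\r\n\r\n'
    b"data\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

The check looks only at the declared filename, so it complements rather than replaces the MUA and scanner options raised in the quoted message.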