On Mon, 1 Mar 2010, Charles Gregory wrote:
> On Mon, 1 Mar 2010, David B Funk wrote:
>> Looks like he may have to use a 'full' test to look for the references
>> to paypal....
> Been there, done that, doesn't work.
> AFAIK SA ignores 'octet/binary' attachments for the rule engine. None of
> the rules that I tried (uri, body, full, rawbody) "saw" anything that was
> known to be in one of those attachments.
> You may have to examine the 'raw' message and look for 'encoding' that
> disguises the URIs in the attachment. This whole thing might be encoded
> as base64 or something... A real mess to work with. You might have more
> success making a rule that looks for mime headers that are type 'octet'
> but named 'html'.
I already have some rules for that in my sandbox, but IIRC they aren't
scoring too well on ruleqa.
You won't be able to score that too high on its own,
but it might combine well in a meta rule with certain buzz phrases from
the text portions of the e-mail.
...or look into the TextExtract plugin as Benny suggested.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
adware architecture incorporating spyware, profiling, competitor
suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
13 days until Albert Einstein's 131st Birthday
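The check discussed above (a MIME part declared application/octet-stream but named *.html, with the base64 payload decoded before searching it for the "paypal" URI) as a stand-alone Python script. This is an added example, not code from the thread or from SpamAssassin; the sample message is constructed inline, and the names build_sample_message, find_disguised_html and uris_mentioning are my own.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample message (not from the thread): an HTML file carrying a
# paypal-lookalike link, attached as application/octet-stream. Because the
# attachment is base64-encoded, the literal string "paypal" never appears in
# the raw message bytes, which is why a regex over the raw text misses it.
def build_sample_message(maintype="application", subtype="octet-stream") -> bytes:
    html = (b"<html><body>Your account is limited. "
            b"<a href='http://paypal.example.com/login'>Restore access</a>"
            b"</body></html>")
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Account notice"
    msg.set_content("Please open the attached notice.")
    # bytes content is base64-encoded by default
    msg.add_attachment(html, maintype=maintype, subtype=subtype,
                       filename="notice.html")
    return msg.as_bytes()

SUSPECT_TYPES = {"application/octet-stream"}
HTML_EXT = re.compile(r"\.html?$", re.I)
URI_RE = re.compile(rb"https?://[^\s'\"<>]+", re.I)

def find_disguised_html(raw: bytes):
    """Return (filename, decoded_payload) for every leaf part whose declared
    Content-Type is octet-stream but whose filename claims it is HTML.
    This is the 'type octet but named html' header check, done on headers only."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if part.get_content_type() in SUSPECT_TYPES and HTML_EXT.search(name):
            # decode=True undoes the Content-Transfer-Encoding (base64 here)
            hits.append((name, part.get_payload(decode=True)))
    return hits

def uris_mentioning(raw: bytes, needle: str):
    """Decode each disguised HTML part and collect the URIs that contain needle,
    i.e. the check a 'uri' rule cannot do because it never sees the attachment."""
    wanted = needle.lower().encode()
    found = []
    for name, body in find_disguised_html(raw):
        for uri in URI_RE.findall(body):
            if wanted in uri.lower():
                found.append((name, uri.decode("ascii", "replace")))
    return found

if __name__ == "__main__":
    raw = build_sample_message()
    print("raw message mentions paypal:", b"paypal" in raw)
    for name, uri in uris_mentioning(raw, "paypal"):
        print(f"disguised HTML part {name!r} links to {uri}")
```

Running it shows the raw bytes do not contain "paypal" while the decoded attachment does. The header half of this check (type vs. filename) is what SpamAssassin's MIMEHeader plugin's `mimeheader` rule type is for; the decoded-content half is what the TextExtract plugin mentioned in the thread is meant to supply, and the two can then be combined in a meta rule as suggested above.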