We're seeing a lot of what I assume are exploit files coming from yahoo.com.
They are all base64 encoded HTML attachments with a bunch of javascript in them.

http://pastebin.com/ZSmW0kwW

I've gone ahead and put a pretty high scoring rule in place to block things that are:

1) From yahoo.com
2) Have a HTML attachment
3) Are base64 encoded

My question is how important is #1. I'd think a HTML attachment is a little unusual period but how common would it be that there was one and it was base64 encoded?

I'm considering just another lower scoring rule for #2 and #3 because I have seen them from places other than yahoo.com.

Chris

--
-------------------------------------------------------------------------
Chris Owen - Garden City (620) 275-1900 - Lottery (noun):
President  - Wichita     (316) 858-3000 - A stupidity tax
Hubris Communications Inc      www.hubris.net
-------------------------------------------------------------------------
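
The two-tier scoring described in the message above, as an added example that is not part of the original post and not the poster's actual rule: it parses a message with Python's standard email module and scores it higher when all three conditions hold, lower when only #2 and #3 hold. The score values, function names and the sample message are assumptions constructed for illustration.

```python
import base64
import email
from email import policy
from email.utils import parseaddr

# Hypothetical scores (not from the post): high when conditions #1-#3 all
# hold, lower when only the attachment conditions #2 and #3 hold.
SCORE_ALL_THREE = 5.0
SCORE_ATTACHMENT_ONLY = 2.0

def b64_html_attachments(msg):
    """Return filenames of parts that are HTML attachments sent as base64."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        is_html = part.get_content_type() == "text/html"
        is_attachment = part.get_content_disposition() == "attachment"
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if is_html and is_attachment and cte == "base64":
            hits.append(part.get_filename() or "(unnamed)")
    return hits

def score_message(raw_bytes):
    """Return (score, matching attachment names) for one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    hits = b64_html_attachments(msg)
    if not hits:
        return 0.0, hits
    score = SCORE_ALL_THREE if domain == "yahoo.com" else SCORE_ATTACHMENT_ONLY
    return score, hits

def build_sample(sender, encoding):
    """Constructed test message; the HTML body is harmless placeholder text."""
    html = b"<html><body>constructed sample</body></html>"
    body = base64.b64encode(html).decode() if encoding == "base64" else html.decode()
    return (
        f"From: Example Sender <{sender}>\nTo: user@example.org\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nsee attachment\n"
        '--b1\nContent-Type: text/html; name="doc.html"\n'
        f"Content-Transfer-Encoding: {encoding}\n"
        'Content-Disposition: attachment; filename="doc.html"\n\n'
        f"{body}\n--b1--\n"
    ).encode()
```

The check requires the content type, disposition and transfer encoding to match on the same MIME part, so a base64 image next to a plain HTML body does not count as a hit.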