On 08/31/2016 08:56 PM, John Hardin wrote:
On Wed, 31 Aug 2016, Chip M. wrote:
** Mitigation:
The easiest way to catch these is with a simple body word match.
Here are the exact matches I am currently using (some of them are
recent additions, listed in date of addition order):
href="data:
href='data:
http://data:
data:text/html;base64
<IMG src="data:
hta:application
I'll see about getting those into the sandbox.
IMG src="data can FP a lot.
*** Do any of you HTML gurus have additional suggestions? :)
... a poison-pill rule for < script > tags in email HTML? (only
slightly tongue-in-cheek)
could hit a lot of cheapo CMS sourced "legit" bulk content.
and possibly my favourite headache: airline ticket confirmations.
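An added example, not code from anyone in this thread: a Python standard-library sketch that goes beyond the literal strings listed above by parsing each text/html part, so spacing, quoting, case and entity-encoding variants of the same `data:` links are caught, and inline `IMG src="data:image/...` (the false-positive case raised above) is marked for review rather than flagged. The names `DataUriFinder` and `scan_message`, the "flag"/"review" labels and the sample message are assumptions made for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message (not from the thread); the payload decodes to "<b>hi</b>".
SAMPLE = """\
From: a@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<a HREF = 'data:text/html;base64,PGI+aGk8L2I+'>open invoice</a>
<img src="data:image/png;base64,iVBORw0KGgo=">
"""


class DataUriFinder(HTMLParser):
    """Record href/src attributes carrying a data: URI, plus <hta:application>."""
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, attribute, mime type, verdict)

    def handle_starttag(self, tag, attrs):
        if tag == "hta:application":
            self.hits.append((tag, "", "", "flag"))
        for name, value in attrs:
            # Attribute values arrive entity-decoded; also fold "http://data:" to "data:".
            uri = (value or "").strip().lower().removeprefix("http://")
            if name not in ("href", "src") or not uri.startswith("data:"):
                continue
            # data:[<mime>][;base64],<payload>; an empty type means text/plain
            mime = uri[5:].split(",", 1)[0].split(";", 1)[0] or "text/plain"
            # Inline images are common in legitimate mail, so only mark them for review.
            inline_image = tag == "img" and name == "src" and mime.startswith("image/")
            self.hits.append((tag, name, mime, "review" if inline_image else "flag"))


def scan_message(raw):
    """Return data: URI hits from every text/html part of an RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    finder = DataUriFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())  # decodes base64 / quoted-printable
    finder.close()
    return finder.hits


if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Because the transfer encoding is decoded before parsing, a quoted-printable `href=3D"data:...` is seen the same way as the plain form.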