Thanks Kevin,

I did a similar rule to detect it but with a higher score (3), since we are seeing 
a huge LinkedIn phishing campaign using this technique, which, on purpose or by 
mistake, is evading most SA rules...
I agree that Thunderbird may be doing it wrong. Outlook seems to do it right.

>I would say Thunderbird is not parsing it correctly.  Looking to see if this 
>is a spam indicator.


>I ran some test cases with this rule:
>#Bad UTF-8 content type and transfer encoding

>header   __KAM_BAD_UTF8_1               Content-Type =~ /text\/html; charset=\"utf-8\"/i
>header   __KAM_BAD_UTF8_2               Content-Transfer-Encoding =~ /base64/i
>meta    KAM_BAD_UTF8    (__KAM_BAD_UTF8_1 + __KAM_BAD_UTF8_2 >= 2)
>score   KAM_BAD_UTF8    1.0
>describe KAM_BAD_UTF8   Bad Content Type and Transfer Encoding that attempts to evade SA scanning
>
>So far not seeing any sign it's in the wild.  Have you?
-----
Pedro
   
