Re: Direct download phish
Hi, On Mon, Mar 19, 2018 at 11:08 PM, Pedro David Marco wrote: > Hi Alex, > > There is a plugin that may help in here... > > https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html > > so a rule like this as a first protoype may help: > > uri_detail FAKE_URL_FILE_TYPE text =~ /\.pdf\b/i cleaned > =~ /\.(zip|docx)\b/i Works a treat, thanks!
Re: Direct download phish
Hi Alex, There is a plugin that may help in here... https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html so a rule like this as a first protoype may help: uri_detail FAKE_URL_FILE_TYPE text =~ /\.pdf\b/i cleaned =~ /\.(zip|docx)\b/i Regards/Saludos, -PedroD
Direct download phish
Hi, I received an email that was tagged as spam for other reasons, but I'd like to write a rule that catches the attempt to present a ZIP as a PDF file. href="https://securesite.fdsit.net/uu/Propuesta-estrategia.zip"; rel="noopener noreferrer" target=_blank>Propuesta-estrategia.pdf How do I catch the variation in the URI description that differs from the URI itself? I've tried something like the following, but it's not right. uri _URI_ZIP_PDF m;https?://.{1,80}\.(zip|docx?).{0,40}\.pdf;i Full email here https://pastebin.com/NfSzv9Wa