Re: [SPAM] Re: False positive in rule: FUZZY_XPILL
On Tue, 9 Sep 2014, Marcin Mirosław wrote:

> On 09.09.2014 at 15:19, John Hardin wrote:
>> On Tue, 9 Sep 2014, Marcin Mirosław wrote:
>>> Hi again, I noticed an FP on the mentioned rule when checking ham
>>> email. Due to confidential content I don't want to share it on the
>>> ML. Is somebody willing to improve the mentioned rule, or is one case
>>> not enough to look at it? If somebody would like to look inside it I
>>> can send such an email off-list.
>>
>> I'll take a look.
>
> Hi!
> Thank you. FUZZY_XPILL has a high score so it would be great to lower
> the chance of an FP.
> The attached email has a partially, manually removed pdf attachment. I
> hope I didn't break the MIME parts too much. The attached email still
> triggers FUZZY_XPILL.
> Regards,
> Marcin

Is that email supposed to have an image attached to it? I note one of the
MIME parts has this:

    Content-Type: text/plain; name="mpanic.png"

The content-type is wrong for a binary data attachment.

That attachment also doesn't appear to be a valid .PNG image file. Are you
actually able to view that as an image?

The FUZZY_XPILL hit is on what appears to be binary data in the message
body, likely due to that attachment being interpreted as body text due to
the MIME type. I can find what appears to be the matched string within the
mpanic.png file, but not anywhere in the actual text part of the message.

I think that you should contact whoever sent that message and have them
review how they are generating it. I'm reluctant to call this SA's fault
for trusting the MIME content type.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Phobias should not be the basis for laws.
-----------------------------------------------------------------------
 8 days until the 227th anniversary of the signing of the U.S. Constitution
Re: [SPAM] Re: False positive in rule: FUZZY_XPILL
On 10.09.2014 at 06:57, John Hardin wrote:
> On Tue, 9 Sep 2014, Marcin Mirosław wrote:
>
>> On 09.09.2014 at 15:19, John Hardin wrote:
>>> On Tue, 9 Sep 2014, Marcin Mirosław wrote:
>>>> Hi again, I noticed an FP on the mentioned rule when checking ham
>>>> email. Due to confidential content I don't want to share it on the
>>>> ML. Is somebody willing to improve the mentioned rule, or is one
>>>> case not enough to look at it? If somebody would like to look inside
>>>> it I can send such an email off-list.
>>>
>>> I'll take a look.
>>
>> Hi!
>> Thank you. FUZZY_XPILL has a high score so it would be great to lower
>> the chance of an FP.
>> The attached email has a partially, manually removed pdf attachment. I
>> hope I didn't break the MIME parts too much. The attached email still
>> triggers FUZZY_XPILL.
>> Regards,
>> Marcin

Hi!
I'm sorry for the huge delay in answering.

> Is that email supposed to have an image attached to it? I note one of
> the MIME parts has this:
>
>     Content-Type: text/plain; name="mpanic.png"
>
> The content-type is wrong for a binary data attachment.
>
> That attachment also doesn't appear to be a valid .PNG image file. Are
> you actually able to view that as an image?

$ file mpanic.png
mpanic.png: PNG image data, 684 x 750, 8-bit/color RGBA, non-interlaced

Okular doesn't have a problem with this image; Thunderbird also displays
it in the message.

> The FUZZY_XPILL hit is on what appears to be binary data in the message
> body, likely due to that attachment being interpreted as body text due
> to the MIME type. I can find what appears to be the matched string
> within the mpanic.png file, but not anywhere in the actual text part of
> the message.
>
> I think that you should contact whoever sent that message and have them
> review how they are generating it. I'm reluctant to call this SA's fault
> for trusting the MIME content type.

I'll try to contact them, but this is an automatically generated email
with an invoice. I'm expecting that they can't modify the bought software.

Thanks,
Marcin
Re: [SPAM] Re: False positive in rule: FUZZY_XPILL
On Mon, 29 Sep 2014, Marcin Mirosław wrote:

> On 10.09.2014 at 06:57, John Hardin wrote:
>> On Tue, 9 Sep 2014, Marcin Mirosław wrote:
>>> On 09.09.2014 at 15:19, John Hardin wrote:
>>>> On Tue, 9 Sep 2014, Marcin Mirosław wrote:
>>>>> Hi again, I noticed an FP on the mentioned rule when checking ham
>>>>> email. Due to confidential content I don't want to share it on the
>>>>> ML. Is somebody willing to improve the mentioned rule, or is one
>>>>> case not enough to look at it? If somebody would like to look
>>>>> inside it I can send such an email off-list.
>>>>
>>>> I'll take a look.
>>>
>>> Hi!
>>> Thank you. FUZZY_XPILL has a high score so it would be great to lower
>>> the chance of an FP.
>>> The attached email has a partially, manually removed pdf attachment.
>>> I hope I didn't break the MIME parts too much. The attached email
>>> still triggers FUZZY_XPILL.
>>> Regards,
>>> Marcin
>
> Hi!
> I'm sorry for the huge delay in answering.

No problem.

>> Is that email supposed to have an image attached to it? I note one of
>> the MIME parts has this:
>>
>>     Content-Type: text/plain; name="mpanic.png"
>>
>> The content-type is wrong for a binary data attachment.
>>
>> That attachment also doesn't appear to be a valid .PNG image file. Are
>> you actually able to view that as an image?
>
> $ file mpanic.png
> mpanic.png: PNG image data, 684 x 750, 8-bit/color RGBA, non-interlaced
>
> Okular doesn't have a problem with this image; Thunderbird also displays
> it in the message.

That's interesting. The tools on my linux dev box (including GIMP) claim
that it's corrupted. That's why I asked.

$ file mpanic.png
mpanic.png: data

$ od -c -t x1 mpanic.png | head -2
000   ?   P   N   G  \n 032  \n  \0  \0  \0  \r   I   H   D   R  \0
     3f  50  4e  47  0a  1a  0a  00  00  00  0d  49  48  44  52  00

Does that match what you have?

As for TB displaying it in the message: I guess they are looking at the
attachment filename rather than the attachment MIME type.

>> The FUZZY_XPILL hit is on what appears to be binary data in the message
>> body, likely due to that attachment being interpreted as body text due
>> to the MIME type. I can find what appears to be the matched string
>> within the mpanic.png file, but not anywhere in the actual text part of
>> the message.
>>
>> I think that you should contact whoever sent that message and have them
>> review how they are generating it. I'm reluctant to call this SA's
>> fault for trusting the MIME content type.
>
> I'll try to contact them, but this is an automatically generated email
> with an invoice. I'm expecting that they can't modify the bought
> software.

Then the vendor needs a bug report filed.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  When people get used to preferential treatment, equal treatment seems
  like discrimination. -- Thomas Sowell
-----------------------------------------------------------------------
 5 days until the 10th anniversary of SpaceshipOne winning the X-prize
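As an added illustration (not code from this thread or from SpamAssassin), a small Python check that does what the discussion above argues a mail pipeline should do before trusting a declared Content-Type: compare each attachment's type with its leading bytes, and recognise the exact signature rewrite visible in the od output (0x89 became '?', CR LF became LF), which is the footprint of binary data having passed through a text/plain path. The sample message, its addresses and the two 16-byte file heads are constructed to mirror the thread, not taken from the real invoice mail.

```python
import base64
import email
from email import policy

PNG_SIG = b"\x89PNG\r\n\x1a\n"          # the real 8-byte PNG signature
MANGLED_SIG = b"?PNG\n\x1a\n"          # what od showed: 0x89 -> '?', CR LF -> LF

# Constructed 16-byte file heads, mirroring the od output quoted in the thread.
VALID_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00"
MANGLED_HEAD = b"?PNG\n\x1a\n\x00\x00\x00\rIHDR\x00"

def png_signature_state(data: bytes) -> str:
    """'valid', 'text-mangled' (signature rewritten by text handling) or 'not-png'."""
    if data.startswith(PNG_SIG):
        return "valid"
    if data.startswith(MANGLED_SIG):
        return "text-mangled"
    return "not-png"

def audit_attachments(raw: bytes) -> list:
    """One finding per part that is named or looks like a PNG but is mislabelled or damaged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ctype = part.get_content_type()          # declared type, lower-cased
        payload = part.get_payload(decode=True) or b""   # undo base64/QP first
        if name.lower().endswith(".png") or payload[1:4] == b"PNG":
            state = png_signature_state(payload)
            if ctype != "image/png" or state != "valid":
                findings.append({"name": name, "declared": ctype, "png": state})
    return findings

def build_sample(attachment: bytes, declared_type: str) -> bytes:
    """Constructed invoice-style message (hypothetical addresses) carrying the attachment."""
    body = base64.b64encode(attachment).decode()
    return (
        "From: invoices@vendor.example\r\nTo: user@example.invalid\r\n"
        "Subject: Invoice\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
        "--XX\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n"
        "Your invoice is attached.\r\n"
        f'--XX\r\nContent-Type: {declared_type}; name="mpanic.png"\r\n'
        'Content-Disposition: attachment; filename="mpanic.png"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n" + body + "\r\n--XX--\r\n"
    ).encode()
```

Running `audit_attachments(build_sample(MANGLED_HEAD, "text/plain"))` reports the mpanic.png part as declared text/plain with a text-mangled signature, which is the combination that let the rule see the file's bytes as body text.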