Re: scan an HTML file, possible?

2016-08-03 Thread Dave Funk 

On Wed, 3 Aug 2016, Robert Boyl wrote:


Hi, everyone

I have a very nice regex a friend passed me that catches those emails that have 
an HTML attached with a redirect html command to
some malefic website.

He has some tool in Exim that scans text in attachments. But I wanted to use a 
spamassassin rule.

Is there some plugin/way in Spamassassin to scan text of an html attachment?



You can write 'full' rules that will work with raw HTML in recognized html 
attachments. The problem is that SA has business logic that ignores 
non-textural attachments, and that can be fooled by mime-typing.


So if the attachment has a mime-type of "text/html" SA will scan it.
If it has a mime-type of "application/octet-stream" SA will ignore it but 
if the attachment has a filename ending in ".htm" most client programs 
will treat it as HTML and open it as such.


I once wrote a rule to detect such obfuscation but it had too many FPs.

--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: scan an HTML file, possible?

2016-08-03 Thread Benny Pedersen 

On 2016-08-03 14:13, Robert Boyl wrote:


I have a very nice regex a friend passed me that catches those emails
that have an HTML attached with a redirect html command to some
malefic website.


bravo


He has some tool in Exim that scans text in attachments. But I wanted
to use a spamassassin rule.


clamav ?

google foxhole 3dr party signature, tell clamav-milter to accept virus, 
and then in mta stage REJECT official virus, what is left is unofficiel 
sigs to be spam handled later



Is there some plugin/way in Spamassassin to scan text of an html
attachment?


yes clamav plugin, its just ram hungry, so take the clamav-milter way

in spamassassin then create rules based on clamav-milter headers

just remember to in mta stage reject virus

scan an HTML file, possible?

2016-08-03 Thread Robert Boyl 
Hi, everyone

I have a very nice regex a friend passed me that catches those emails that
have an HTML attached with a redirect html command to some malefic website.

He has some tool in Exim that scans text in attachments. But I wanted to
use a spamassassin rule.

Is there some plugin/way in Spamassassin to scan text of an html attachment?

Thanks!
Rob