On Tue, 2 Mar 2010, Chip M. wrote:

Since these started, they've had 19 of these phish:
 1 "Bank of America"<supp...@boa.com>
 1 "PayPaI"<upd...@paypai.com>
 1 "Paypal Inc."<cust_s...@paypalsecurity.com>
 1 "serv...@irs.gov"<serv...@irs.gov>
 1 "serv...@paypal.com"<c>
 1 "serv...@paypal.com"<secur...@act.embarqservices.net>
 3 "serv...@paypal.com"<Security>
 1 "U.S. Bancorp"<off...@usb.com>
 1 "Wachovia"<supp...@wachovia.com>
 1 "Wells Fargo Online"<ofsreponline.al...@wellsfargo.com>
 1 Bank of America <memberserv...@bofa.com>
 2 Bank of America <serv...@boa.com>
 1 Bank of America<memberserv...@boa.com>
 1 Internal Revenue Service<service.refun...@irss.com>
 1 Western Union<memberserv...@poste.it>
 1 Western Union<memberserv...@wumts.com>

In that same sample, I found only 3 hams with base64
application/octet-stream html attachments.

I've had all the component rules in my sandbox for a while, but I just added one that combines the above two signs. Would you be willing to test this and see how well it does in practice? Scores are appropriate for experimental rules, rescore as you see fit, comments solicited.

I don't know why the OBFU_*_ATTACH rules aren't showing up in ruleqa, I've had them in my sandbox for _months_...


ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   OBFU_HTML_ATTACH    Content-Type =~ m,application/octet-stream;.+\.html?\b,i
  describe     OBFU_HTML_ATTACH    HTML attachment with non-text MIME type

  mimeheader   OBFU_TEXT_ATTACH    Content-Type =~ m,application/octet-stream;.+\.txt\b,i
  describe     OBFU_TEXT_ATTACH    Text attachment with non-text MIME type

  mimeheader   OBFU_DOC_ATTACH     Content-Type =~ m,application/octet-stream;.+\.(?:doc|rtf)\b,i
  describe     OBFU_DOC_ATTACH     MS Document attachment with generic MIME type
  score        OBFU_DOC_ATTACH     0.25

  mimeheader   OBFU_PDF_ATTACH     Content-Type =~ m,application/octet-stream;.+\.pdf\b,i
  describe     OBFU_PDF_ATTACH     PDF attachment with generic MIME type
  score        OBFU_PDF_ATTACH     0.25

  meta         OBFU_ATTACH_MISSP   FROM_MISSPACED && (OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || OBFU_DOC_ATTACH || OBFU_PDF_ATTACH)
  describe     OBFU_ATTACH_MISSP   Obfuscated attachment type and misspaced From
endif


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Taking my gun away because I *might* shoot someone is like cutting
  my tongue out because I *might* yell "Fire!" in a crowded theater.
                                                  -- Peter Venetoklis
-----------------------------------------------------------------------
 12 days until Albert Einstein's 131st Birthday

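To see what the posted rules actually fire on, here is an added Python emulation (not part of the thread or of SpamAssassin) that applies the same OBFU_*_ATTACH patterns to each MIME part's Content-Type and combines them with a stand-in for FROM_MISSPACED, whose real definition the post does not include: it is assumed here to mean a display name butted directly against the angle-bracketed address, as in the From headers listed above. The sample message and its addresses are constructed.

```python
import re
from email import message_from_string

# Same patterns as the posted mimeheader rules: a generic application/octet-stream
# part whose declared filename carries a text-like extension.
OBFU_ATTACH_RULES = {
    "OBFU_HTML_ATTACH": re.compile(r"application/octet-stream;.+\.html?\b", re.I),
    "OBFU_TEXT_ATTACH": re.compile(r"application/octet-stream;.+\.txt\b", re.I),
    "OBFU_DOC_ATTACH": re.compile(r"application/octet-stream;.+\.(?:doc|rtf)\b", re.I),
    "OBFU_PDF_ATTACH": re.compile(r"application/octet-stream;.+\.pdf\b", re.I),
}

# Assumed stand-in for the sandbox FROM_MISSPACED rule (not defined in the post):
# a quoted or bare display name immediately followed by "<addr>", no space.
FROM_MISSPACED_RE = re.compile(r'(?:"[^"]*"|\w)<[^>]+>')


def attachment_hits(msg):
    """Names of OBFU_*_ATTACH rules matched by any MIME part's Content-Type."""
    hits = set()
    for part in msg.walk():
        # Unfold the header so ".+" can span a folded name= parameter, as SA does.
        ctype = " ".join(part.get("Content-Type", "").split())
        hits.update(name for name, pat in OBFU_ATTACH_RULES.items() if pat.search(ctype))
    return hits


def evaluate(raw):
    """Evaluate the component rules and the OBFU_ATTACH_MISSP meta for one message."""
    msg = message_from_string(raw)
    hits = attachment_hits(msg)
    result = {name: name in hits for name in OBFU_ATTACH_RULES}
    result["FROM_MISSPACED"] = bool(FROM_MISSPACED_RE.search(msg.get("From", "")))
    result["OBFU_ATTACH_MISSP"] = result["FROM_MISSPACED"] and bool(hits)
    return result


# Constructed sample in the shape of the phish described: misspaced From plus a
# base64 .html attachment declared as application/octet-stream (placeholder addresses).
SAMPLE_PHISH = """\
From: "Bank of America"<support@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: application/octet-stream;
 name="verify.html"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--XYZ--
"""
```

Putting a space back between the display name and the address turns the sample into one of the "3 hams": OBFU_HTML_ATTACH still fires, but the meta does not.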