On 10.09.2014 at 06:57, John Hardin wrote:
> On Tue, 9 Sep 2014, Marcin Mirosław wrote:
> 
>> On 09.09.2014 at 15:19, John Hardin wrote:
>>> On Tue, 9 Sep 2014, Marcin Mirosław wrote:
>>>
>>>> Hi again,
>>>> I noticed an FP on the mentioned rule when checking a ham email. Due to
>>>> confidential content I don't want to share it on the ML. Is somebody
>>>> willing to improve the mentioned rule, or is one case not enough to look
>>>> at it? If somebody would like to look into it, I can send the email offlist.
>>>
>>> I'll take a look.
>>
>> Hi!
>> Thank you. FUZZY_PILL has a high score, so it would be great to lower
>> the chance of an FP.
>> The attached email has had its PDF attachment partially, manually removed.
>> I hope I didn't break the MIME parts too much. The attached email still
>> triggers FUZZY_XPILL.
>> Regards,
>> Marcin

Hi!
I'm sorry for the huge delay in answering.

> Is that email supposed to have an image attached to it? I note one of
> the MIME parts has this:
> 
>    Content-Type: text/plain; name="mpanic.png"
> 
> The content-type is wrong for a binary data attachment.
> 
> That attachment also doesn't appear to be a valid .PNG image file. Are
> you actually able to view that as an image?

$ file mpanic.png
mpanic.png: PNG image data, 684 x 750, 8-bit/color RGBA, non-interlaced

Okular doesn't have a problem with this image; Thunderbird also displays
it in the message.

> The FUZZY_XPILL hit is on what appears to be binary data in the message
> body, likely due to that attachment being interpreted as body text due
> to the MIME type. I can find what appears to be the matched string
> within the mpanic.png file, but not anywhere in the actual text part of
> the message.
> 
> I think that you should contact whoever sent that message and have them
> review how they are generating it. I'm reluctant to call this SA's fault
> for trusting the MIME content type.


I'll try to contact them, but this is an automatically generated email
with an invoice. I expect that they can't modify the software they bought.

Thanks,
Marcin
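
An added illustration, not part of the original thread and not SpamAssassin code: a Python check that a mail administrator could run over a saved message to list parts declared as text/* whose decoded bytes begin with a binary file signature, which is the mismatch discussed above. The sample message, the sender address and the function names are constructed for this example.

```python
import base64
import email
from email import policy

# Well-known leading file signatures ("magic numbers") for common binary formats.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
}

def sniff(data):
    """Return the MIME type implied by the leading bytes, or None if unrecognised."""
    return next((mime for magic, mime in MAGIC.items() if data.startswith(magic)), None)

def mismatched_text_parts(raw_message):
    """List (name, declared_type, sniffed_type) for text/* parts holding binary data."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # decode=True undoes base64/quoted-printable, giving the part's raw bytes
        data = part.get_payload(decode=True) or b""
        actual = sniff(data)
        if actual:
            name = part.get_param("name") or part.get_filename()
            findings.append((name, part.get_content_type(), actual))
    return findings

def build_sample():
    """Constructed message: a PNG stub labelled text/plain, as in the thread."""
    stub = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 24).decode()
    return (
        "From: billing@example.com\r\nSubject: Invoice\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
        "Your invoice is attached.\r\n"
        '--b1\r\nContent-Type: text/plain; name="mpanic.png"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n"
        f"{stub}\r\n--b1--\r\n"
    ).encode()

if __name__ == "__main__":
    for name, declared, actual in mismatched_text_parts(build_sample()):
        print(f"{name}: declared {declared}, content looks like {actual}")
```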

