On Wed, 3 Aug 2016, Robert Boyl wrote:
Hi, everyone
I have a very nice regex a friend passed me that catches those emails that have
an HTML attached with a redirect html command to
some malefic website.
He has some tool in Exim that scans text in attachments. But I wanted to use a
spamassassin rule.
Is there some plugin/way in Spamassassin to scan text of an html attachment?
You can write 'full' rules that will work with raw HTML in recognized html
attachments. The problem is that SA has business logic that ignores
non-textural attachments, and that can be fooled by mime-typing.
So if the attachment has a mime-type of "text/html" SA will scan it.
If it has a mime-type of "application/octet-stream" SA will ignore it but
if the attachment has a filename ending in ".htm" most client programs
will treat it as HTML and open it as such.
I once wrote a rule to detect such obfuscation but it had too many FPs.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
