[Mimedefang] HTML Mail / Active content filter

Florian Lohoff f at zz.de
Tue Apr 11 06:06:12 EDT 2023


On Tue, Apr 11, 2023 at 11:49:39AM +0200, giovanni--- via MIMEDefang wrote:
> On 4/10/23 11:32, Florian Lohoff via MIMEDefang wrote:
> > 
> > Hi,
> > I'd like to drop/replace HTML attachments/mails which contain active
> > components like javascript/javascript external refs.
> > 
> > 
> > 	<script language="javascript"></script>
> > 
> > or
> > 
> > 	<html><head>
> > 		<script type="text/javascript" src="http://a.b.c.d"></script>
> > 	</head></html>
> > 
> > Basically going through all text/html etc parts. I am unsure whether
> > I'd need to really decode HTML with HTML::Parse or the like to find it
> > or if simple "regex" matching would be sufficient. Currently I am
> > dropping this by spamassassin with custom filters using regex.
> > 
> > Has anyone an example for this or experience which HTML perl module
> > is the most stable?
> > 
> It can be done using HTML::Parser, and then running Mail::MIMEDefang::Actions::action_rebuild().
> In some cases it can be tricky because HTML attachments could be base64 encoded.

Yeah - A customer of mine got bitten by this (Cleaning up the
ransomware rubble for 3 weeks now. Massive base64 javascript encoded
chunk. Chrome 110 sandbox escape.) I'd rather block the mail or drop the
whole attachment/mimepart if there are any signs of "javascript".

From my quick analysis javascript in mails is pretty rare and in 99% of
the cases spam/ad stuff. Right now I have a simple custom rule in
spamassassin scoring the above very high as spam and rejecting it. But
for my taste that's too simple. I'd rather walk through all individual
MIME parts.

Flo
-- 
Florian Lohoff                                                     f at zz.de
  Any sufficiently advanced technology is indistinguishable from magic.
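
The per-part check discussed in this thread, sketched as an added example for a mimedefang-filter file; it is not code from the thread or from the MIMEDefang project. The helper name html_active_content and the policy of what counts as active content (script elements, on* event attributes, javascript: URLs) are assumptions.

```perl
# Added example for a mimedefang-filter; not code from this thread.
use strict;
use warnings;
use HTML::Parser ();

# Hypothetical helper: list the reasons $html counts as active content.
# Assumed policy: <script>, on* event attributes, javascript: URLs.
sub html_active_content {
    my ($html) = @_;
    my @found;
    my $p = HTML::Parser->new(
        api_version => 3,
        start_h     => [ sub {
            my ($tag, $attr) = @_;    # names arrive lower-cased
            push @found, "<script> element" if $tag eq 'script';
            for my $name (sort keys %$attr) {
                # Drop whitespace/control bytes so "java\tscript:" still matches.
                (my $val = $attr->{$name} // '') =~ s/[\x00-\x20]+//g;
                push @found, "$name attribute on <$tag>" if $name =~ /^on/;
                push @found, "javascript: URL in $name on <$tag>"
                    if $val =~ /^javascript:/i;
            }
        }, 'tagname, attr' ],
    );
    $p->parse($html);
    $p->eof;
    return @found;
}

# Called by MIMEDefang once per leaf part; the body handle holds the part
# after its Content-Transfer-Encoding (base64, quoted-printable) was decoded.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    return unless lc($type) =~ m{^(?:text/html|application/xhtml\+xml)$}
               || ($ext // '') =~ /^\.x?html?$/i;
    my $body = $entity->bodyhandle or return;
    my @found = html_active_content($body->as_string);
    return unless @found;
    md_syslog('warning', "active HTML content in part '$fname': $found[0]");
    return action_drop_with_warning(
        "An HTML part containing active content was removed.");
}

# Constructed sample, printed only when the file is run directly.
unless (caller) {
    print "$_\n" for html_active_content(
        '<body onload="x()"><SCRIPT src="http://a.b.c.d"></SCRIPT></body>');
}
```

To reject the whole message instead of dropping the part, the action_drop_with_warning() call can be replaced with action_bounce() and a reply text.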