[Mimedefang] HTML Mail / Active content filter

Florian Lohoff f at zz.de
Tue Apr 11 07:34:01 EDT 2023

Hi Kevin,

On Tue, Apr 11, 2023 at 06:53:48AM -0400, Kevin A. McGrail via MIMEDefang wrote:
> There are a LOT of obuscation techniques but there are also real (but very
> stupid) banks that do things like email html files for instructions to their
> clients and things.
> Do you have a sample of the file with the bad HTML and I can see if there
> are SA rules that hit it too?

Normal Spamassassin did not match anything significant - I added these as custom

rawbody     ZZ_JS_MIME         /["']text\/javascript["']/i
describe    ZZ_JS_MIME         Javascript mimetype
score       ZZ_JS_MIME         4

rawbody     ZZ_JS_SCRIPT       /\<\s*script\s+.*src\s*=\s*["']\s*(https|http):/i
describe    ZZ_JS_SCRIPT       External javascript
score       ZZ_JS_SCRIPT       7.0 

rawbody     ZZ_JS_SCRIPT2      /javascript/i
describe    ZZ_JS_SCRIPT2      Only javascript string
score       ZZ_JS_SCRIPT2      0.1

HTML attachment part of the mail started like this. Then it had an image
as base64 and a div with hundrets of base64 snipped which - when merged - was
a long javascript. So i guess they included jquery for its base64
decoder and the other external script uri to jumpstart decoding and
running the JS code.

<html lang="en">
        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.3/jquery.min.js"></script>
        <script type="text/javascript" src=""></script>
        <style type="text/css">
[ ... ]
        <div id="table"><p>KGZ1bmN0aW9uIChtaWR...</p><p>eXBlY3RpbmlicmFuY2goZ3JheXd ...
[ ... ]

Florian Lohoff                                                     f at zz.de
  Any sufficiently advanced technology is indistinguishable from magic.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20230411/d35d00aa/attachment-0001.sig>

More information about the MIMEDefang mailing list