[Mimedefang] [External] Re: HTML Mail / Active content filter
Kevin A. McGrail
kmcgrail at pccc.com
Tue Apr 11 08:04:02 EDT 2023
On 4/11/2023 7:34 AM, Florian Lohoff wrote:
> On Tue, Apr 11, 2023 at 06:53:48AM -0400, Kevin A. McGrail via MIMEDefang wrote:
>> There are a LOT of obuscation techniques but there are also real (but very
>> stupid) banks that do things like email html files for instructions to their
>> clients and things.
>>
>> Do you have a sample of the file with the bad HTML and I can see if there
>> are SA rules that hit it too?
> Normal Spamassassin did not match anything significant - I added these as custom
> rules:
I would suggest you look at the KAM Ruleset from https://mcgrail.com and
look at the rules based on the MIMEHeader plugin where you could trigger
on html files being attached,
> HTML attachment part of the mail started like this. Then it had an image
> as base64 and a div with hundrets of base64 snipped which - when merged - was
> a long javascript. So i guess they included jquery for its base64
> decoder and the other external script uri to jumpstart decoding and
> running the JS code.
Yeah, definitely using MIMEDefang (or mailmunge) to remove Javascript
tags is a good idea if you don't want to outright block html file
attachments.
Regards,
KAM
More information about the MIMEDefang
mailing list