[Mimedefang] [External] Re: HTML Mail / Active content filter

Kevin A. McGrail kmcgrail at pccc.com
Tue Apr 11 08:04:02 EDT 2023

On 4/11/2023 7:34 AM, Florian Lohoff wrote:
> On Tue, Apr 11, 2023 at 06:53:48AM -0400, Kevin A. McGrail via MIMEDefang wrote:
>> There are a LOT of obfuscation techniques but there are also real (but very
>> stupid) banks that do things like email html files for instructions to their
>> clients and things.
>> Do you have a sample of the file with the bad HTML and I can see if there
>> are SA rules that hit it too?
> Normal SpamAssassin did not match anything significant - I added these as custom
> rules:

I would suggest you look at the KAM Ruleset from https://mcgrail.com and 
look at the rules based on the MIMEHeader plugin where you could trigger 
on html files being attached.

> HTML attachment part of the mail started like this. Then it had an image
> as base64 and a div with hundreds of base64 snippets which - when merged - was
> a long JavaScript. So I guess they included jquery for its base64
> decoder and the other external script uri to jumpstart decoding and
> running the JS code.

Yeah, definitely using MIMEDefang (or mailmunge) to remove Javascript 
tags is a good idea if you don't want to outright block html file 
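
A sketch of the check discussed in this message, added to the archive as an example; it is not code from the thread, from MIMEDefang, or from the KAM ruleset. It walks a message's attachments, flags HTML parts that carry script tags or several base64 fragments, and returns a copy with script elements removed. The sample message, the function name and the chunk threshold are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample shaped like the attachment described in the thread:
# an external script reference plus a div of base64 fragments.
SAMPLE = """\
From: sender@example.test
Subject: Instructions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><head><script src="https://cdn.example.test/lib.js"></script></head>
<body><div>
<p>QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=</p>
<p>YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=</p>
<p>MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU=</p>
</div></body></html>
--b1--
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
B64_RE = re.compile(r">\s*([A-Za-z0-9+/]{24,}={0,2})\s*<")  # base64 run inside a tag

def inspect_html_attachments(raw, min_chunks=3):
    """Return one finding per HTML attachment (min_chunks is an assumed threshold)."""
    findings = []
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "text/html" and not name.endswith((".html", ".htm")):
            continue
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        scripts = len(SCRIPT_RE.findall(html))
        chunks = len(B64_RE.findall(html))
        findings.append({
            "filename": name, "script_tags": scripts, "base64_chunks": chunks,
            "suspicious": scripts > 0 or chunks >= min_chunks,
            # Regex stripping is illustrative; it does not cover inline event handlers.
            "stripped": SCRIPT_RE.sub("", html),
        })
    return findings
```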


