You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Robert Boyl <ro...@gmail.com> on 2016/08/03 12:13:31 UTC

scan an HTML file, possible?

Hi, everyone

I have a very nice regex a friend passed me that catches those emails that
have an HTML attached with a redirect html command to some malefic website.

He has some tool in Exim that scans text in attachments. But I wanted to
use a spamassassin rule.

Is there some plugin/way in Spamassassin to scan text of an html attachment?

Thanks!
Rob

Re: scan an HTML file, possible?

Posted by Dave Funk <db...@engineering.uiowa.edu>.

On Wed, 3 Aug 2016, Robert Boyl wrote:

> Hi, everyone
> 
> I have a very nice regex a friend passed me that catches those emails that have an HTML attached with a redirect html command to
> some malefic website.
> 
> He has some tool in Exim that scans text in attachments. But I wanted to use a spamassassin rule.
> 
> Is there some plugin/way in Spamassassin to scan text of an html attachment?
>

You can write 'full' rules that will work with raw HTML in recognized html 
attachments. The problem is that SA has business logic that ignores 
non-textural attachments, and that can be fooled by mime-typing.

So if the attachment has a mime-type of "text/html" SA will scan it.
If it has a mime-type of "application/octet-stream" SA will ignore it but 
if the attachment has a filename ending in ".htm" most client programs 
will treat it as HTML and open it as such.

I once wrote a rule to detect such obfuscation but it had too many FPs.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: scan an HTML file, possible?

Posted by Benny Pedersen <me...@junc.eu>.

On 2016-08-03 14:13, Robert Boyl wrote:

> I have a very nice regex a friend passed me that catches those emails
> that have an HTML attached with a redirect html command to some
> malefic website.

bravo

> He has some tool in Exim that scans text in attachments. But I wanted
> to use a spamassassin rule.

clamav ?

google foxhole 3dr party signature, tell clamav-milter to accept virus, 
and then in mta stage REJECT official virus, what is left is unofficiel 
sigs to be spam handled later

> Is there some plugin/way in Spamassassin to scan text of an html
> attachment?

yes clamav plugin, its just ram hungry, so take the clamav-milter way

in spamassassin then create rules based on clamav-milter headers

just remember to in mta stage reject virus