Posted to users@spamassassin.apache.org by Matija Nalis <mn...@voyager.hr> on 2022/09/02 06:11:53 UTC

KAM_OCTET_PHISH=3 ?

Some legitimate mails here are being hit with a rather high KAM_OCTET_PHISH=3.

It seems to trigger when I have both text/html and application/octet-stream
MIME parts.

Reduced/sanitized example at: https://pastebin.com/D4vqKnLC

It seems to be multi-rule meta, but all those sub-rules seem to check
for mostly the same two things to my untrained eye:

mimeheader      T_OBFU_HTML_ATTACH      Content-Type =~ m,\bapplication/octet-stream\b.+\.s?html?\b,i
mimeheader      __KAM_VM5               Content-Type =~ /.s?html?\.?\"?($|;)/i
mimeheader      __KAM_OCTET_PHISH1      Content-Type =~ /application\/octet-stream/i

meta            KAM_OCTET_PHISH         ( __KAM_OCTET_PHISH1 + ( __KAM_VM5 + T_OBFU_HTML_ATTACH >= 1) >= 2 )
describe        KAM_OCTET_PHISH         HTML File with the wrong MIME Type
score           KAM_OCTET_PHISH         3.0

That is on Debian Bullseye spamassassin 3.4.6-1 (with extra KAM rulesets).

Can someone shed some light on what is happening here, and is it supposed
to be happening?

-- 
Opinions above are GNU-copylefted.
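
Added example, not code from the thread or from the KAM ruleset itself: a Python re-implementation of the three quoted sub-rules and the meta, evaluated over a message's per-part Content-Type headers. It assumes a mimeheader rule hits once per message if any MIME part matches; the sample headers are constructed, not taken from the pastebin, and the escaped-dot variant of __KAM_VM5 is an assumption added only to show the effect of the unescaped "." in the quoted pattern.

```python
import re

# The three sub-rules quoted above, as Python regexes (patterns unchanged,
# /i kept). __KAM_VM5's leading "." is an unescaped any-character, so the
# MIME type "text/html;" itself satisfies it, not only a ".html" filename.
SUBRULES = {
    "T_OBFU_HTML_ATTACH": re.compile(r"\bapplication/octet-stream\b.+\.s?html?\b", re.I),
    "__KAM_VM5": re.compile(r'.s?html?\.?"?($|;)', re.I),
    "__KAM_OCTET_PHISH1": re.compile(r"application/octet-stream", re.I),
}

# Assumed variant, NOT from the ruleset: same pattern with the dot escaped,
# so only a ".htm/.html/.shtml" filename token matches, not text/html.
VM5_ESCAPED_DOT = re.compile(r'\.s?html?\.?"?($|;)', re.I)


def subrule_hits(content_types, rules=SUBRULES):
    """A mimeheader rule is assumed to hit once per message if ANY MIME
    part's Content-Type header matches. Returns {rule_name: 0 or 1}."""
    return {name: int(any(rx.search(ct) for ct in content_types))
            for name, rx in rules.items()}


def kam_octet_phish(content_types, vm5=SUBRULES["__KAM_VM5"]):
    """Evaluate the meta exactly as written in the thread:
    ( __KAM_OCTET_PHISH1 + ( __KAM_VM5 + T_OBFU_HTML_ATTACH >= 1 ) >= 2 )
    Returns 1 if KAM_OCTET_PHISH would fire (score 3.0), else 0."""
    h = subrule_hits(content_types, dict(SUBRULES, __KAM_VM5=vm5))
    inner = int(h["__KAM_VM5"] + h["T_OBFU_HTML_ATTACH"] >= 1)
    return int(h["__KAM_OCTET_PHISH1"] + inner >= 2)


# Constructed per-part Content-Type headers (not the pastebin sample).
LEGIT_HTML_PLUS_BINARY = [          # HTML body + a binary attachment
    'multipart/mixed; boundary="b1"',
    "text/html; charset=utf-8",
    'application/octet-stream; name="report.pdf"',
]
HTML_NAMED_AS_OCTET = [             # the case the rule is described for
    "text/plain; charset=us-ascii",
    'application/octet-stream; name="invoice.html"',
]
PLAIN_PLUS_BINARY = [               # no HTML anywhere
    "text/plain; charset=utf-8",
    'application/octet-stream; name="report.pdf"',
]
```

Running kam_octet_phish over LEGIT_HTML_PLUS_BINARY returns 1 with the quoted __KAM_VM5 (the text/html part alone satisfies it) and 0 with the escaped-dot variant, while HTML_NAMED_AS_OCTET returns 1 under both.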

Re: KAM_OCTET_PHISH=3 ?

Posted by "Kevin A. McGrail" <km...@apache.org>.
Thanks. I responded off-list to you, and questions about the KAM
ruleset are best submitted at
https://raptor.pccc.com/raptor.cgim?template=report_problem

Regards,

KAM

-- 
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171