Posted to dev@spamassassin.apache.org by John Hardin <jh...@impsec.org> on 2009/08/11 03:24:25 UTC

Include text attachments in RAWBODY and BODY?

Folks:

I just got a 419/fillform spam where the bulk of the message was in a 
base64-encoded plain text attachment. This effectively bypassed the many 
BODY and RAWBODY tests that would have hit on the text had it been 
included in the message body.

Should plain text attachments be scanned as regular message parts?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Think Microsoft cares about your needs at all?
   "A company wanted to hold off on upgrading Microsoft Office for a
   year in order to do other projects. So Microsoft gave a 'free' copy
   of the new Office to the CEO -- a copy that of course generated
   errors for anyone else in the firm reading his documents. The CEO
   got tired of getting the 'please re-send in XX format' so he
   ordered other projects put on hold and the Office upgrade to be top
   priority."                                    -- Cringely, 4/8/2004
-----------------------------------------------------------------------
  5 days until the 64th anniversary of the end of World War II

Re: Include text attachments in RAWBODY and BODY?

Posted by John Hardin <jh...@impsec.org>.
On Tue, 11 Aug 2009, Justin Mason wrote:

> is it visible in the default MUA rendering when you open the message, or 
> do you have to click on the attachment to display it? If the former, we 
> should probably include it in body/rawbody.  If the latter, we generally 
> do not.

Good catch, I didn't notice that initially...

The MIME header for the attachment is probably useful as a spam sign:

   ------=_NextPart_000_00E6_01C2A9A6.096DB722
   Content-Type: application/octet-stream; name="Yahoo Awards Center.txt"
   Content-Disposition: attachment; filename="Yahoo Awards Center.txt"
   Content-Transfer-Encoding: base64

A .txt file attached as application/octet-stream is certainly valid but 
probably quite unusual. I've put a rule for this into my sandbox, we'll 
see how it does.

I don't know whether SA should trust the filename extension in this 
situation.

> On Tue, Aug 11, 2009 at 02:24, John Hardin<jh...@impsec.org> wrote:
>
>> Folks:
>>
>> I just got a 419/fillform spam where the bulk of the message was in a 
>> base64-encoded plain text attachment. This effectively bypassed the 
>> many BODY and RAWBODY tests that would have hit on the text had it been 
>> included in the message body.
>>
>> Should plain text attachments be scanned as regular message parts?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The difference is that Unix has had thirty years of technical
   types demanding basic functionality of it. And the Macintosh has
   had fifteen years of interface fascist users shaping its progress.
   Windows has the hairpin turns of the Microsoft marketing machine
   and that's all.                                    -- Red Drag Diva
-----------------------------------------------------------------------
  4 days until the 64th anniversary of the end of World War II

Re: Include text attachments in RAWBODY and BODY?

Posted by Justin Mason <jm...@jmason.org>.
is it visible in the default MUA rendering when you open the message,
or do you have to click on the attachment to display it?
If the former, we should probably include it in body/rawbody.  If the
latter, we generally do not.

--j.

On Tue, Aug 11, 2009 at 02:24, John Hardin<jh...@impsec.org> wrote:
>
> Folks:
>
> I just got a 419/fillform spam where the bulk of the message was in a
> base64-encoded plain text attachment. This effectively bypassed the many
> BODY and RAWBODY tests that would have hit on the text had it been included
> in the message body.
>
> Should plain text attachments be scanned as regular message parts?
>

-- 
--j.

Re: Include text attachments in RAWBODY and BODY?

Posted by John Hardin <jh...@impsec.org>.
On Tue, 11 Aug 2009, Karsten Bräckelmann wrote:

>> I just got a 419/fillform spam where the bulk of the message was in a 
>> base64-encoded plain text attachment. This effectively bypassed the 
>> many BODY and RAWBODY tests that would have hit on the text had it been 
>> included in the message body.
>>
>> Should plain text attachments be scanned as regular message parts?
>
> Sample?

http://www.impsec.org/~jhardin/antispam/samples/body_text_as_octet_attachment.txt

> As I understand the docs, both are supposed to include all text parts.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The difference is that Unix has had thirty years of technical
   types demanding basic functionality of it. And the Macintosh has
   had fifteen years of interface fascist users shaping its progress.
   Windows has the hairpin turns of the Microsoft marketing machine
   and that's all.                                    -- Red Drag Diva
-----------------------------------------------------------------------
  4 days until the 64th anniversary of the end of World War II

Re: Include text attachments in RAWBODY and BODY?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
> I just got a 419/fillform spam where the bulk of the message was in a 
> base64-encoded plain text attachment. This effectively bypassed the many 
> BODY and RAWBODY tests that would have hit on the text had it been 
> included in the message body.
> 
> Should plain text attachments be scanned as regular message parts?

Sample?

As I understand the docs, both are supposed to include all text parts.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}