Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2018/03/19 18:22:09 UTC

Direct download phish

Hi, I received an email that was tagged as spam for other reasons, but
I'd like to write a rule that catches the attempt to present a ZIP as
a PDF file.

href="https://securesite.fdsit.net/uu/Propuesta-estrategia.zip"
rel="noopener noreferrer" target=_blank><SPAN=20
style="TEXT-DECORATION: none; VERTICAL-ALIGN: bottom; COLOR= :
rgb(17,85,204)" dir=ltr>Propuesta-estrategia.pdf</SPAN></A>

How do I catch the variation in the URI description that differs from
the URI itself? I've tried something like the following, but it's not
right.

uri     _URI_ZIP_PDF m;https?://.{1,80}\.(zip|docx?).{0,40}\.pdf;i

Full email here
https://pastebin.com/NfSzv9Wa

Re: Direct download phish

Posted by Alex <my...@gmail.com>.
Hi,

On Mon, Mar 19, 2018 at 11:08 PM, Pedro David Marco
<pe...@yahoo.com> wrote:
> Hi Alex,
>
> There is a plugin that may help in here...
>
> https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html
>
> so a rule like this as a first prototype may help:
>
> uri_detail      FAKE_URL_FILE_TYPE       text =~ /\.pdf\b/i          cleaned =~ /\.(zip|docx)\b/i

Works a treat, thanks!

Re: Direct download phish

Posted by Pedro David Marco <pe...@yahoo.com>.
 Hi Alex, 
There is a plugin that may help in here...
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html

so a rule like this as a first prototype may help:
uri_detail      FAKE_URL_FILE_TYPE       text =~ /\.pdf\b/i          cleaned =~ /\.(zip|docx)\b/i



Regards/Saludos,
-----PedroD
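
The check discussed in this thread (visible link text claiming one file type while the href points at another), as an added stand-alone example that is not part of the original thread and is not SpamAssassin code. It compares the trailing extension of the anchor text with that of the URL path, which is narrower than the `\b`-anchored regexes in the rule above; the sample HTML and the `example.test` host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

CLAIMED = {".pdf"}           # what the visible text pretends to be
ACTUAL = {".zip", ".docx"}   # what the link really downloads

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, including nested markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _ext(name):
    """Lower-cased trailing extension, e.g. '.pdf', or '' if none."""
    return posixpath.splitext(name.strip().lower())[1]

def mismatched_links(html):
    """Return anchors whose text ends in a CLAIMED extension while the
    href path (query string ignored) ends in an ACTUAL one."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return [(href, text) for href, text in parser.anchors
            if _ext(text) in CLAIMED and _ext(urlparse(href).path) in ACTUAL]

# Constructed sample: one disguised link, one honest PDF, one plain link.
SAMPLE = """
<a href="https://files.example.test/uu/proposal.zip?id=7" target=_blank>
  <span style="color: rgb(17,85,204)" dir=ltr>proposal.pdf</span></a>
<a href="https://files.example.test/docs/report.pdf">report.pdf</a>
<a href="https://files.example.test/archive.zip">Click here</a>
"""

if __name__ == "__main__":
    for href, text in mismatched_links(SAMPLE):
        print(f"text {text!r} does not match target {href}")
```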