Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2018/03/19 18:22:09 UTC
Direct download phish
Hi, I received an email that was tagged as spam for other reasons, but
I'd like to write a rule that catches the attempt to present a ZIP as
a PDF file.
href="https://securesite.fdsit.net/uu/Propuesta-estrategia.zip"
rel="noopener noreferrer" target=_blank><SPAN=20
style="TEXT-DECORATION: none; VERTICAL-ALIGN: bottom; COLOR= :
rgb(17,85,204)" dir=ltr>Propuesta-estrategia.pdf</SPAN></A>
How do I catch the variation in the URI description that differs from
the URI itself? I've tried something like the following, but it's not
right.
uri _URI_ZIP_PDF m;https?://.{1,80}\.(zip|docx?).{0,40}\.pdf;i
Full email here
https://pastebin.com/NfSzv9Wa
Re: Direct download phish
Posted by Alex <my...@gmail.com>.
Hi,
On Mon, Mar 19, 2018 at 11:08 PM, Pedro David Marco
<pe...@yahoo.com> wrote:
> Hi Alex,
>
> There is a plugin that may help in here...
>
> https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html
>
> so a rule like this as a first prototype may help:
>
> uri_detail FAKE_URL_FILE_TYPE text =~ /\.pdf\b/i cleaned =~ /\.(zip|docx)\b/i
Works a treat, thanks!
Re: Direct download phish
Posted by Pedro David Marco <pe...@yahoo.com>.
Hi Alex,
There is a plugin that may help in here...
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html
so a rule like this as a first prototype may help:
uri_detail FAKE_URL_FILE_TYPE text =~ /\.pdf\b/i cleaned =~ /\.(zip|docx)\b/i
Regards/Saludos,
-----PedroD
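The comparison the uri_detail rule above makes (link text claims one file type, the URL delivers another), as an added Python example for checking message HTML outside SpamAssassin; it is not part of the thread and not SpamAssassin code. It goes beyond the pdf versus zip/docx case by comparing any two extensions from an assumed list (FILE_EXTS); the function names and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed set of file types worth comparing; the thread's rule covers pdf vs zip/docx only.
FILE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "zip", "rar", "7z", "iso", "exe", "js"}
EXT_RE = re.compile(r"\.([a-z0-9]{2,5})$", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for each <a>, including text in nested tags."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def file_ext(name):
    """Return the lower-cased trailing extension if it is a known file type, else None."""
    m = EXT_RE.search(name.strip())
    ext = m.group(1).lower() if m else None
    return ext if ext in FILE_EXTS else None

def mismatched_links(html):
    """Return (href, label, shown_ext, real_ext) where the label and URL path disagree."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, label in parser.links:
        # Compare only the URL path, so a query string cannot hide the real extension.
        shown, real = file_ext(label), file_ext(urlsplit(href).path)
        if shown and real and shown != real:
            hits.append((href, label, shown, real))
    return hits

# Constructed sample markup (not the message from the thread).
SAMPLE = (
    '<a href="https://files.example.invalid/uu/report.zip" target=_blank>'
    '<span dir=ltr>report.pdf</span></a> '
    '<a href="https://files.example.invalid/uu/notes.pdf?dl=1">notes.pdf</a>'
)
```

Restricting both sides to known file extensions keeps a label that is just a hostname from being compared against a page extension such as .html.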