Posted to commits@spamassassin.apache.org by jh...@apache.org on 2012/07/26 03:03:38 UTC

svn commit: r1365860 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Author: jhardin
Date: Thu Jul 26 01:03:38 2012
New Revision: 1365860

URL: http://svn.apache.org/viewvc?rev=1365860&view=rev
Log:
Relax HTML_ATTACH a bit: the Content-Type header may not contain a filename; add HTML attachment obfu malware rule for zip MIME type + html filename

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1365860&r1=1365859&r2=1365860&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Thu Jul 26 01:03:38 2012
@@ -16,8 +16,10 @@ describe       RDNS_LOCALHOST  Sender's 
 #describe       EU_SPAM_LAW     Quoting "European Parliament" spam law
 
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-  mimeheader   HTML_ATTACH    Content-Type =~ m,text/html;.+\.html?\b,i
-  describe     HTML_ATTACH    HTML attachment to bypass scanning?
+  mimeheader   __HTML_ATTACH_01    Content-Type =~ m,text/html;.+\.html?\b,i
+  mimeheader   __HTML_ATTACH_02    Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i
+  meta         HTML_ATTACH         __HTML_ATTACH_01 || __HTML_ATTACH_02
+  describe     HTML_ATTACH         HTML attachment to bypass scanning?
 
   mimeheader   OBFU_HTML_ATTACH    Content-Type =~ m,application/octet-stream;.+\.html?\b,i
   describe     OBFU_HTML_ATTACH    HTML attachment with non-text MIME type
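Review bot: `__HTML_ATTACH_02` is not anchored at the end of the filename, so `\.html?\b` also matches names such as `report.html.zip` or `notes.htm.txt` (constructed examples) whose real extension is something else. With an unquoted value, `[^"]+` can also run past the `;` into a following parameter. Consider excluding `;` and requiring the parameter to end after the extension, e.g. `Content-Disposition =~ m,\bfilename="?[^";]+\.html?(?:"|\s*;|\s*$),i`, checked against the masscheck corpus before promotion. This matters more now that the subrule also feeds `OBFU_HTML_ATT_MALW` in the later hunk. The enclosing `ifplugin` block ends outside this hunk.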
@@ -53,6 +55,10 @@ ifplugin Mail::SpamAssassin::Plugin::MIM
   meta         CTYPE_NULL          __CTYPE_NULL
   describe     CTYPE_NULL          Malformed Content-Type header
 
+  mimeheader   __ZIP_ATTACH_NOFN   Content-Type =~ m,application/zip$,i
+  meta         OBFU_HTML_ATT_MALW  __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
+  describe     OBFU_HTML_ATT_MALW  HTML attachment with incorrect MIME type - possible malware
+
 endif
 
 # general case of spample observation
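Review bot: `OBFU_HTML_ATT_MALW` combines two `mimeheader` subrules, and as far as I know each fires when any MIME part matches, so `__ZIP_ATTACH_NOFN && __HTML_ATTACH_02` does not establish that both headers belong to the same part. A message with a genuine zip part typed as bare `application/zip` plus a separate HTML attachment would hit the rule even though neither part is mislabelled. A comment above the meta would record this, e.g. `# NOTE: subrules may match different MIME parts; this meta is message-wide, expect FPs on mail with both a zip and an HTML attachment`. It would also help to note that the `$` anchor in `__ZIP_ATTACH_NOFN` deliberately limits it to a Content-Type with no parameters. The `ifplugin` block opens before this hunk.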