Posted to commits@spamassassin.apache.org by jh...@apache.org on 2012/07/26 03:03:38 UTC
svn commit: r1365860 -
/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Thu Jul 26 01:03:38 2012
New Revision: 1365860
URL: http://svn.apache.org/viewvc?rev=1365860&view=rev
Log:
Relax HTML_ATTACH a bit: the Content-Type header may not contain a filename. Add an HTML attachment obfu malware rule for zip MIME type + html filename.
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1365860&r1=1365859&r2=1365860&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Thu Jul 26 01:03:38 2012
@@ -16,8 +16,10 @@ describe RDNS_LOCALHOST Sender's
#describe EU_SPAM_LAW Quoting "European Parliament" spam law
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
- mimeheader HTML_ATTACH Content-Type =~ m,text/html;.+\.html?\b,i
- describe HTML_ATTACH HTML attachment to bypass scanning?
+ mimeheader __HTML_ATTACH_01 Content-Type =~ m,text/html;.+\.html?\b,i
+ mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i
+ meta HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02
+ describe HTML_ATTACH HTML attachment to bypass scanning?
mimeheader OBFU_HTML_ATTACH Content-Type =~ m,application/octet-stream;.+\.html?\b,i
describe OBFU_HTML_ATTACH HTML attachment with non-text MIME type
@@ -53,6 +55,10 @@ ifplugin Mail::SpamAssassin::Plugin::MIM
meta CTYPE_NULL __CTYPE_NULL
describe CTYPE_NULL Malformed Content-Type header
+ mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,application/zip$,i
+ meta OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
+ describe OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware
+
endif
# general case of spample observation
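Review bot: `OBFU_HTML_ATT_MALW` ANDs two mimeheader subrules, and as far as I can tell a mimeheader rule hits when any MIME part of the message matches, so the meta does not establish that the `application/zip` type and the `.html` filename belong to the same part. A message with one zip attachment and a separate HTML attachment would hit, and it would hit `HTML_ATTACH` as well, so the two scores stack. I would record the limitation next to the rule, e.g. `# NOTE: subrules may match different MIME parts; check mass-check FPs before promoting`. The `$` anchor in `__ZIP_ATTACH_NOFN` also means a header with a trailing `;` or any parameter after `application/zip` is skipped. That looks intended from the `_NOFN` name but deserves a comment, and related types such as `application/x-zip-compressed` are not covered.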