On 2010-03-01 15:39, John Hardin wrote:
[ About ExtractText.pm]
Jonas, what's the current status of that plugin? It looks pretty stable
to me.
It works fine here. Don't know how it works for others. I haven't tested
it with 3.3 yet.
And, can it extract from basic text attachments? I assum
On 03/03/2010 01:54 PM, John Hardin wrote:
>
> mimeheader OBFU_PDF_ATTACH Content-Type =~ m,application/octet-stream;.+\.pdf\b,i
> describe OBFU_PDF_ATTACH PDF attachment with generic MIME type
> score OBFU_PDF_ATTACH 0.25
FYI I've noticed Outlook sends all PDF att
On Tue, 2 Mar 2010, John Hardin wrote:
Would you be willing to test this and see how well it does in practice?
{grumble} reply-to {grumble}
Sorry for spamming the list with this, it was meant just for Chip.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@im
On Tue, 2 Mar 2010, Chip M. wrote:
Since these started, they've had 19 of these phish:
1 "Bank of America"
1 "PayPaI"
1 "Paypal Inc."
1 "serv...@irs.gov"
1 "serv...@paypal.com"
1 "serv...@paypal.com"
3 "serv...@paypal.com"
1 "U.S. Bancorp"
1 "Wachovia"
1 "Wells Fargo Online"
1 Bank of
On Sun, 28 Feb 2010, LuKreme wrote:
> SPF!
>
>
You're a brave person. ;)
It's easier to understand the challenge Dave faces, if we look at
some actual From headers.
In my stream, these started in early November of last year, so I
just checked a few months of data from one domain which has h
On 01-Mar-10 12:45, David B Funk wrote:
AFAIK SA ignores 'octet/binary' attachments for the rule engine. None of
the rules that I tried (uri, body, full, rawbody) "saw" anything that was
known to be in one of those attachments.
So there was no paypal info (spoofed) in the headers at all?
But y
On Mon, 1 Mar 2010, Charles Gregory wrote:
On Mon, 1 Mar 2010, David B Funk wrote:
> Looks like he may have to use a 'full' test to look for the references to
> paypal
Been there, done that, doesn't work.
AFAIK SA ignores 'octet/binary' attachments for the rule engine. None of
the
On Mon, 1 Mar 2010, David B Funk wrote:
Looks like he may have to use a 'full' test to look for the references to
paypal
Been there, done that, doesn't work.
AFAIK SA ignores 'octet/binary' attachments for the rule engine. None of
the rules that I tried (uri, body, full, rawbody) "saw" anyth
On Mon, 1 Mar 2010, Charles Gregory wrote:
> On Sun, 28 Feb 2010, LuKreme wrote:
> > Your best bet is to check if mail claiming to be from paypal is, in fact,
> > from paypal.
>
> Actually, I think his problem is that the reference to paypal has been
> buried in an attachment, described as 'type'
On Sun, 28 Feb 2010, LuKreme wrote:
> On 28-Feb-10 17:25, David B Funk wrote:
> > I'm seeing a spate of PayPal/bank phishes that use an html attachment
> > (base-64 encoded) as the vehicle for the payload.
>
> SPF!
>
>
Actually I'm happy to utilize SPF when I can. But westernunion.com
doesn't pu
On Sun, 28 Feb 2010, LuKreme wrote:
Your best bet is to check if mail claiming to be from paypal is, in fact,
from paypal.
Actually, I think his problem is that the reference to paypal has been
buried in an attachment, described as 'type' of 'octet/binary' so that SA
won't think it is text an
On Mon, 1 Mar 2010, Benny Pedersen wrote:
On man 01 mar 2010 02:37:37 CET, John Hardin wrote
I've suggested this before, but the current position appears to be "if the
MUA doesn't display it automatically, why should we scan it?"
same goes for "just enter this url" when the sender was tired
On 28-Feb-10 17:25, David B Funk wrote:
I'm seeing a spate of PayPal/bank phishes that use an html attachment
(base-64 encoded) as the vehicle for the payload.
SPF!
Is there any way to get SA to treat that attachment as text to feed to
the rule engine?
Your best bet is to check if mail cl
On man 01 mar 2010 02:37:37 CET, John Hardin wrote
I've suggested this before, but the current position appears to be
"if the MUA doesn't display it automatically, why should we scan it?"
same goes for "just enter this url" when the sender was tired of doing
it right, fuzzyocr solved this
On Sun, 28 Feb 2010, David B Funk wrote:
Is there any way to get SA to treat that attachment as text to feed to
the rule engine?
I've suggested this before, but the current position appears to be "if the
MUA doesn't display it automatically, why should we scan it?"
Justin, I would respectfu
I'm seeing a spate of PayPal/bank phishes that use an html attachment
(base-64 encoded) as the vehicle for the payload.
The body has some innocuous verbiage about problems with the recipient's
account and an admonition to complete the attached form to remove
the "limitations".
The attached form is