Re: fake base64 encoding

2017-02-02 Thread John Wilcock
On 02/02/2017 at 15:50, RW wrote: On Thu, 2 Feb 2017 05:43:24 -0500 Kevin A. McGrail wrote: ... I will score much higher since it is in the wild. Can you throw a spample up on pastebin? Perhaps text/html makes a big difference, but base64 encoded utf-8 text is not uncommon these days - part

Re: fake base64 encoding

2017-02-02 Thread RW
On Thu, 2 Feb 2017 05:43:24 -0500 Kevin A. McGrail wrote: > On 2/1/2017 11:30 PM, Pedro David Marco wrote: > > I did a similar rule to detect it but with higher score (3) since > > we are seeing a huge LinkedIn Phishing campaign using this > > technique, that on purpose or by mistake is evading mo

Re: fake base64 encoding

2017-02-02 Thread Kevin A. McGrail
On 2/2/2017 5:43 AM, Kevin A. McGrail wrote: On 2/1/2017 11:30 PM, Pedro David Marco wrote: I did a similar rule to detect it but with higher score (3) since we are seeing a huge LinkedIn Phishing campaign using this technique, that on purpose or by mistake is evading most SA rules... I will sc

Re: fake base64 encoding

2017-02-02 Thread Kevin A. McGrail
On 2/1/2017 11:30 PM, Pedro David Marco wrote: I did a similar rule to detect it but with higher score (3) since we are seeing a huge LinkedIn Phishing campaign using this technique, that on purpose or by mistake is evading most SA rules... I will score much higher since it is in the wild. Can

Re: fake base64 encoding

2017-02-01 Thread Pedro David Marco
Correction: Some Outlook versions do show the email just as Thunderbird does.. so most users can see the email but SA... From: Pedro David Marco To: Kevin A. McGrail ; SA Mailing List Sent: Thursday, February 2, 2017 5:30 AM Subject: Re: fake base64 encoding Thanks Kevin, I

Re: fake base64 encoding

2017-02-01 Thread Pedro David Marco
Thanks Kevin, I did a similar rule to detect it but with higher score (3) since we are seeing a huge LinkedIn Phishing campaign using this technique, that on purpose or by mistake is evading most SA rules... I agree that Thunderbird may be doing it wrong. Outlook seems to do it right. >I would

Re: fake base64 encoding

2017-02-01 Thread Kevin A. McGrail
On 2/1/2017 9:35 PM, Kevin A. McGrail wrote: I agree. The test does not trigger The second test will trigger utf8_mode on Feb 1 21:29:32.246 [26958] dbg: message: HTML::Parser utf8_mode on (assumed UTF-8 octets) Content-Type: text/html; charset="utf-8" It makes sense since SA tries to decod

Re: fake base64 encoding

2017-02-01 Thread Kevin A. McGrail
On 2/1/2017 6:17 AM, Pedro David Marco wrote: Hi! I have noticed that when an email contains these (wrong) headers: Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 as SMTP headers, not MIME headers, and the email body is not base64 encoded, email clients as Thunderb