On Thu, 5 Apr 2018, Kris Deugau wrote:
> Alex wrote:
> We're also seeing it hit mailer-daemon emails.
> https://pastebin.com/raw/UXnzEN8U
> This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect)
> and when I re-ran it here locally, FUZZY_DR_OZ.
> The problem is that it's hitting on the mime attachments which are
> apparently treated as body text in mailer-daemon emails.
> ran body rule FUZZY_AMBIEN ======> got hit: "GRm8iEn"
> ran body rule __FUZZY_DR_OZ ======> got hit: "DGCGS+"
> ran body rule FUZZY_XPILL ======> got hit: "xxgnoX"
If you look closely I expect you'll find that those are "poorly formatted"
postmaster notices; ie, any content from the original message is NOT
actually wrapped up in a separate MIME part, it's just another blob of text
stuffed in beside the actual postmaster notice info.
Even so, I'm surprised the Dr Oz rule hit *that*. I'll review it.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
At $8 billion per year, the TSA is the most expensive
theatrical production in history. -- David Burge @iowahawkblog
-----------------------------------------------------------------------
8 days until Thomas Jefferson's 275th Birthday
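Added illustration of the "blob of text beside the notice" failure mode described above; this is not code from the thread or from SpamAssassin. It uses a constructed look-alike pattern standing in for a FUZZY_* body rule (not the real FUZZY_AMBIEN), a made-up postmaster notice, and two constructed bounces: one with the encoded original pasted straight into the text/plain notice, one with it attached as a proper message/rfc822 part. The blob line reuses the GRm8iEn string from the debug output.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for a SpamAssassin FUZZY_* body rule (NOT the real FUZZY_AMBIEN):
# each letter of "ambien" may be a look-alike (8 for b, 1 for i, 3 for e) with one
# junk character allowed between letters. That tolerance is exactly what lets it
# fire on a random base64 alphabet such as "GRm8iEn".
FUZZY_AMBIEN = re.compile(r"[a4@]?\W?[mn]\W?[b8]\W?[i1l]\W?[e3]\W?n", re.I)

NOTICE = "Your message could not be delivered.\n\n"  # constructed postmaster text
BLOB = "GRm8iEnxxgnoXDGCGS+\n"                        # constructed base64-looking line


def fuzzy_hits(text: str) -> list:
    """Substrings the fuzzy rule would report as hits in rendered body text."""
    return FUZZY_AMBIEN.findall(text)


def broken_bounce() -> bytes:
    """'Poorly formatted' bounce: the encoded original is pasted into the
    text/plain notice instead of being attached as its own MIME part."""
    m = EmailMessage()
    m["Subject"] = "Undelivered Mail Returned to Sender"
    m.set_content(NOTICE + BLOB)
    return bytes(m)


def proper_bounce() -> bytes:
    """Well-formed bounce: notice in text/plain, original as a message/rfc822 part."""
    original = EmailMessage()
    original["Subject"] = "hi"
    original.set_content("hello\n")
    m = EmailMessage()
    m["Subject"] = "Undelivered Mail Returned to Sender"
    m.set_content(NOTICE)
    m.add_attachment(original)  # becomes a message/rfc822 part
    return bytes(m)


def scanned_text(raw: bytes) -> str:
    """What a MIME-aware scanner treats as body: every text/plain part after
    transfer decoding. Base64 that is a real attachment gets decoded first;
    base64 pasted into a text part is just text and is scanned verbatim."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


if __name__ == "__main__":
    print("broken:", fuzzy_hits(scanned_text(broken_bounce())))  # ['m8iEn']
    print("proper:", fuzzy_hits(scanned_text(proper_bounce())))  # []
```

Running it shows the look-alike classes matching "m8iEn" inside the pasted blob, while the same original carried as a message/rfc822 part contributes only its decoded text ("hello") to what gets scanned.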