On Mon, 7 Feb 2022, Loren Wilton wrote:

 But, it had:

  *  2.5 CONTENT_AFTER_HTML More content after HTML close tag

 but one was only text/plain and I could see nothing wrong. Reading
 72_active.cf I found:

   rawbody    __CONTENT_AFTER_HTML        /<\/htnl>\s*[a-z0-9]/i

 which fires on a text/plain part that discusses html formatting!

Note you show __CONTENT_AFTER_HTML and CONTENT_AFTER_HTML, which are not the same rule. I suspect the meta for CONTENT_AFTER_HTML contains some other things that should in theory make it not hit in this case.

I've personally never seen this rule hit, and didn't know it existed. Are you sure it isn't a local rule? I have a rule of my own that gives 1 point for extra trash after the /html end tag. I see it frequently on spam and UCE that has a tracking tag in the HTML section after the official end of the html.

No, I added that after observing multiple spams with random garbage after the closing HTML tag in the HTML body part. Presumably it was an attempt at Bayes poison, checksum avoidance, or some other filter evasion technique.

I'll tighten it up.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  You do not examine legislation in the light of the benefits it
  will convey if properly administered, but in the light of the
  wrongs it would do and the harms it would cause if improperly
  administered.                                  -- Lyndon B. Johnson
-----------------------------------------------------------------------
 5 days until Abraham Lincoln's and Charles Darwin's 213th Birthdays
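
The false positive discussed in this thread, reproduced as an added example; it is not part of the thread and not SpamAssassin's own code. It assumes the pattern targets the literal closing tag named in the rule description, and `hits_html_parts_only` is one hypothetical way to restrict the check, not the change the rule's author made. Both messages are constructed samples.

```python
import re
from email import message_from_string

# Modelled on the quoted rawbody pattern, written against the literal closing
# tag that the rule description names (an assumption of this example).
AFTER_CLOSE = re.compile(r"</html>\s*[a-z0-9]", re.I)

# Constructed sample 1: plain part that discusses HTML + HTML part with junk.
MIXED = """\
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Always end the document with </html> and nothing after it.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Offer</p></body></html>
xk29 qpl81 zzt
--b1--
"""

# Constructed sample 2: a plain-text-only message about HTML formatting.
PLAIN_ONLY = """\
Content-Type: text/plain; charset="us-ascii"

Close the page with </html> before you upload it.
"""

def parse(raw):
    return message_from_string(raw)

def hits_any_text_part(msg):
    """Loose check: every text/* part is searched, as in the false positive."""
    return [p.get_content_type() for p in msg.walk()
            if p.get_content_maintype() == "text"
            and AFTER_CLOSE.search(p.get_payload())]

def hits_html_parts_only(msg):
    """Hypothetical tightening: only text/html parts are searched."""
    return [p.get_content_type() for p in msg.walk()
            if p.get_content_type() == "text/html"
            and AFTER_CLOSE.search(p.get_payload())]

if __name__ == "__main__":
    for name, raw in (("mixed", MIXED), ("plain-only", PLAIN_ONLY)):
        m = parse(raw)
        print(name, hits_any_text_part(m), hits_html_parts_only(m))
```
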
