Some of legitimate mails here are being hit with rather high KAM_OCTET_PHISH=3

it seems to trigger when I have both text/html and application/octet-stream
MIME parts.

reduced/sanitized example at: https://pastebin.com/D4vqKnLC

It seems to be multi-rule meta, but all those sub-rules seem to check
for mostly the same two things to my untrained eye:

mimeheader      T_OBFU_HTML_ATTACH      Content-Type =~ 
m,\bapplication/octet-stream\b.+\.s?html?\b,i
mimeheader      __KAM_VM5               Content-Type =~ /.s?html?\.?\"?($|;)/i
mimeheader      __KAM_OCTET_PHISH1      Content-Type =~ 
/application\/octet-stream/i

meta            KAM_OCTET_PHISH         ( __KAM_OCTET_PHISH1 + ( __KAM_VM5 + 
T_OBFU_HTML_ATTACH >= 1) >= 2 )
describe        KAM_OCTET_PHISH         HTML File with the wrong MIME Type
score           KAM_OCTET_PHISH         3.0

That is on Debian Bullseye spamassassin 3.4.6-1 (with extra KAM rulesets).

Can someone shed a light what is happening here, and is it supposed
to be happening?

-- 
Opinions above are GNU-copylefted.

Reply via email to