Thanks. I responded off-list to you and Questions about the KAM
ruleset are best submitted at
https://raptor.pccc.com/raptor.cgim?template=report_problem
Regards,
KAM
On 9/2/2022 2:11 AM, Matija Nalis wrote:
Some of the legitimate mails here are being hit with a rather high KAM_OCTET_PHISH=3.
It seems to trigger when I have both text/html and application/octet-stream
MIME parts.
Reduced/sanitized example at: https://pastebin.com/D4vqKnLC
It seems to be a multi-rule meta, but all those sub-rules seem to check
for mostly the same two things to my untrained eye:
mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.s?html?\b,i
mimeheader __KAM_VM5 Content-Type =~ /.s?html?\.?\"?($|;)/i
mimeheader __KAM_OCTET_PHISH1 Content-Type =~ /application\/octet-stream/i
meta KAM_OCTET_PHISH ( __KAM_OCTET_PHISH1 + ( __KAM_VM5 + T_OBFU_HTML_ATTACH >= 1) >= 2 )
describe KAM_OCTET_PHISH HTML File with the wrong MIME Type
score KAM_OCTET_PHISH 3.0
That is on Debian Bullseye spamassassin 3.4.6-1 (with extra KAM rulesets).
Can someone shed some light on what is happening here, and is it supposed
to be happening?
--
Kevin A. McGrail
kmcgr...@apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
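
Added example, not part of the original thread and not code from SpamAssassin or the KAM ruleset: a Python sketch that applies the three quoted mimeheader patterns to each MIME part's Content-Type and then combines them the way the quoted meta does, so the hit can be traced to the part that caused it. Assumptions: Python's re stands in for Perl's regex engine, a rule counts as hit when any part's Content-Type matches, and the sample messages and the helper names (sample, rule_hits, kam_octet_phish) are constructed for illustration.

```python
import re
from email import message_from_string

# Patterns copied from the quoted rules, rewritten in Python re syntax (assumption:
# equivalent to the Perl originals for these inputs).
MIMEHEADER_RULES = {
    "T_OBFU_HTML_ATTACH": re.compile(r"\bapplication/octet-stream\b.+\.s?html?\b", re.I),
    "__KAM_VM5": re.compile(r'.s?html?\.?"?($|;)', re.I),
    "__KAM_OCTET_PHISH1": re.compile(r"application/octet-stream", re.I),
}

def sample(*part_types):
    """Build a constructed multipart/mixed message with one part per Content-Type."""
    body = "".join(f"--XX\nContent-Type: {t}\n\nx\n" for t in part_types)
    return f'Content-Type: multipart/mixed; boundary="XX"\n\n{body}--XX--\n'

def rule_hits(raw_message):
    """Return {rule: [Content-Type values that matched]} over all MIME parts."""
    hits = {name: [] for name in MIMEHEADER_RULES}
    for part in message_from_string(raw_message).walk():
        # Unfold the header onto one line before matching.
        ctype = " ".join(part.get("Content-Type", "").split())
        for name, rx in MIMEHEADER_RULES.items():
            if ctype and rx.search(ctype):
                hits[name].append(ctype)
    return hits

def kam_octet_phish(raw_message):
    """Quoted meta: __KAM_OCTET_PHISH1 + (__KAM_VM5 + T_OBFU_HTML_ATTACH >= 1) >= 2."""
    h = {name: int(bool(v)) for name, v in rule_hits(raw_message).items()}
    return h["__KAM_OCTET_PHISH1"] + int(h["__KAM_VM5"] + h["T_OBFU_HTML_ATTACH"] >= 1) >= 2

# Constructed samples: an HTML body with a PDF sent as octet-stream, an HTML file
# sent as octet-stream, and an HTML body with a correctly typed PDF.
HTML_PLUS_PDF = sample('text/html; charset="utf-8"',
                       'application/octet-stream; name="report.pdf"')
HTML_AS_OCTET = sample('text/plain', 'application/octet-stream; name="invoice.html"')
HTML_TYPED_PDF = sample('text/html; charset="utf-8"', 'application/pdf; name="report.pdf"')

if __name__ == "__main__":
    for label, msg in [("html+pdf", HTML_PLUS_PDF), ("html-as-octet", HTML_AS_OCTET),
                       ("html+typed-pdf", HTML_TYPED_PDF)]:
        print(label, kam_octet_phish(msg), rule_hits(msg))
```

In the first constructed message, __KAM_VM5 matches the `text/html;` part itself, because its leading `.` is unescaped and `($|;)` accepts the parameter separator, while __KAM_OCTET_PHISH1 matches the PDF part, so the meta is satisfied by two different parts.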