On Fri 17 Sep 2010 00:30:27 CEST, Chris Owen wrote:
1) From yahoo.com
2) Have an HTML attachment
3) Are base64 encoded
The html includes something like this, inside a comment. It's really
over a hundred escaped characters:
document.write(unescape("%3C%53%43%52%49%50%54%20%4C
and I think this matches it:
/document\.write\(unescape\(\"(\%..){10,}/
While unescape is a legitimate function, it's odd that a string would
start off with a lengthy series of escaped characters.
This seems to need a RAWBODY check to match. That's as far as I've
got.
Joseph Brennan
Columbia University Information Technology
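
Added example, not part of the original message: a Python sketch of why the check has to run on the decoded HTML rather than on the rendered text. SpamAssassin's rawbody rules see MIME text parts after base64 decoding with the markup intact, while body rules see rendered text, where HTML comments are gone. The sample message, its addresses and the tag-stripping regex are constructed assumptions, and the pattern is a variant of the one in the message with the repeated group written as a single %XX escape.

```python
import re
from email import message_from_bytes
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Variant of the pattern in the message: ten or more %XX escapes right after the quote.
ESCAPE_RUN = re.compile(r'document\.write\(unescape\("(?:%[0-9A-Fa-f]{2}){10,}')

def build_sample() -> bytes:
    """Constructed message: base64-encoded HTML attachment, escapes inside a comment."""
    escaped = "".join("%%%02X" % b for b in b"constructed sample")  # harmless text
    html = ("<html><body>Hello<!--\n"
            f'document.write(unescape("{escaped}"));\n'
            "--></body></html>")
    msg = MIMEMultipart()
    msg["From"] = "sender@example.com"
    msg.attach(MIMEText("see attachment", "plain"))
    part = MIMEText(html, "html", "utf-8")  # explicit utf-8 makes the part base64
    part.add_header("Content-Disposition", "attachment", filename="sample.html")
    msg.attach(part)
    return msg.as_bytes()

def scan(raw: bytes) -> dict:
    """Report which view of each text/html part the pattern matches."""
    hits = {"wire": False, "decoded": False, "rendered": False}
    for part in message_from_bytes(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        wire = part.get_payload()  # base64 text as transmitted
        decoded = part.get_payload(decode=True).decode("utf-8", "replace")
        # Crude stand-in for HTML rendering: drop comments, then tags.
        rendered = re.sub(r"<!--.*?-->|<[^>]+>", "", decoded, flags=re.S)
        for view, text in (("wire", wire), ("decoded", decoded), ("rendered", rendered)):
            hits[view] = hits[view] or bool(ESCAPE_RUN.search(text))
    return hits

if __name__ == "__main__":
    print(scan(build_sample()))
```

Only the decoded view matches: the base64 wire form contains none of the literal characters, and the rendered view has lost the comment that carries the script.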