On Wed, 14 Sep 2011, Jose Sanchez wrote:
Hello,
This is what I found in the headers; maybe it is what you are referring to?
MIME-Version: 1.0
Content-Type: text/html
charset="us-ascii"
X-Priority: 3
X-Mailer: ahmntvo_65
Message-ID: <0748119269.gq3b5r14926...@vbflxbkym.cqkoekaungmhnec.ru>
Content-Transfer-Encoding: quoted-printable
Thanks.

That message doesn't appear to _have_ any attachments, it appears to
consist of just a single HTML text body part. Pretty basic, and SA
shouldn't have any problems with it.
If you could post the entire message with all headers intact to a
pastebin, and let us know what the domain you're trying to detect is, we
might be able to provide some specific advice.
----- Original Message -----
From: David B Funk <dbf...@engineering.uiowa.edu>
Sent: Wednesday, September 14, 2011 3:35 AM
On Tue, 13 Sep 2011, Jose Sanchez wrote:
Hello guys,
I would like to know how I can create a SA rule to search for a certain domain
inside a .txt attachment. I'm getting spam emails with no text in the body and
a .txt attachment only; the .txt attachment contains the spam email and I would
like to tag it as spam if the attachment contains a certain domain in it.
Is this possible? If it isn't, do you have any suggestions for mitigating this
type of spam?
Thanks in advance!

I'm betting that your "txt attachment" is also MIME-typed in a way
to bypass SA, something like "Application/OCTET-STREAM"?
If it were properly MIME-typed as "Text/PLAIN" SA should automagically
decode it and place it in the text body to match normal rules.
These attachment-obfuscating spammers bork the MIME type to try
to prevent that and rely on the mail client's automagic guess-timation
decoding of the attachment as text due to the file's ending in ".txt".
So does anybody know of a way to get SA to treat these attachments
as text, in spite of the attachment-MIME-obfuscation?
It would be nice if Bayes, URIBL, etc. tools could score their contents.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
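
The mismatch David Funk describes above (a part whose file name ends in ".txt" but whose declared MIME type is not text/*), as an added example that is not part of the original thread and is not SpamAssassin code: a Python script using the standard email package that finds such parts, decodes them and checks the text for a watched domain. The sample message, the file name offer.txt and the domain spam-domain.example are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

WATCHED = {"spam-domain.example"}  # constructed placeholder domain

def build_sample() -> bytes:
    """Constructed message: near-empty body plus a .txt file typed as octet-stream."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "rcpt@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content("\n")  # no visible text in the body
    msg.add_attachment(
        b"Visit http://www.spam-domain.example/offer today\n",
        maintype="application", subtype="octet-stream", filename="offer.txt",
    )
    return msg.as_bytes()

def disguised_text_parts(raw: bytes):
    """Return (filename, declared type, decoded text) for parts named *.txt
    whose declared Content-Type is not text/*."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(".txt") and part.get_content_maintype() != "text":
            data = part.get_payload(decode=True) or b""
            found.append((name, part.get_content_type(), data.decode("utf-8", "replace")))
    return found

def watched_hosts(raw: bytes, watched=WATCHED):
    """Hosts in disguised text parts that equal or fall under a watched domain."""
    hits = set()
    for _name, _ctype, text in disguised_text_parts(raw):
        for host in re.findall(r"https?://([A-Za-z0-9.-]+)", text):
            host = host.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watched):
                hits.add(host)
    return hits

if __name__ == "__main__":
    raw = build_sample()
    for name, ctype, _text in disguised_text_parts(raw):
        print(f"{name}: declared as {ctype}")
    print("watched hosts:", sorted(watched_hosts(raw)))
```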