On Wed, 25 Jul 2012, Chip M. wrote:
> There's yet another variant in the ongoing campaign of HTML file
> attachments with JavaScript malware payloads. :(
> The trick is that it sets the Content-Type to "application/zip",
> and uses an ".htm" file extension, for example (actual spam):
>
> Content-Type: application/zip
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Wire_ID88283.htm"
Off the top of my head, untested:
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,application/zip$,i
  mimeheader __HTML_ATTACH_FN Content-Disposition =~ m,\bfilename=.+\.html?\b,i
  meta OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_FN
  describe OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware
endif
This would be better-served by a plugin to check, per attachment, that the
MIME type is reasonable for the filename.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Our government wants to do everything it can "for the children,"
except sparing them crushing tax burdens.
-----------------------------------------------------------------------
11 days until the rover Curiosity lands on Mars
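The per-attachment check suggested at the end of the reply, as an added example that is not part of the thread and not a SpamAssassin plugin: a stand-alone Python script (standard library only) that walks each MIME part carrying a filename and reports when the declared Content-Type is not reasonable for the filename's extension. The extension table, the helper names (build_message, attachment_mismatches, obfu_html_att_malw) and the sample message are assumptions constructed for the example; the sample mirrors the headers quoted above. For comparison it also ports the two posted regexes, evaluated against the headers of one part at a time.

```python
"""Per-attachment check that an e-mail attachment's declared MIME type is
plausible for its filename.  Added example for this thread, written as a
stand-alone Python script; it is not a SpamAssassin plugin, and the
extension table below is an illustrative assumption, not a complete map."""
import email
import mimetypes
import os
import re

# Assumed table: extensions a mail client treats as active or archive
# content, and the Content-Type values that are reasonable for each.
EXPECTED_TYPES = {
    ".htm": {"text/html"},
    ".html": {"text/html"},
    ".js": {"text/javascript", "application/javascript",
            "application/x-javascript"},
    ".zip": {"application/zip", "application/x-zip-compressed"},
    ".pdf": {"application/pdf"},
}

# Dummy attachment body (base64 of "<html>\n"); constructed sample data.
DUMMY_PAYLOAD = "PGh0bWw+Cg=="


def build_message(content_type: str, filename: str) -> bytes:
    """Construct a small multipart message with one attachment whose
    headers mirror the spam sample quoted in the thread (test data)."""
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        "Subject: Wire transfer\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        'Content-Type: text/plain; charset="us-ascii"\n'
        "\n"
        "Please see attached.\n"
        "--b1\n"
        f"Content-Type: {content_type}\n"
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        f"{DUMMY_PAYLOAD}\n"
        "--b1--\n"
    ).encode("ascii")


def attachment_mismatches(raw: bytes) -> list:
    """Return (filename, declared_type, acceptable_types) for every MIME
    part with a filename whose declared Content-Type is not reasonable
    for that filename's extension.  Parts with no filename, or with an
    extension nothing is known about, are skipped."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        declared = part.get_content_type()  # normalised to lower case
        acceptable = EXPECTED_TYPES.get(ext)
        if acceptable is None:
            # Fall back to the platform mime.types map for other extensions.
            guessed, _ = mimetypes.guess_type(filename)
            acceptable = {guessed} if guessed else None
        if acceptable is None:
            continue
        if declared not in acceptable:
            findings.append((filename, declared, sorted(acceptable)))
    return findings


# The two sub-rules from the post, as Python regexes with the same patterns.
ZIP_ATTACH_NOFN = re.compile(r"application/zip$", re.IGNORECASE)
HTML_ATTACH_FN = re.compile(r"\bfilename=.+\.html?\b", re.IGNORECASE)


def obfu_html_att_malw(raw: bytes) -> bool:
    """Port of the posted meta rule, but requiring both sub-patterns to
    match headers of the same MIME part.  It only catches the exact
    zip-type/.htm-name combination from the spam sample, which is why the
    generic per-attachment comparison above is the more useful check."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        ctype = part.get("Content-Type", "")
        cdisp = part.get("Content-Disposition", "")
        if ZIP_ATTACH_NOFN.search(ctype) and HTML_ATTACH_FN.search(cdisp):
            return True
    return False


if __name__ == "__main__":
    sample = build_message("application/zip", "Wire_ID88283.htm")
    for name, declared, acceptable in attachment_mismatches(sample):
        print(f"{name}: declared {declared}, expected one of {acceptable}")
    print("OBFU_HTML_ATT_MALW:", obfu_html_att_malw(sample))
```

The generic check also flags an .htm attachment sent as application/octet-stream, which the posted regex pair does not match; mail clients commonly pick the handler by extension, so the declared type is not what protects the recipient.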