On Tue, 9 Sep 2014, Marcin Mirosław wrote:

> On 09.09.2014 at 15:19, John Hardin wrote:
>> On Tue, 9 Sep 2014, Marcin Mirosław wrote:
>>
>>> Hi again,
>>> I noticed FP on mentioned rule when checking ham email. Due to
>>> confidential content I don't want to share it on ML. Is somebody willing
>>> to improve mentioned rule or one case is not enough to look at it? If
>>> somebody would like to look into it I can send such email offlist.
>>
>> I'll take a look.
>
> Hi!
> Thank you. FUZZY_PILL has high score so it would be great to lower
> chance of FP.
> Attached email has partially, manually removed pdf attachment. I hope
> I didn't break mime parts too much. Attached email still triggers
> FUZZY_XPILL.
> Regards,
> Marcin

Is that email supposed to have an image attached to it? I note one of the
MIME parts has this:
Content-Type: text/plain; name="mpanic.png"
The content-type is wrong for a binary data attachment.
That attachment also doesn't appear to be a valid .PNG image file. Are you
actually able to view that as an image?
The FUZZY_XPILL hit is on what appears to be binary data in the message
body, likely due to that attachment being interpreted as body text due to
the MIME type. I can find what appears to be the matched string within the
mpanic.png file, but not anywhere in the actual text part of the message.
I think that you should contact whoever sent that message and have them
review how they are generating it. I'm reluctant to call this SA's fault
for trusting the MIME content type.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Phobias should not be the basis for laws.
-----------------------------------------------------------------------
8 days until the 227th anniversary of the signing of the U.S. Constitution
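
An added example, not part of the original thread and not SpamAssassin code: a Python check that walks a message and reports `text/*` parts whose attachment name or payload looks binary, which is the mismatch described in the reply above. The sample message, the extension list and the 5% control-byte threshold are constructed assumptions.

```python
import base64
import email
from email import policy

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
BINARY_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".pdf", ".zip")  # assumed list
CONTROL_THRESHOLD = 0.05  # assumed cut-off, tune on your own mail


def control_ratio(data: bytes) -> float:
    """Fraction of bytes that are control characters other than TAB/LF/CR."""
    if not data:
        return 0.0
    bad = sum(1 for b in data if (b < 0x20 and b not in (9, 10, 13)) or b == 0x7F)
    return bad / len(data)


def audit_text_parts(raw_message: bytes):
    """Return (name, declared_type, reasons) for each suspicious text/* part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers and real binary types are skipped
        data = part.get_payload(decode=True) or b""
        # get_filename() falls back to the Content-Type "name" parameter
        name = (part.get_filename() or "").lower()
        reasons = []
        if name.endswith(BINARY_EXTS):
            reasons.append("binary-extension-on-text-part")
        if control_ratio(data) > CONTROL_THRESHOLD:
            reasons.append("binary-payload")
        if name.endswith(".png") and not data.startswith(PNG_MAGIC):
            reasons.append("not-a-valid-png")
        if reasons:
            findings.append((name, part.get_content_type(), reasons))
    return findings


# Constructed sample: junk bytes labelled text/plain with a .png name.
_blob = base64.encodebytes(bytes(range(256)) * 2).decode("ascii")
SAMPLE = (
    "From: a@example.com\nSubject: report\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain; charset=us-ascii\n\nSee attached screenshot.\n"
    '--b1\nContent-Type: text/plain; name="mpanic.png"\n'
    "Content-Transfer-Encoding: base64\n\n" + _blob + "--b1--\n"
).encode("ascii")

if __name__ == "__main__":
    for finding in audit_text_parts(SAMPLE):
        print(finding)
```

Running a check like this on a reported false positive shows quickly whether a body rule matched real text or a mislabelled attachment that was scanned as body text.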