On Mon, 29 Sep 2014, Marcin Mirosław wrote:

On 10.09.2014 at 06:57, John Hardin wrote:
On Tue, 9 Sep 2014, Marcin Mirosław wrote:

On 09.09.2014 at 15:19, John Hardin wrote:
On Tue, 9 Sep 2014, Marcin Mirosław wrote:

Hi again,
I noticed an FP on the mentioned rule when checking a ham email. Due to
its confidential content I don't want to share it on the ML. Is somebody
willing to improve the mentioned rule, or is one case not enough to look
at it? If somebody would like to look into it, I can send the email offlist.

I'll take a look.

Hi!
Thank you. FUZZY_PILL has a high score so it would be great to lower the
chance of FP.
The attached email has a partially, manually removed pdf attachment. I hope
I didn't break the MIME parts too much. The attached email still triggers
FUZZY_XPILL.
Regards,
Marcin

Hi!
I'm sorry for the huge delay in answering.

No problem.

Is that email supposed to have an image attached to it? I note one of
the MIME parts has this:

   Content-Type: text/plain; name="mpanic.png"

The content-type is wrong for a binary data attachment.

That attachment also doesn't appear to be a valid .PNG image file. Are
you actually able to view that as an image?

$ file mpanic.png
mpanic.png: PNG image data, 684 x 750, 8-bit/color RGBA, non-interlaced

Okular doesn't have a problem with this image; Thunderbird also displays
it in the message.

That's interesting. The tools on my linux dev box (including GIMP) claim that it's corrupted. That's why I asked.

$ file mpanic.png
mpanic.png: data
$ od -c -t x1 mpanic.png  | head -2
0000000   ?   P   N   G  \n 032  \n  \0  \0  \0  \r   I   H   D   R  \0
         3f  50  4e  47  0a  1a  0a  00  00  00  0d  49  48  44  52  00

Does that match what you have?

As for TB displaying it in the message: I guess they are looking at the attachment filename rather than the attachment MIME type.

The FUZZY_XPILL hit is on what appears to be binary data in the message
body, likely due to that attachment being interpreted as body text due
to the MIME type. I can find what appears to be the matched string
within the mpanic.png file, but not anywhere in the actual text part of
the message.

I think that you should contact whoever sent that message and have them
review how they are generating it. I'm reluctant to call this SA's fault
for trusting the MIME content type.

I'll try to contact them, but this is an automatically generated email with
an invoice. I expect that they can't modify the software they bought.

Then the vendor needs a bug report filed.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  When people get used to preferential treatment,
  equal treatment seems like discrimination.         -- Thomas Sowell
-----------------------------------------------------------------------
 5 days until the 10th anniversary of SpaceshipOne winning the X-prize
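
Added example, not part of the original thread and not SpamAssassin code: a check for the condition discussed above, a MIME part declared as text/* whose decoded payload is really PNG data. It also shows that the od dump quoted above is what a valid PNG header becomes under text-mode handling (high-bit bytes replaced by '?', CRLF turned into LF); that explanation, the base64 transfer encoding, and the sample message are assumptions constructed for illustration.

```python
import base64
import email
from email import policy

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")  # standard 8-byte PNG signature
# First 16 bytes of the od dump quoted in the thread.
OD_DUMP = bytes.fromhex("3f504e470a1a0a0000000d4948445200")
# Constructed header prefix: signature + IHDR for 684 x 750, 8-bit RGBA,
# non-interlaced (the values `file` reported). No CRC or image data.
PNG_HEAD = PNG_SIG + bytes.fromhex("0000000d49484452000002ac000002ee0806000000")


def text_mangle(data: bytes) -> bytes:
    """Simulate text-mode handling: bytes >= 0x80 become '?', CRLF becomes LF."""
    ascii_only = bytes(0x3F if b >= 0x80 else b for b in data)
    return ascii_only.replace(b"\r\n", b"\n")


def mislabeled_parts(raw: bytes):
    """Return (filename, declared type) for text/* parts holding PNG data."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        # Match an intact signature or one already damaged by text handling.
        if body.startswith(PNG_SIG) or body.startswith(text_mangle(PNG_SIG)):
            hits.append((part.get_filename(), part.get_content_type()))
    return hits


# Constructed sample message reproducing the Content-Type line from the thread.
SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nInvoice attached.\r\n"
    b'--b1\r\nContent-Type: text/plain; name="mpanic.png"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(PNG_HEAD) + b"\r\n--b1--\r\n"
)

if __name__ == "__main__":
    print("mangled header:", text_mangle(PNG_HEAD)[:16].hex(" "))
    print("mislabeled parts:", mislabeled_parts(SAMPLE))
```
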
