On Wed, 31 Aug 2016, Chip M. wrote:
> Freshly caught Spample:
> http://puffin.net/software/spam/samples/0042_data_embedded_phish.txt
> The only munging was inserting ".EXAMPLE" between "wellsfargo"
> and ".com".
> ** Mitigation:
> The easiest way to catch these is with a simple body word match.
> Here are the exact matches I am currently using (some of them are
> recent additions, listed in date of addition order):
> href="data:
> href='data:
> http://data:
> data:text/html;base64
> <DEFANGED_IMG src="data:
> hta:application
That was added to the sandbox in 2012 (I read SANS too...):
https://svn.apache.org/viewvc?view=revision&revision=1378630
but it isn't performing well enough to be published:
http://ruleqa.spamassassin.org/20160902-r1758905-n/T_URI_DATA/detail
I've tweaked the FP avoidance a bit, maybe that will be enough to get the
S/O up high enough to publish it.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...a great many people are not fit for Liberty, it scares the crap
out of them and they'd much rather be ruled. As Loki said in the
Avengers movie, kneeling is their natural state. -- Mark D @ TSM
-----------------------------------------------------------------------
14 days until the 229th anniversary of the signing of the U.S. Constitution
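As an added illustration of the body-match idea from the thread (example code, not from the list post or from SpamAssassin's T_URI_DATA rule), this Python parses a constructed HTML body, pulls every data: URI out of href and src attributes, and flags text/html and application/* payloads while letting inline image data URIs through, the sort of legitimate use a rule like this has to skip to keep its S/O up. The sample bodies and the ".EXAMPLE" bank domain are constructed.

```python
"""Flag HTML mail bodies that carry the phish page inside a data: URI.

Added example, not code from the list post or SpamAssassin.
Sample bodies below are constructed; the bank domain is a placeholder.
"""
import base64
import re
from html.parser import HTMLParser

# data:[<mediatype>][;param...],<payload> per RFC 2397; type may be empty
DATA_URI = re.compile(r"^\s*data:(?P<type>[^;,]*)(?:;[^,]*)*,", re.I)


class _UriCollector(HTMLParser):
    """Collect (tag, attribute, value) for every href/src in the body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append((tag, name, value))


def classify_data_uris(body):
    """Return (tag, attr, mediatype, verdict) for each data: URI found."""
    parser = _UriCollector()
    parser.feed(body)
    out = []
    for tag, attr, value in parser.links:
        m = DATA_URI.match(value)
        if not m:
            continue  # ordinary http/https/mailto link, not of interest here
        mtype = (m.group("type") or "text/plain").lower()  # RFC 2397 default
        if attr == "src" and mtype.startswith("image/"):
            verdict = "allow"  # inline images are common in legitimate HTML mail
        elif mtype == "text/html" or mtype.startswith("application/"):
            verdict = "phish"  # a whole page or app shipped inside the link
        else:
            verdict = "review"  # text/plain etc.: rendered as text, low risk
        out.append((tag, attr, mtype, verdict))
    return out


def is_suspicious(body):
    return any(v == "phish" for *_, v in classify_data_uris(body))


# Constructed samples: a data:text/html login page vs. an inline logo image.
_PAGE = b"<html><form action='http://wellsfargo.EXAMPLE.com/login'></form></html>"
SAMPLE_PHISH = ('<p>Your account needs verification.</p>\n<a href="data:text/html;base64,'
                + base64.b64encode(_PAGE).decode() + '">Sign on</a>')
SAMPLE_LEGIT = ('<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">'
                '<a href="https://example.com/">Home</a>')
```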