From rlahti at stellarbb.com Tue Dec 6 18:09:50 2022
From: rlahti at stellarbb.com (Russell Lahti)
Date: Tue, 6 Dec 2022 18:09:50 +0000
Subject: HTML Attachments and Allow Script Tags = disarm
Message-ID:

I've been under the impression that the "Allow Script Tags" parameter applied to attachments, but it seems to not be the case if you use the "disarm" value. Mailscanner accurately detects that there is a script tag in the html attachment, but the disarm functionality seems to be limited to the email body only, and not to the attachments.

I tracked this down to Message.pm, where DisarmHTMLEntity is only ever called once, and only if the entity is *not* an attachment:

    if ($entity->head->mime_attr('content-disposition') !~ /attachment/i &&
        $entity->head->mime_attr('content-type') =~ /text\/html/i) {

I modified this to also apply to attachments, and confirmed that it did disarm as expected. I was just curious why there was a difference between the initial detection of the presence of the script tag in SweepContent.pm, and the subsequent handling of that script tag in Message.pm? Is this the expected behavior?

I'm aware of options for blocking and tagging of html attachments utilizing sa, and that handling of attachments is different from message body, but was curious about this specific scenario which seemed like a discrepancy to me.

Thank you,
-Russell

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mailscanner-list at okla.com Tue Dec 13 04:38:28 2022
From: mailscanner-list at okla.com (OKLA Mailscanner)
Date: Mon, 12 Dec 2022 22:38:28 -0600
Subject: Geek Squad phishing images etc - FuzzyOcr or ???
In-Reply-To:
References: <035901d90119$c8926db0$59b74910$@okla.com>
Message-ID: <015701d90eac$bf3314e0$3d993ea0$@okla.com>

Anybody ?

From: Shawn Iverson [mailto:shawniverson at gmail.com]
Sent: Saturday, November 26, 2022 10:35 AM
To: MailScanner Discussion
Cc: OKLA Mailscanner
Subject: Re: Geek Squad phishing images etc - FuzzyOcr or ???

Interested as well. I'm getting to the point I'll need to somehow scan these images that are evading detection. There is a mass deluge of them from Google servers all hours of the day.

On Fri, Nov 25, 2022 at 5:04 PM OKLA Mailscanner via MailScanner wrote:

What are you all finding works best at combatting these stupid Geek Squad phishing emails that are usually 3 words of text and an image?

Is FuzzyOCR plugin for SA currently a viable option or is there a better way?

Thanks!

Tracy

From mailscanner-list at okla.com Tue Dec 13 18:37:10 2022
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Tue, 13 Dec 2022 18:37:10 +0000
Subject: Geek Squad phishing images etc - FuzzyOcr or ???
In-Reply-To:
References: <035901d90119$c8926db0$59b74910$@okla.com> <015701d90eac$bf3314e0$3d993ea0$@okla.com>
Message-ID:

Agreed.

------ Original Message ------
From "Shawn Iverson"
To "MailScanner Discussion"
Cc "OKLA Mailscanner"
Date 12/13/2022 12:31:42 PM
Subject Re: Geek Squad phishing images etc - FuzzyOcr or ???

>You might try the Spamassassin Users list with this same question. I
>think it is a much larger community and this does relate to using an SA
>plugin.
>
>On Mon, Dec 12, 2022 at 11:39 PM OKLA Mailscanner via MailScanner
> wrote:
>>Anybody ?
>>
>>From: Shawn Iverson [mailto:shawniverson at gmail.com]
>>Sent: Saturday, November 26, 2022 10:35 AM
>>To: MailScanner Discussion
>>Cc: OKLA Mailscanner
>>Subject: Re: Geek Squad phishing images etc - FuzzyOcr or ???
>>
>>Interested as well. I'm getting to the point I'll need to somehow
>>scan these images that are evading detection. There is a mass deluge
>>of them from Google servers all hours of the day.
>>
>>On Fri, Nov 25, 2022 at 5:04 PM OKLA Mailscanner via MailScanner
>> wrote:
>>
>>>What are you all finding works best at combatting these stupid Geek
>>>Squad phishing emails that are usually 3 words of text and an image?
>>>
>>>Is FuzzyOCR plugin for SA currently a viable option or is there a
>>>better way?
>>>
>>>Thanks!
>>>
>>>Tracy

From jerry.benton at mailborder.com Wed Dec 14 00:50:25 2022
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 14 Dec 2022 00:50:25 +0000
Subject: Geek Squad phishing images etc - FuzzyOcr or ???
In-Reply-To:
References: <035901d90119$c8926db0$59b74910$@okla.com> <015701d90eac$bf3314e0$3d993ea0$@okla.com>
Message-ID:

Please do let us know if you find something that works on the problem. Saves us some research.

--
Jerry Benton
www.mailborder.com
+1 843-800-8605

From: MailScanner on behalf of Tracy Greggs via MailScanner
Date: Tuesday, December 13, 2022 at 13:37
To: 'MailScanner Discussion'
Cc: Tracy Greggs
Subject: Re[2]: Geek Squad phishing images etc - FuzzyOcr or ???

Agreed.

------ Original Message ------
From "Shawn Iverson"
To "MailScanner Discussion"
Cc "OKLA Mailscanner"
Date 12/13/2022 12:31:42 PM
Subject Re: Geek Squad phishing images etc - FuzzyOcr or ???

You might try the Spamassassin Users list with this same question. I think it is a much larger community and this does relate to using an SA plugin.

On Mon, Dec 12, 2022 at 11:39 PM OKLA Mailscanner via MailScanner wrote:

Anybody ?

From: Shawn Iverson [mailto:shawniverson at gmail.com]
Sent: Saturday, November 26, 2022 10:35 AM
To: MailScanner Discussion
Cc: OKLA Mailscanner
Subject: Re: Geek Squad phishing images etc - FuzzyOcr or ???

Interested as well. I'm getting to the point I'll need to somehow scan these images that are evading detection. There is a mass deluge of them from Google servers all hours of the day.

On Fri, Nov 25, 2022 at 5:04 PM OKLA Mailscanner via MailScanner wrote:

What are you all finding works best at combatting these stupid Geek Squad phishing emails that are usually 3 words of text and an image?

Is FuzzyOCR plugin for SA currently a viable option or is there a better way?

Thanks!

Tracy

From mailscanner-list at okla.com Wed Dec 14 02:35:08 2022
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Wed, 14 Dec 2022 02:35:08 +0000
Subject: Geek Squad phishing images etc - FuzzyOcr or ???
In-Reply-To:
References: <035901d90119$c8926db0$59b74910$@okla.com> <015701d90eac$bf3314e0$3d993ea0$@okla.com>
Message-ID:

Will do.
Not my highest priority at the moment but should have time to dive into it enough over the next couple of weeks.

Tracy Greggs

------ Original Message ------
From "Jerry Benton"
To "MailScanner Discussion"
Date 12/13/2022 6:50:25 PM
Subject Re: Re[2]: Geek Squad phishing images etc - FuzzyOcr or ???

>Please do let us know if you find something that works on the problem.
>Saves us some research.
>
>--
>Jerry Benton
>www.mailborder.com
>+1 843-800-8605
>
>From: MailScanner
>on behalf of Tracy Greggs via MailScanner
>Date: Tuesday, December 13, 2022 at 13:37
>To: 'MailScanner Discussion'
>Cc: Tracy Greggs
>Subject: Re[2]: Geek Squad phishing images etc - FuzzyOcr or ???
>
>Agreed.
>
>------ Original Message ------
>From "Shawn Iverson"
>To "MailScanner Discussion"
>Cc "OKLA Mailscanner"
>Date 12/13/2022 12:31:42 PM
>Subject Re: Geek Squad phishing images etc - FuzzyOcr or ???
>
>>You might try the Spamassassin Users list with this same question. I
>>think it is a much larger community and this does relate to using an
>>SA plugin.
>>
>>On Mon, Dec 12, 2022 at 11:39 PM OKLA Mailscanner via MailScanner
>> wrote:
>>
>>>Anybody ?
>>>
>>>From: Shawn Iverson [mailto:shawniverson at gmail.com]
>>>Sent: Saturday, November 26, 2022 10:35 AM
>>>To: MailScanner Discussion
>>>Cc: OKLA Mailscanner
>>>Subject: Re: Geek Squad phishing images etc - FuzzyOcr or ???
>>>
>>>Interested as well. I'm getting to the point I'll need to somehow
>>>scan these images that are evading detection. There is a mass deluge
>>>of them from Google servers all hours of the day.
>>>
>>>On Fri, Nov 25, 2022 at 5:04 PM OKLA Mailscanner via MailScanner
>>> wrote:
>>>
>>>>What are you all finding works best at combatting these stupid Geek
>>>>Squad phishing emails that are usually 3 words of text and an image?
>>>>
>>>>Is FuzzyOCR plugin for SA currently a viable option or is there a
>>>>better way?
>>>>
>>>>Thanks!
>>>>
>>>>Tracy

From jmgorro at gmail.com Thu Dec 15 07:46:40 2022
From: jmgorro at gmail.com (Josep M Gorro)
Date: Thu, 15 Dec 2022 08:46:40 +0100
Subject: Rule file for subject
Message-ID:

Hello.

The parameter "Content Subject Text" allows adding to the mail's subject a string warning the recipient that the message has been disarmed. As this parameter allows rule file usage, is it possible to add some text only when it is not present in the subject yet?

The final goal is to avoid the "Disarmed" string appearing several times when a long mail chain is processed.

Thanks.

From steveb_clamav at sanesecurity.com Thu Dec 15 14:07:36 2022
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Thu, 15 Dec 2022 14:07:36 +0000
Subject: Geek Squad phishing images etc - FuzzyOcr or ???
In-Reply-To: <035901d90119$c8926db0$59b74910$@okla.com>
References: <035901d90119$c8926db0$59b74910$@okla.com>
Message-ID: <185161cac40.279d.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com>

On 25 November 2022 22:03:58 OKLA Mailscanner via MailScanner wrote:

> What are you all finding works best at combatting these stupid Geek Squad
> phishing emails that are usually 3 words of text and an image?
>
> Is FuzzyOCR plugin for SA currently a viable option or is there a better way?
>
> Thanks!

Could you zip up a few samples of the whole message Geek Squads...
(Redact where necessary) to:

samples at sanesecurity.org.uk

Cheers,

Steve
SaneSecurity.com
Twitter: @sanesecurity

From mailscanner-list at okla.com Thu Dec 15 14:47:57 2022
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Thu, 15 Dec 2022 14:47:57 +0000
Subject: Geek Squad phishing images etc - FuzzyOcr or ???
In-Reply-To: <185161cac40.279d.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com>
References: <035901d90119$c8926db0$59b74910$@okla.com> <185161cac40.279d.3eaa884a23ece66aada06ae82ee56aba@sanesecurity.com>
Message-ID:

Done. Thanks for the interest Steve.

Tracy Greggs

------ Original Message ------
From "Steve Basford via MailScanner"
To "MailScanner Discussion"
Cc "Steve Basford"
Date 12/15/2022 8:07:36 AM
Subject Re: Geek Squad phishing images etc - FuzzyOcr or ???

>On 25 November 2022 22:03:58 OKLA Mailscanner via MailScanner
> wrote:
>
>>What are you all finding works best at combatting these stupid Geek
>>Squad phishing emails that are usually 3 words of text and an image?
>>
>>Is FuzzyOCR plugin for SA currently a viable option or is there a
>>better way?
>>
>>Thanks!
>
>Could you zip up a few samples of the whole message Geek Squads...
>(Redact where necessary) to:
>
>samples at sanesecurity.org.uk
>
>Cheers,
>
>Steve
>SaneSecurity.com
>Twitter: @sanesecurity

From andrew at andew.org.uk Mon Dec 19 20:43:08 2022
From: andrew at andew.org.uk (Andrew Pearce)
Date: Mon, 19 Dec 2022 20:43:08 +0000
Subject: Installation error now that spamassasin 4.0.0 is available
Message-ID: <2f08097569c11ce95f2b3749917267cc@andew.org.uk>

Hi

Just tried upgrading my mailscanner installation and now the new version of spamassassin is available I'm now getting the following error:-

--> Working on Mail::SpamAssassin
Fetching http://www.cpan.org/authors/id/S/SI/SIDNEY/Mail-SpamAssassin-4.0.0.tar.gz ... OK
Configuring Mail-SpamAssassin-4.000000 ... OK
Building and testing Mail-SpamAssassin-4.000000 ... Terminated

Is there any build that works with the new version?

Regards

Andrew

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

From andrew at andew.org.uk Tue Dec 20 10:19:18 2022
From: andrew at andew.org.uk (Andrew Pearce)
Date: Tue, 20 Dec 2022 10:19:18 +0000
Subject: Installation error now that spamassasin 4.0.0 is available
In-Reply-To: <2f08097569c11ce95f2b3749917267cc@andew.org.uk>
References: <2f08097569c11ce95f2b3749917267cc@andew.org.uk>
Message-ID: <22ce742d551531c792881c27f6b54dd8@andew.org.uk>

On 19/12/2022 20:43, Andrew Pearce wrote:
> Hi
>
> Just tried upgrading my mailscanner installation and now the new
> version of spamassassin is available i'm now getting the following
> error:-
>
> --> Working on Mail::SpamAssassin
> Fetching
> http://www.cpan.org/authors/id/S/SI/SIDNEY/Mail-SpamAssassin-4.0.0.tar.gz
> ... OK
> Configuring Mail-SpamAssassin-4.000000 ... OK
> Building and testing Mail-SpamAssassin-4.000000 ... Terminated
>
> Is there any build that works with the new version?
>
> Regards
>
> Andrew

Hi

Further to that email, should have said I've tried the latest download from github.
Currently trying to run MailScanner on Almalinux 9 (RHEL clone)

Regards

Andrew

From xserverlinux at gmail.com Tue Dec 20 16:36:43 2022
From: xserverlinux at gmail.com (Rick Gutierrez)
Date: Tue, 20 Dec 2022 10:36:43 -0600
Subject: Installation error now that spamassasin 4.0.0 is available
In-Reply-To: <22ce742d551531c792881c27f6b54dd8@andew.org.uk>
References: <2f08097569c11ce95f2b3749917267cc@andew.org.uk> <22ce742d551531c792881c27f6b54dd8@andew.org.uk>
Message-ID:

On Tue, Dec 20, 2022 at 04:19, Andrew Pearce <andrew at andew.org.uk> wrote:

> On 19/12/2022 20:43, Andrew Pearce wrote:
> > Hi
> >
> > Just tried upgrading my mailscanner installation and now the new
> > version of spamassassin is available i'm now getting the following
> > error:-
> >
> > --> Working on Mail::SpamAssassin
> > Fetching
> > http://www.cpan.org/authors/id/S/SI/SIDNEY/Mail-SpamAssassin-4.0.0.tar.gz
> > ... OK
> > Configuring Mail-SpamAssassin-4.000000 ... OK
> > Building and testing Mail-SpamAssassin-4.000000 ... Terminated
> >
> > Is there any build that works with the new version?
> >
> > Regards

Hi, I have the same situation in a centos 7, I have yet to do my tests in almalinux.

--
rickygm

http://gnuforever.homelinux.com

From andrew at andew.org.uk Wed Dec 21 19:04:50 2022
From: andrew at andew.org.uk (Andrew Pearce)
Date: Wed, 21 Dec 2022 19:04:50 +0000
Subject: Installation error now that spamassasin 4.0.0 is available
In-Reply-To:
References: <2f08097569c11ce95f2b3749917267cc@andew.org.uk> <22ce742d551531c792881c27f6b54dd8@andew.org.uk>
Message-ID: <7f572aafdf6b60d762ab1575860d19c7@andew.org.uk>

On 20/12/2022 16:36, Rick Gutierrez wrote:
> On Tue, Dec 20, 2022 at 04:19, Andrew Pearce wrote:
>
>> On 19/12/2022 20:43, Andrew Pearce wrote:
>>> Hi
>>>
>>> Just tried upgrading my mailscanner installation and now the new
>>> version of spamassassin is available i'm now getting the following
>>> error:-
>>>
>>> --> Working on Mail::SpamAssassin
>>> Fetching
>>> http://www.cpan.org/authors/id/S/SI/SIDNEY/Mail-SpamAssassin-4.0.0.tar.gz
>>> ... OK
>>> Configuring Mail-SpamAssassin-4.000000 ... OK
>>> Building and testing Mail-SpamAssassin-4.000000 ... Terminated
>>>
>>> Is there any build that works with the new version?
>>>
>>> Regards
>
> Hi, I have the same situation in a centos 7, I have yet to do my
> tests in almalinux .
>
> --
> rickygm
>
> http://gnuforever.homelinux.com

Hi

I got my installation to work by running the following command as it looks like Zlib wasn't fully updated

cpanm --uninstall IO::Compress::Zlib::Extra

Regards

Andrew

From xserverlinux at gmail.com Fri Dec 30 01:17:02 2022
From: xserverlinux at gmail.com (Rick Gutierrez)
Date: Thu, 29 Dec 2022 19:17:02 -0600
Subject: Installation error now that spamassasin 4.0.0 is available
In-Reply-To: <7f572aafdf6b60d762ab1575860d19c7@andew.org.uk>
References: <2f08097569c11ce95f2b3749917267cc@andew.org.uk> <22ce742d551531c792881c27f6b54dd8@andew.org.uk> <7f572aafdf6b60d762ab1575860d19c7@andew.org.uk>
Message-ID:

On Wed, Dec 21, 2022 at 13:04, Andrew Pearce () wrote:
>
> Hi
>
> I got my installation to work with running the following command as it
> looks like Zlib wasnt fully updated
>
> cpanm --uninstall IO::Compress::Zlib::Extra
>

Thanks Andrew.

--
rickygm

http://gnuforever.homelinux.com
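
Added example, not part of any message in this archive and not MailScanner code: a Python audit that mirrors the Message.pm condition quoted in Russell Lahti's 6 Dec message ("HTML Attachments and Allow Script Tags = disarm") and lists MIME parts that contain a script tag but fall outside the disarm test. The sample message, the simplified script-tag regex and all function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: HTML body, HTML attachment and a plain-text attachment.
SAMPLE = """\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body><script>x()</script>Hello</body></html>
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body><script>y()</script>Invoice</body></html>
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

no markup here
--b1--
"""

# Simplified stand-in for script-tag detection (assumption, not SweepContent.pm).
SCRIPT_TAG = re.compile(r"<\s*script\b", re.I)

def disarm_applies(part, include_attachments=False):
    """Mirror the quoted Perl test: content-type matches text/html and, unless
    include_attachments is set, content-disposition does not match 'attachment'."""
    if not re.search(r"text/html", part.get_content_type(), re.I):
        return False
    disposition = part.get("Content-Disposition", "")
    return include_attachments or not re.search(r"attachment", disposition, re.I)

def audit(raw, include_attachments=False):
    """One row per leaf MIME part: (name, has_script_tag, disarm_applies)."""
    rows = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        rows.append((part.get_filename() or "body",
                     bool(SCRIPT_TAG.search(text)),
                     disarm_applies(part, include_attachments)))
    return rows

def detected_but_not_disarmed(raw, include_attachments=False):
    """Names of parts that contain a script tag but are skipped by the disarm test."""
    return [name for name, has_script, disarmed in audit(raw, include_attachments)
            if has_script and not disarmed]

if __name__ == "__main__":
    print(detected_but_not_disarmed(SAMPLE))                            # test as quoted
    print(detected_but_not_disarmed(SAMPLE, include_attachments=True))  # widened test
```

Run against stored messages, a non-empty result from the first call marks HTML attachments that would be reported for script tags yet delivered without being disarmed.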