shtml attachment files ?
Shawn Iverson
shawniverson at summitgrid.com
Mon Sep 26 11:18:15 UTC 2022
Got in a hurry...left off the rule name...
mimeheader MYHTMLRULE Content-Disposition =~ /attachment;
filename=\".*\.html\"/
describe MYHTMLRULE HTML attachment, not safe!
score MYHTMLRULE 10.0
On 9/26/22 07:11, Shawn Iverson via MailScanner wrote:
>
> No. The code that does this isn't even MailScanner itself. It is
> MIME::Parser when the Explode* methods are called. Changing this
> behavior would mean mostly likely rewriting that perl module.
>
> The problem you are running into is that the filename blocking is not
> MIME-aware and doesn't look at the email but rather the files that are
> exploded in the working directory. The distinction here is that these
> html files you are fighting are likely attachments and not the html
> mime part of the email.
>
> You have a few options:
>
> 1) Block any html file that doesn't conform to msg-<id>.html in your
> filename rules:
>
> allow msg-.*\.html$ HTML part of email message HTML part of
> email message
>
> deny \.html$ HTML not part of email message HTML not part of
> email message
>
> 2) Use SpamAssassin to examine the mimeheaders and score appropriately
>
> mimeheader Content-Disposition =~ /attachment; filename=\".*\.html\"/
>
> describe HTML attachment, not safe!
>
> score 10.0
>
> On 9/26/22 04:28, mailscanner at barendse.to wrote:
>>
>>
>> On Thu, 28 Jul 2022, Shawn Iverson via MailScanner wrote:
>>
>>> It is happening during the mime parsing operation when the mime is
>>> split into text and html parts. It assigns a name msg-<id>.html to
>>> the html mime part.
>>
>>
>> Is there any way to avoid that, can we assign a different name, other
>> than .html ?
>>
>> The number of .html attachments with links to a partial virus payload
>> and that are slipping through undetected is increasing and it's
>> worrying. I have a pretty decent proxy/filter but.........
>>
>>
>>>
>>
>>
>
>
More information about the MailScanner
mailing list