shtml attachment files ?

Shawn Iverson shawniverson at summitgrid.com
Mon Sep 26 11:18:15 UTC 2022


Got in a hurry...left off the rule name...

mimeheader    MYHTMLRULE    Content-Disposition =~ /attachment; 
filename=\".*\.html\"/
describe    MYHTMLRULE    HTML attachment, not safe!
score        MYHTMLRULE    10.0


On 9/26/22 07:11, Shawn Iverson via MailScanner wrote:
>
> No.  The code that does this isn't even MailScanner itself. It is 
> MIME::Parser when the Explode* methods are called.  Changing this 
> behavior would mean mostly likely rewriting that perl module.
>
> The problem you are running into is that the filename blocking is not 
> MIME-aware and doesn't look at the email but rather the files that are 
> exploded in the working directory.  The distinction here is that these 
> html files you are fighting are likely attachments and not the html 
> mime part of the email.
>
> You have a few options:
>
> 1) Block any html file that doesn't conform to msg-<id>.html in your 
> filename rules:
>
> allow    msg-.*\.html$    HTML part of email message    HTML part of 
> email message
>
> deny    \.html$    HTML not part of email message    HTML not part of 
> email message
>
> 2) Use SpamAssassin to examine the mimeheaders and score appropriately
>
> mimeheader    Content-Disposition =~ /attachment; filename=\".*\.html\"/
>
> describe    HTML attachment, not safe!
>
> score        10.0
>
> On 9/26/22 04:28, mailscanner at barendse.to wrote:
>>
>>
>> On Thu, 28 Jul 2022, Shawn Iverson via MailScanner wrote:
>>
>>> It is happening during the mime parsing operation when the mime is 
>>> split into text and html parts. It assigns a name msg-<id>.html to 
>>> the html mime part.
>>
>>
>> Is there any way to avoid that, can we assign a different name, other 
>> than .html ?
>>
>> The number of .html attachments with links to a partial virus payload 
>> and that are slipping through undetected is increasing and it's 
>> worrying. I have a pretty decent proxy/filter but.........
>>
>>
>>>
>>
>>
>
>


More information about the MailScanner mailing list