shtml attachment files ?

mailscanner at barendse.to mailscanner at barendse.to
Mon Sep 26 14:12:21 UTC 2022


Thanks Shawn!

I made a typo somewhere and sa-compile didn't complete. During a Google 
search I found a similar post from someone trying to block .7z and 
copy/pasted the rules together; this is what I have now:

mimeheader NO_HTML_ATTACH01    Content-Disposition =~ /attachment; filename=\".*\.html\"/
describe   NO_HTML_ATTACH01    HTML attachment, not safe!
score      NO_HTML_ATTACH01    10.0

rawbody    NO_HTML_ATTACH02    /Content-Disposition: attachment; filename=.+.html/i
describe   NO_HTML_ATTACH02    email contains a html inline attachment
score      NO_HTML_ATTACH02    10.0

Hope this is correct; sadly I only have production servers to test/fiddle 
around with.

Thanks again!

On Mon, 26 Sep 2022, Shawn Iverson via MailScanner wrote:

> Got in a hurry...left off the rule name...
>
> mimeheader    MYHTMLRULE    Content-Disposition =~ /attachment; filename=\".*\.html\"/
> describe    MYHTMLRULE    HTML attachment, not safe!
> score        MYHTMLRULE    10.0
>
>
> On 9/26/22 07:11, Shawn Iverson via MailScanner wrote:
>>
>> No.  The code that does this isn't even MailScanner itself. It is 
>> MIME::Parser when the Explode* methods are called.  Changing this 
>> behavior would mean most likely rewriting that Perl module.
>>
>> The problem you are running into is that the filename blocking is not 
>> MIME-aware and doesn't look at the email but rather the files that are 
>> exploded in the working directory.  The distinction here is that these 
>> html files you are fighting are likely attachments and not the html 
>> mime part of the email.
>>
>> You have a few options:
>>
>> 1) Block any html file that doesn't conform to msg-<id>.html in your 
>> filename rules:
>>
>> allow    msg-.*\.html$    HTML part of email message    HTML part of email message
>>
>> deny    \.html$    HTML not part of email message    HTML not part of email message
>>
>> 2) Use SpamAssassin to examine the mimeheaders and score appropriately
>>
>> mimeheader    Content-Disposition =~ /attachment; filename=\".*\.html\"/
>>
>> describe    HTML attachment, not safe!
>>
>> score        10.0
>>
>> On 9/26/22 04:28, mailscanner at barendse.to wrote:
>>>
>>>
>>> On Thu, 28 Jul 2022, Shawn Iverson via MailScanner wrote:
>>>
>>>> It is happening during the mime parsing operation when the mime is 
>>>> split into text and html parts. It assigns a name msg-<id>.html to 
>>>> the html mime part.
>>>
>>>
>>> Is there any way to avoid that, can we assign a different name, other 
>>> than .html ?
>>>
>>> The number of .html attachments with links to a partial virus payload 
>>> and that are slipping through undetected is increasing and it's 
>>> worrying. I have a pretty decent proxy/filter but.........
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
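
Added example, not part of the original thread: a Python check of the MIME-aware distinction described above, which walks the MIME tree to separate the HTML body part from attached HTML files and compares the result with the pattern from the mimeheader rule. The message, address and filenames are constructed, and applying the pattern to the raw Content-Disposition value only approximates what SpamAssassin evaluates.

```python
import re
from email import message_from_string

# Pattern copied from the thread's mimeheader rule (case-sensitive, quoted name).
THREAD_RULE = re.compile(r'attachment; filename=".*\.html"')
HTML_SUFFIXES = (".html", ".htm", ".shtml")
# Constructed sample message: one HTML body part plus three HTML attachments.
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<p>HTML body part (what MailScanner names msg-<id>.html)</p>
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<p>attachment</p>
--b1
Content-Type: text/html
Content-Disposition: attachment; filename=REPORT.HTML

<p>attachment</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="page.shtml"

<p>attachment</p>
--b1--
"""

def classify(raw):
    """Return (filename, mime_aware_hit, thread_rule_hit) for every leaf part."""
    rows = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename()          # None for the plain HTML body part
        disp = part.get("Content-Disposition", "")
        aware = bool(name) and name.lower().endswith(HTML_SUFFIXES)
        rows.append((name, aware, bool(THREAD_RULE.search(disp))))
    return rows

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

The body part carries no filename and is never flagged; differences between the two hit columns show where a rule under test needs the `/i` modifier, optional quotes, or additional extensions.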

