Some of legitimate mails here are being hit with rather high KAM_OCTET_PHISH=3
it seems to trigger when I have both text/html and application/octet-stream
MIME parts.
reduced/sanitized example at: https://pastebin.com/D4vqKnLC
It seems to be multi-rule meta, but all those sub-rules seem to check
for mostly the same two things to my untrained eye:
mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.s?html?\b,i
mimeheader __KAM_VM5 Content-Type =~ /.s?html?\.?\"?($|;)/i
mimeheader __KAM_OCTET_PHISH1 Content-Type =~ /application\/octet-stream/i
meta KAM_OCTET_PHISH ( __KAM_OCTET_PHISH1 + ( __KAM_VM5 + T_OBFU_HTML_ATTACH >= 1) >= 2 )
describe KAM_OCTET_PHISH HTML File with the wrong MIME Type
score KAM_OCTET_PHISH 3.0
That is on Debian Bullseye spamassassin 3.4.6-1 (with extra KAM rulesets).
Can someone shed a light what is happening here, and is it supposed
to be happening?
--
Opinions above are GNU-copylefted.
it seems to trigger when I have both text/html and application/octet-stream
MIME parts.
reduced/sanitized example at: https://pastebin.com/D4vqKnLC
It seems to be multi-rule meta, but all those sub-rules seem to check
for mostly the same two things to my untrained eye:
mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.s?html?\b,i
mimeheader __KAM_VM5 Content-Type =~ /.s?html?\.?\"?($|;)/i
mimeheader __KAM_OCTET_PHISH1 Content-Type =~ /application\/octet-stream/i
meta KAM_OCTET_PHISH ( __KAM_OCTET_PHISH1 + ( __KAM_VM5 + T_OBFU_HTML_ATTACH >= 1) >= 2 )
describe KAM_OCTET_PHISH HTML File with the wrong MIME Type
score KAM_OCTET_PHISH 3.0
That is on Debian Bullseye spamassassin 3.4.6-1 (with extra KAM rulesets).
Can someone shed a light what is happening here, and is it supposed
to be happening?
--
Opinions above are GNU-copylefted.