Blocking 3D text content?

[killmasta93]

Hi,
i was wondering if someone else has accomplish blocking content which users fall easy which is the attachment that shows blur photo which is the 3D text HTML.
Im not sure on the regex how would i be able to block this content?

This is the code i found out in the email

<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1">

the closest thing i found on the filter blocking was

image/x-3ds (3ds)

which is not the case
Thank you

This an email that came in

https://pastebin.com/d7Xf2YDP

 

[dcsapak]

that '3D' has nothing to do with the actual content, it is just an artifact of the encoding 'quoted-printable' [0]
in that case the character '=' is translated to '=3D'

this is done so that characters can be transmitted in email without causing any problems with encoding

so in you example:

<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-= 1">

is really

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

so 'normal' html code


0: https://en.wikipedia.org/wiki/Quoted-printable

 

[killmasta93]

Thanks for the reply, so my question is how does one put that photo in an email making it look like a blur attachment? how would that be called?

 

[dcsapak]

X-SPAM-LEVEL: Spam detection results:  1
BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
FREEMAIL_ENVFROM_END_DIGIT   0.25 Envelope-from freemail username ends in digit (cobranzalatinoltda22[at]hotmail.com)
FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider (cobranzalatinoltda22[at]hotmail.com)
HTML_IMAGE_ONLY_16      1.092 HTML: images with 1200-1600 bytes of words
HTML_MESSAGE            0.001 HTML included in message
HTML_SHORT_LINK_IMG_2   0.001 HTML is very short with a linked image
MALFORMED_FREEMAIL      1.723 Bad headers on message from free email service
MISSING_HEADERS         1.021 Missing To: header
RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
SPF_PASS               -0.001 SPF: sender matches SPF record

ok according to the header, the e-mail would have had 3.8 spam points (which would have been quarantined by the default rule set) but due to bayes it got -1.9 points which resulted in 1.9

so i guess this is just a case where bayes hurts more than you gain from it

 

[killmasta93]

Thanks for the reply, correct even though i have the spam points to 5 but the email was a hotmail but the issue is the link of the photo how would one block those type of content?

 

[dcsapak]

e is the link of the photo how would one block those type of content?

well it is a normal inline image, you can block all mails with images, but i doubt you want to do that..

 

[killmasta93]

thanks for the reply, the question is how could i block imagines that contain the URL?

 

[hata_ph]

Have you try set up a content type filter to block/quarantine the email?

 

[killmasta93]

Thanks for the reply, i tried with content type filter but could not get it work i know im missing something just dont know what

 

[hata_ph]

Maybe you want to check out postfix's body_check or spamassassin's custom rules.

https://manpages.debian.org/testing/postfix/body_checks.5.en.html
https://www.linuxbabe.com/mail-server/block-email-spam-check-header-body-with-postfix-spamassassin

 

[killmasta93]

Thanks for the reply, but im not sure if all emails contain the 3D

/etc/postfix/body_checks:
    /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
        REJECT IFRAME vulnerability exploit