Re: Missing Content-Type on UPS Phish

From: Kevin A. McGrail <KMcGrail_at_nospam>
Date: Tue Aug 16 2011 - 10:47:42 GMT
To: John Hardin <jhardin@impsec.org>

> Apart from trusting the filename extension? Examining the first few
> bytes of the attachment for non-ASCII characters (excluding UTF
> encoding markers) is the only thing that springs to mind.
>
> File::Type perhaps? Or is that overkill?
>
File::Type wouldn't be overkill if Content Type is missing.

I also think if the Content Type is missing completely, wouldn't that be
a good rule? Any indicators that this happens with Ham?

Regards,
KAM

This message: [ Message body ]
Next message: John Hardin: "Re: Missing Content-Type on UPS Phish"
Previous message: Henrik Krohns: "Re: Missing Content-Type on UPS Phish"
In reply to: John Hardin: "Re: Missing Content-Type on UPS Phish"
Next in thread: John Hardin: "Re: Missing Content-Type on UPS Phish"
Reply: John Hardin: "Re: Missing Content-Type on UPS Phish"
Reply: Henrik Krohns: "Re: Missing Content-Type on UPS Phish"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]