Snort mailing list archives

Re: A question on SMTP normalization


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 13 Nov 2012 11:47:39 -0500

On Nov 13, 2012, at 11:19 AM, "Lay, James" <james.lay () wincofoods com> wrote:

Hey all,
 
Most of the time email sigs fire normally.  Occasionally I get one that slips through, and I’m guessing it’s due to 
the content type:
 
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=3Dwindows-1252
Rules that look for say the below fail:
 
he link to this secure message will expire in 24 hours. If you would  li=
ke to save a copy of the email or attachment, please save from the  opene=
d encrypted email. If an attachment is included, you will be given  the o=
ption to download a copy of the attachment  to your computer.<br />
<br />
To view your secure message, <a href=3D"hxxp://a3australia.com/zcRDxLj/in=
dex.html" target=3D"_blank"> click here</a>.
 
Is there a way to… “normalize” this type of encoding?  Thanks all.

Do you have a pcap with this behavior?  I have a couple thoughts here, and I want to check on some things.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
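
Added example, not part of the original thread: a Python sketch of why the byte patterns in the question miss on a quoted-printable body and hit once each MIME part is decoded according to its Content-Transfer-Encoding. The message, addresses, URL and patterns are constructed for illustration, modelled on the excerpt quoted above.

```python
import email
from email import policy

# Constructed sample modelled on the quoted excerpt (placeholder sender and URL).
SAMPLE = b"\r\n".join([
    b"From: sender@example.invalid",
    b"Subject: Secure message",
    b"MIME-Version: 1.0",
    b"Content-Type: text/html; charset=windows-1252",
    b"Content-Transfer-Encoding: quoted-printable",
    b"",
    b"The link to this secure message will expire in 24 hours. If you would li=",
    b"ke to save a copy of the email or attachment, please save from the opene=",
    b"d encrypted email.<br />",
    b'To view your secure message, <a href=3D"hxxp://example.invalid/in=',
    b'dex.html" target=3D"_blank"> click here</a>.',
    b"",
])

def decoded_parts(raw: bytes):
    """Yield (content_type, decoded_bytes) for every leaf MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes quoted-printable or base64 per the part's
        # Content-Transfer-Encoding header: "=3D" becomes "=", and a
        # trailing "=" (soft line break) is removed with its newline.
        yield part.get_content_type(), part.get_payload(decode=True) or b""

def match_report(raw: bytes, patterns):
    """Return {pattern: (hit_in_raw_bytes, hit_after_decoding)}."""
    decoded = b"".join(body for _, body in decoded_parts(raw))
    return {p: (p in raw, p in decoded) for p in patterns}

# Hypothetical content strings a mail signature might look for.
PATTERNS = [b"would like to save", b'href="hxxp://', b"secure message"]

if __name__ == "__main__":
    for pat, (raw_hit, dec_hit) in match_report(SAMPLE, PATTERNS).items():
        print(f"{pat!r:28} raw={raw_hit!s:5} decoded={dec_hit}")
```

Only the pattern that neither spans a soft line break nor contains an `=` matches the raw bytes; the other two match only after decoding.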