Typo, I meant to say I was on SA 3.4.6.
On Wed, Aug 30, 2023, 3:22 PM Ricky Boone wrote:
> Something I noticed on a set of emails that were reported to me.
>
> I have custom rules to look out for certain names in From:name. The
> messages should have been caught by them, however upon inspection
Something I noticed on a set of emails that were reported to me.
I have custom rules to look out for certain names in From:name. The
messages should have been caught by them, however upon inspection the
name was UTF-8 encoded, and included a character that doesn't seem to
render, but interferes w
On Thursday, February 10th, 2022 at 16:33, Kris Deugau
wrote:
> (Please keep mail on-list)
Oops, replied too quick without checking this. Sorry.
> > Out of curiosity, I've tested it with a replace_tag rule (//)
> > without luck. Shouldn't those UTF8 range be added to the ReplaceTags plugin?
>
(Please keep mail on-list)
Laurent S. wrote:
On Tuesday, February 8th, 2022 at 16:41, Kris Deugau wrote:
I have a longish list of rule groups similar to below for different
extended UTF8 ASCII-lookalike characters and words. Some are derived
from rules discussed on this list within the past y
ome extended UTF8 lookalike
that's... oo! in *italics*!
Naturally the spammers go to various amounts of effort to avoid the ones
that are clearly different.
Is there any way to detect this type of obfuscation with a spamassassin
rule?
I have a longish list of rule groups si
h the naked eye. You can
obfuscate text using this online tool: https://obfuscator.uo1.net/
Is there any way to detect this type of obfuscation with a spamassassin
rule?
Best regards,
Frido Otten
Good day Guys
Something I came across, and thought I would share / forward
https://gbhackers.com/hackers-using-new-obfuscation-mechanisms-to-evade-detection-of-phishing-campaign/
Hope this helps.
Regards
Brent
On 26 Jan 2019, at 23:43, Mark London wrote:
Does anyone have any rules that can catch this type of obfuscated
spam?
https://pastebin.com/qi8dsREW
Thanks. - Mark
I've been playing with a suite of rules around a concept that hits this
example for a while, but haven't gotten around to doing
On 27 Jan 2019, at 0:46, John Hardin wrote:
why would legitimate emails include invisible text?
Probably the same reason legitimate emails for an almost exclusively US
audience (from "America's Text Kitchen") contain "Zero Width
Non-Joiners" both in plain text parts as UTF-8 characters and a
On Sat, 26 Jan 2019, John Hardin wrote:
On Sat, 26 Jan 2019, Mark London wrote:
Does anyone have any rules that can catch this type of obfuscated spam?
https://pastebin.com/qi8dsREW
There's some "invisible font" subrules in my sandbox that this hits
(__STY_INVIS_MANY, __FONT_INVIS_MANY) bu
PLEASE UNSUBSCRIBE ME TO THESE EMAILS! I NEVER SIGNED UP FOR THIS AND I DON'T
UNDERSTAND ANY OF THIS! PLEASE!
> On Jan 26, 2019, at 9:55 PM, Rupert Gallagher wrote:
>
> I would focus on the headers: they have plenty for a spam flag. On the body,
> SA should already mark the text/code ratio, and
I would focus on the headers: they have plenty for a spam flag. On the body, SA
should already mark the text/code ratio, and the number of links.
On Sun, Jan 27, 2019 at 05:43, Mark London wrote:
> Does anyone have any rules that can catch this type of obfuscated spam?
>
> https://pastebin.com/
On Sat, 26 Jan 2019, Mark London wrote:
Does anyone have any rules that can catch this type of obfuscated spam?
https://pastebin.com/qi8dsREW
There's some "invisible font" subrules in my sandbox that this hits
(__STY_INVIS_MANY, __FONT_INVIS_MANY) but scored versions aren't currently
expose
Does anyone have any rules that can catch this type of obfuscated spam?
https://pastebin.com/qi8dsREW
Thanks. - Mark
Hi - Here's another form of obfuscation spam. This time, not a porn
blackmail one. Almost the whole text is obfuscated.
https://pastebin.com/VURwmrrF
You say obfuscated, but it looked completely unreadable to me.
The text/plain part is garbage, but the text/html part renders to a
m
On Wed, 12 Dec 2018, Mark London wrote:
Sorry, try this one, which was sent a day later, which is readable.
https://pastebin.com/edit/5ASMFah
I just put it through the latest spamassassin rules. I see that it's
hitting some of the new rules:
T_HTML_SHRT_CMNT_OBFU_MANY,T_MIXED_ES,UNICODE_O
On 12/12/2018 8:01 AM, users-digest-h...@spamassassin.apache.org wrote:
On 10 Dec 2018, at 14:13, RW wrote:
On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:
Hi - Here's another form of obfuscation spam. This time, not a porn
blackmail one. Almost the whole text is obfuscated.
On 11 Dec 2018, at 7:52, RW wrote:
On Mon, 10 Dec 2018 16:02:33 -0500
Bill Cole wrote:
On 10 Dec 2018, at 14:13, RW wrote:
On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:
Hi - Here's another form of obfuscation spam. This time, not a
porn blackmail one. Almost the whole te
On Mon, 10 Dec 2018 16:02:33 -0500
Bill Cole wrote:
> On 10 Dec 2018, at 14:13, RW wrote:
>
> > On Mon, 10 Dec 2018 12:45:53 -0500
> > Mark London wrote:
> >
> >> Hi - Here's another form of obfuscation spam. This time, not a
> >> porn black
On 10 Dec 2018, at 14:13, RW wrote:
On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:
Hi - Here's another form of obfuscation spam. This time, not a porn
blackmail one. Almost the whole text is obfuscated.
https://pastebin.com/VURwmrrF
You say obfuscated, but it looked compl
On Mon, 10 Dec 2018, Mark London wrote:
Hi - Here's another form of obfuscation spam. This time, not a porn
blackmail one. Almost the whole text is obfuscated.
https://pastebin.com/VURwmrrF
__UNICODE_OBFU_ASC hits that pretty well, but the FP avoidance for the
scored version was
On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:
> Hi - Here's another form of obfuscation spam. This time, not a porn
> blackmail one. Almost the whole text is obfuscated.
>
> https://pastebin.com/VURwmrrF
>
You say obfuscated, but it looked completely unreadable to me.
Hi - Here's another form of obfuscation spam. This time, not a porn
blackmail one. Almost the whole text is obfuscated.
https://pastebin.com/VURwmrrF
I had a high score assigned to the rule HTML_OBFUSCATE_90_100, which is
why the message got a high spam rating. By default though,
On Fri, 2015-01-02 at 06:18 -0600, Dave Pooser wrote:
> Wouldn't that have to be a rawbody rule?
>
Thanks, Dave. I thought I was probably missing something obvious and
that was it.
Martin
On 1/2/15 6:08 AM, "Martin Gregorie" wrote:
>The resulting
>regexes pass SA lint tests and match example spam when run as, for
>instance
>
>grep -P '\&\#959;'
>but don't generate hits when used in an SA body rule as:
>
>body MG_OBFUSCATION /\&\#959;/
Wouldn't that have to be a rawbody
On Fri, 2015-01-02 at 09:15 +0100, Joolee wrote:
> You can start with http://homoglyphs.net/?unicodepos=1 and the search term
> homoglyphs might get you even more extensive lists.
>
I realised that this was spam containing homoglyphs: a look at the
message showed it to be using an abnormal size an
ew (to me
>> anyway) form of obfuscation which can only be used inside HTML body text
>> using us-ascii encoding. The obfuscation was apparently aimed at SA and
>> similar scanners because it's not obvious to anybody reading the message:
>> every 'o' (0x6f) in the text i
On 01/01/15 02:54, John Hardin wrote:
Is there such a list anywhere already that could be leveraged? I know we
were discussing unicode normalization of body text at one point, is
there anything there we could use?
I found
http://unicode.org/cldr/utility/confusables.jsp#data
http://www.irong
On Wed, 31 Dec 2014, Martin Gregorie wrote:
During last night I received a phishing message with a new (to me
anyway) form of obfuscation which can only be used inside HTML body text
using us-ascii encoding. The obfuscation was apparently aimed at SA and
similar scanners because it's not obvious
On Wed, 31 Dec 2014 12:42:52 +
Paul Stead wrote:
>
> On 31/12/14 12:22, Martin Gregorie wrote:
> > During last night I received a phishing message with a new (to me
> > anyway) form of obfuscation which can only be used inside HTML body
> > text using us-ascii encod
On 31/12/14 12:22, Martin Gregorie wrote:
During last night I received a phishing message with a new (to me
anyway) form of obfuscation which can only be used inside HTML body text
using us-ascii encoding. The obfuscation was apparently aimed at SA and
similar scanners because it's not obvious
During last night I received a phishing message with a new (to me
anyway) form of obfuscation which can only be used inside HTML body text
using us-ascii encoding. The obfuscation was apparently aimed at SA and
similar scanners because it's not obvious to anybody reading the message:
every
On 09/11/2013 06:50 AM, Celene wrote:
I am getting a lot of spam with subjects that should be matched by SA,
but can't be because the spammer has added spaces in the subject.
Is there some way to match these?
Samples:
Ben dove rF ucke d
Exerc ise
Pov Athle te
Please post a couple of samples o
I am getting a lot of spam with subjects that should be matched by SA,
but can't be because the spammer has added spaces in the subject.
Is there some way to match these?
Samples:
Ben dove rF ucke d
Exerc ise
Pov Athle te
Thanks!
Celene
On Wed, 2012-06-13 at 03:04 +0200, Wolfgang Zeikat wrote:
> On 2012-06-12 20:52, Martin Gregorie wrote:
>
> > so it's probably worth treating .gg
> > the same way as .cn and .ru, though for slightly different reasons.
>
> Unless you're in .cn, .ru or vicinity or have correspondence partners
> t
On 2012-06-12 20:52, Martin Gregorie wrote:
> so it's probably worth treating .gg
> the same way as .cn and .ru, though for slightly different reasons.
Unless you're in .cn, .ru or vicinity or have correspondence partners
there, you may be right.
wolfgang
On Tue, 2012-06-12 at 18:47 +0100, Stephane Chazelas wrote:
> 2012-06-12 16:36:44 +0100, Martin Gregorie:
> > Today I got a piece of spam carrying the URL chasovik.it.gg as its
> > payload. I was intrigued because I didn't think .gg was a valid tld and
> > looked it up with 'whois'. Sure enough, no
2012-06-12 16:36:44 +0100, Martin Gregorie:
> Today I got a piece of spam carrying the URL chasovik.it.gg as its
> payload. I was intrigued because I didn't think .gg was a valid tld and
> looked it up with 'whois'. Sure enough, no match was found. However,
> 'host' resolved it as 80.190.202.40 and
On Tue, 2012-06-12 at 17:24 +0100, s...@yacc.co.uk wrote:
> .gg is Guernsey ... it's definitely there ... I can see it out the
> window :)
>
Thanks for that clarification. I wasn't as clear as I could have been.
The URL in the spam body was unknown to 'whois' but was resolved by
'host'. I've previ
> From: Martin Gregorie [mailto:mar...@gregorie.org]
> Sent: 12 June 2012 16:37
> To: Spamassassin users list
> Subject: Is this a new typoe of URI obfuscation?
>
> Today I got a piece of spam carrying the URL chasovik.it.gg as its
> payload. I was intrigued because I d
On 6/12/12 11:36 AM, Martin Gregorie wrote:
Today I got a piece of spam carrying the URL chasovik.it.gg as its
payload. I was intrigued because I didn't think .gg was a valid tld and
looked it up with 'whois'.
that just means that the tld provider is violating RFCs, not that the
tld is invalid:
On Tue, 12 Jun 2012 16:36:44 +0100
Martin Gregorie wrote:
> Today I got a piece of spam carrying the URL chasovik.it.gg as its
> payload. I was intrigued because I didn't think .gg was a valid tld
> and looked it up with 'whois'. Sure enough, no match was found.
.gg is a valid TLD: http://en.wik
okup on the IP
resolved to homepage-baukasten.de, which is known to 'whois'.
This is the first time I've seen this type of obfuscation. Has anybody
else seen it? If so is it at all common, and how can it be set up apart
from using some form of DNS poisoning exploit?
Martin
On Mon, 5 Oct 2009, Karsten Bräckelmann wrote:
On Mon, 2009-10-05 at 19:56 +0200, Benny Pedersen wrote:
On man 05 okt 2009 17:16:06 CEST, Karsten Bräckelmann wrote
Without checking -- I believe, all you need is a redirector_pattern for
the IP redirector, to extract the target URI. The list o
On Mon, 2009-10-05 at 11:21 -0700, John Hardin wrote:
> On Mon, 5 Oct 2009, Warren Togami wrote:
>
> > Did the old rule decode %2E%63%6E as .cn though?
>
> The URI parser does that for you:
>
> [11433] dbg: rules: ran uri rule ALL_URI ==> got hit:
> "http://fnord:b...@321%2e%63%6e";
> [114
On Mon, 2009-10-05 at 19:56 +0200, Benny Pedersen wrote:
> On man 05 okt 2009 17:16:06 CEST, Karsten Bräckelmann wrote
> > Without checking -- I believe, all you need is a redirector_pattern for
> > the IP redirector, to extract the target URI. The list of URIs should
> > also contain a cleaned ve
On 10/05/2009 11:27 AM, John Hardin wrote:
Warren:
I guess that's an argument against anchoring CN_EIGHT at the beginning
of the URI...
I wasn't the one that suggested anchoring.
Did the old rule decode %2E%63%6E as .cn though?
Warren
On man 05 okt 2009 17:16:06 CEST, Karsten Bräckelmann wrote
Without checking -- I believe, all you need is a redirector_pattern for
the IP redirector, to extract the target URI. The list of URIs should
also contain a cleaned version of the extracted target URI, with the
escapes converted.
i hav
On man 05 okt 2009 17:06:19 CEST, Joseph Brennan wrote
Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
then %2E%63%6E for .cn
yahoo accept content to be on their ip ?
let's block that ip so
--
xpoint
On Mon, 2009-10-05 at 08:27 -0700, John Hardin wrote:
> I guess that's an argument against anchoring CN_EIGHT at the beginning of
> the URI...
No, it is not.
It's an argument for a new redirector_pattern. The extracted target URIs
are provided for uri rules.
Or alternatively, seriously kicking
On Mon, 5 Oct 2009, Joseph Brennan wrote:
From spam today:
href="http://66.196.80.202/babelfish/translate_url_content?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E";
style="text-decoration: none; color: #0099ff;">click here
Double obfuscati
On Mon, 2009-10-05 at 11:06 -0400, Joseph Brennan wrote:
> Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
> then %2E%63%6E for .cn
Without checking -- I believe, all you need is a redirector_pattern for
the IP redirector, to extract the target URI. The list o
From spam today:
href="http://66.196.80.202/babelfish/translate_url_content?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E";
style="text-decoration: none; color: #0099ff;">click here
Double obfuscation-- first the indirect through 66.196.80
Hi Karsten,
Am 2009-08-28 12:27:38, schrieb Karsten Bräckelmann:
> Which one do you refer to as "original"?
The Autoresponder I think, because your reply on 2009-08-28 03:34:23 was
the first I have gotten, so I assume, the message you have replied to
was the OP.
> The original post is not spa
On Fri, 2009-08-28 at 12:10 +0200, Michelle Konzack wrote:
> Hallo Karsten,
>
> is your spamassassin on holiday?
>
> Here, spamassassin has caught the original
> message and I have never seen it..
Which one do you refer to as "original"?
The original post is not spam, and should not be caught
Hallo Karsten,
is your spamassassin on holiday?
Here, spamassassin has caught the original
message and I have never seen it..
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Linux-User #280138 with
Irish Online Help Desk wrote:
>
> When I send a test message for my broadcast email I am receiving “0.6
> HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation” in
> the spam score. It is a pretty basic email message with a few
> hyperlinks and a numbered list. Can y
See, this is one of the reasons why I prefer NOT to moderate through
posts by non-subscribers.
I am *seriously* trying hard not to use any words that are inappropriate
for a public list. Funnily enough, I can't even begin to explain how I
feel about trying to help you and getting that bloody reply
Not subscribed. You are missing the on-list replies. Well, if any
useful, given that post...
On Wed, 2009-08-26 at 11:30 -0400, Irish Online Help Desk wrote:
> When I send a test message for my broadcast email I am receiving “0.6
> HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfus
On Wed 26 Aug 2009 05:30:31 PM CEST, Irish Online Help Desk wrote
When I send a test message for my broadcast email I am receiving "0.6
HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation" in the
spam score. It is a pretty basic email message with a few hyperlinks and
When I send a test message for my broadcast email I am receiving "0.6
HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation" in the
spam score. It is a pretty basic email message with a few hyperlinks and a
numbered list. Can you explain what may be causing this
Arvid Ephraim Picciani wrote:
Heya,
wondering if someone got a rule for those.
For me it's too low volume to care.
see attached mail.
The sender isn't on any BL yet (might be in a few hours) , but the URL is
already on uribl.com. SA doesn't detect the "obfuscation"
Heya,
wondering if someone got a rule for those.
For me it's too low volume to care.
see attached mail.
The sender isn't on any BL yet (might be in a few hours) , but the URL is
already on uribl.com. SA doesn't detect the "obfuscation" unfortunately.
The bayes poison beg
On Mon, 16 Jun 2008, mouss wrote:
Chip M. wrote:
Just noticed a new (to me) Geocities obfuscation technique that uses
embedded relative path(s):
http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba
That breaks my own subsite extraction code. :(
"/.&
Chip M. wrote:
Just noticed a new (to me) Geocities obfuscation technique that uses
embedded relative path(s):
http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba
That breaks my own subsite extraction code. :(
The pedantic part of my brain wants to rewrite my
At 08:06 16-06-2008, Chip M. wrote:
Just noticed a new (to me) Geocities obfuscation technique that uses
embedded relative path(s):
http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba
That breaks my own subsite extraction code. :(
[snip]
Other than borked mailing
Just noticed a new (to me) Geocities obfuscation technique that uses
embedded relative path(s):
http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba
That breaks my own subsite extraction code. :(
The pedantic part of my brain wants to rewrite my code to
auto-adjust
On Sunday 23 March 2008 14:10:18 The Doctor wrote:
> Where should this be added?
to your custom rules.
i suggest editing local.cf and adding the following line:
include /etc/spamassassin/myrules
then make that directory and put your custom rules in it (one file is one
rule)
you can also put all ru
On Sat, Mar 22, 2008 at 09:26:39PM -0400, Joseph Brennan wrote:
>
>> that's a dynamic ip from telecomitalia. i'm getting lots of spam from
>> there but the ips are in no dynamic list. is there a more complete list
>> of dynamic hosts?
>
> We are currently doing this:
>
>
> # Telecomitalia. ISP wi
On Sunday 23 March 2008 02:26:39 Joseph Brennan wrote:
> > that's a dynamic ip from telecomitalia. i'm getting lots of spam from
> > there but the ips are in no dynamic list. is there a more complete list
> > of dynamic hosts?
>
> We are currently doing this:
http://sarah.ibcsolutions.de/~aep/sa/7
On Saturday 22 March 2008 21:31:13 Karsten Bräckelmann wrote:
> On Sat, 2008-03-22 at 19:31 +0100, Arvid Ephraim Picciani wrote:
> > > http://rafb.net/p/S95P6c12.html
>
> Yes, this is a spam alright. The Message-Id alone tells so. See my rule
> KB_RATWARE_MSGID in bug 5830 [1].
> [1] https://issues
that's a dynamic ip from telecomitalia. i'm getting lots of spam from
there but the ips are in no dynamic list. is there a more complete list
of dynamic hosts?
We are currently doing this:
# Telecomitalia. ISP with a big spam problem
# A rare exception found had a .it tld sender, so let's
mouss wrote:
Arvid Ephraim Picciani wrote:
On Saturday 22 March 2008 19:52:46 SM wrote:
He was referring to the URL that is wrapped into two lines with the
quoted-printable encoding. It is parsed correctly.
so that's no error or invalid markup? ok well in this case... sorry
for the fals
> you need to show the raw body. http://ec=xz... is invalid and results
> in an error when I click on. even with quoted printable, it is still
> invalid because '=' must be followed by hex characters (0-9a-fA-F).
Dude, see the OP. :) He did provide the full, raw message.
This very snippet is
On Sat, 2008-03-22 at 19:31 +0100, Arvid Ephraim Picciani wrote:
> > http://rafb.net/p/S95P6c12.html
Yes, this is a spam alright. The Message-Id alone tells so. See my rule
KB_RATWARE_MSGID in bug 5830 [1].
> second, i'd love to go and slap some ISPs a round a little for not even
> having
> an
Arvid Ephraim Picciani wrote:
On Saturday 22 March 2008 19:52:46 SM wrote:
He was referring to the URL that is wrapped into two lines with the
quoted-printable encoding. It is parsed correctly.
so that's no error or invalid markup? ok well in this case... sorry for the
false alert.
At 11:37 22-03-2008, Arvid Ephraim Picciani wrote:
een">http://ec=xzpmi.oldbuild.cn/?175217540350";>Das b
see the "="?
imo it should be taken as a spam sign. no sane person pastes such urls unless
he/she intends to bypass url checks.
The sender's MUA formats and encodes the message. The URL may
On Saturday 22 March 2008 19:52:46 SM wrote:
> He was referring to the URL that is wrapped into two lines with the
> quoted-printable encoding. It is parsed correctly.
so that's no error or invalid markup? ok well in this case... sorry for the
false alert.
--
best regards/Mit freundlichen Grüße
At 11:27 22-03-2008, Justin Mason wrote:
what is the URL you think it's missing?
He was referring to the URL that is wrapped into two lines with the
quoted-printable encoding. It is parsed correctly.
Regards,
-sm
On Saturday 22 March 2008 19:27:15 Justin Mason wrote:
> works for me:
> Content analysis details: (14.3 points, 5.0 required)
wow that was fast. 5 minutes ago it was in none of those lists. now i get 14.8
points too.
> what is the URL you think it's missing?
that one:
> Contains an URL list
On Saturday 22 March 2008 19:10:03 Arvid Ephraim Picciani wrote:
> http://rafb.net/p/S95P6c12.html
i forgot two things:
that's a dynamic ip from telecomitalia. i'm getting lots of spam from there but
the ips are in no dynamic list. is there a more complete list of dynamic
hosts? i've seen sorbs d
Arvid Ephraim Picciani writes:
> Hi,
> seems that spammers are leaving encoding characters in the urls to make SA
> unable to parse it. my mailprogram (kmail currently) displays those urls
> _without_ the leftovers.
> http://rafb.net/p/S95P6c12.html
> i suggest taking this k
Hi,
seems that spammers are leaving encoding characters in the urls to make SA
unable to parse it. my mailprogram (kmail currently) displays those urls
_without_ the leftovers.
http://rafb.net/p/S95P6c12.html
i suggest taking this kind of obfuscation as a sign for spam (ie it should be
in the
Karsten Bräckelmann a écrit :
If you want to enforce a non-word char preceding this, the \W is fine.
However, the alternate anchor at the beginning of the string probably
will be rather useless. From the fine docs [1], body rule definitions:
"All HTML tags and line breaks will be removed befo
body WNG_OBFUVISTA /\Wista\b/i
would be my suggestion--I wouldn't worry too much about the exact
non-word character(s). The baddies might next do \ /ista, and a
precise rule for \/ista wouldn't catch it.
--Paul
Samuel Krieg wrote:
Hi there,
I'm trying to create a rule to identify "\/
On Thu, 2008-02-28 at 15:02 +0100, Samuel Krieg wrote:
> Karsten Bräckelmann a écrit :
> > On Thu, 2008-02-28 at 14:26 +0100, Samuel Krieg wrote:
> >> I'm trying to create a rule to identify "\/ista" (with backslash + slash).
> >>
> >> This does not seem to work:
> >>
> >> body WNG_OBFUVISTA
Karsten Bräckelmann a écrit :
On Thu, 2008-02-28 at 14:26 +0100, Samuel Krieg wrote:
I'm trying to create a rule to identify "\/ista" (with backslash + slash).
This does not seem to work:
body WNG_OBFUVISTA /\b\\\/ista\b/i
The backslash is not a word chara
On Thu, 2008-02-28 at 14:26 +0100, Samuel Krieg wrote:
> I'm trying to create a rule to identify "\/ista" (with backslash + slash).
>
> This does not seem to work:
>
> body WNG_OBFUVISTA /\b\\\/ista\b/i
The backslash is not a word character. Thus, the \b word bo
Hi there,
I'm trying to create a rule to identify "\/ista" (with backslash + slash).
This does not seem to work:
body WNG_OBFUVISTA /\b\\\/ista\b/i
score WNG_OBFUVISTA 1
Any idea?
Thanks.
--
Samuel Krieg
remedy dependencies
{^_^}
On Fri, 17 Nov 2006, Jeff Chan wrote:
> It seems that the particular URI obfuscation in:
>
> http://www.surbl.org/evidence/seruikiontunhfasnde.com.txt
>
> successfully confuses SpamAssassin 3.1.6 into not detecting the
> SURBL blacklisted URI.
How about a rule that adds
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Saturday, November 18, 2006 10:29 AM
> To: Michael Scheidell
> Cc: users@spamassassin.apache.org
> Subject: Re: URI obfuscation that confuses SA
>
>However, it's just doing a se
Michael Scheidell wrote:
> When I paste that (with the munged) in it I get a nasa web site.
> (maybe google built into firefox finds the nasa site)
>
>
> http://8ZC*2/F3B.seruikiontuMUNGED.com/?LHN-+IA-
>
>
> Scary crap.
>
> Hey nasa: is this even something you want public?
> I will send you link i
On Sat, November 18, 2006 14:45, Justin Mason wrote:
> http://8ZC*2/F3B.seruikiontuMUNGED.com/?LHN-+IA- >
> link
> Surely that doesn't work. certainly doesn't with any of my MUAs! anyone
> got a copy of Lookout or Outlook Express they can test with?
fedora core 6 x86_64 firefox 1.5.0.8 display
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Saturday, November 18, 2006 8:46 AM
> To: Matt Kettler
> Cc: Jeff Chan; SpamAssassin Users
> Subject: Re: URI obfuscation that confuses SA
>
>
>
> Matt Kettler writes:
> > Jeff
Matt Kettler writes:
> Jeff Chan wrote:
> > It seems that the particular URI obfuscation in:
> >
> > http://www.surbl.org/evidence/seruikiontunhfasnde.com.txt
> >
> > successfully confuses SpamAssassin 3.1.6 into not detecting the
> > SURBL blacklisted UR
Jeff Chan wrote:
> It seems that the particular URI obfuscation in:
>
> http://www.surbl.org/evidence/seruikiontunhfasnde.com.txt
>
> successfully confuses SpamAssassin 3.1.6 into not detecting the
> SURBL blacklisted URI.
>
Does that even work as a link? Doesn't
I run most of the production SARE rulesets here-- which would those be
in? Or are those some adhoc rules posted to the list that I didn't pick
up on? Just looking at where I might find the rules...
You're welcome to use mine (newly improved). All of these catch on
your sample:
body OBSF
hat I didn't pick
up on? Just looking at where I might find the rules...
Bret
> - Original Message -
> From: "Bret Miller" <[EMAIL PROTECTED]>
>
>
> I hadn't seen this type of obfuscation before, though I admit I don't
> watch the dropped
The SARE rules seem to catch that kind of thing rather neatly. In
particular these are caught by some of the anti-Leo rules that Loren
wrote.
{^_^}
- Original Message -
From: "Bret Miller" <[EMAIL PROTECTED]>
I hadn't seen this type of obfuscation before, though