Bill> We may need expanded rules to handle obfuscation. The following
Bill> javascript decodes into another obfuscation javasscript. I didn't
Bill> have time to persue it further (what the sender is counting on i
Bill> suppose)...
Well, I wasted a couple minutes this morning translating it to Python and
executing it in an interpreter shell... ;-) When all is said and done it
expands to
<base href="http://images.adultplex.com/AP1/pgirl/";>
I don't know what triggers are set up for Javascript beyond what's in 2.20
but the presence of something.charCodeAt or String.fromCharCode seems like a
surefire sign of obfuscation. I'd suggest a rule something like:
rawbody OBFUSCATING_JAVASCRIPT /charCodeAt|fromCharCode/
describe OBFUSCATING_JAVASCRIPT JavaScript which tries to hide the message
--
Skip Montanaro
[EMAIL PROTECTED]
consulting: http://manatee.mojam.com/~skip/resume.html
_______________________________________________________________
Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -
http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
