Hello,

The problem is with the MIME decode. It is fixed in the latest CVS I think.

If your policy prevents you from using CVS here is what I do, and I think these are 
good generic rules to have anyhow.

body SWG_NO_SPACES_1  /[a-z]{30}/i
describe SWG_NO_SPACES_1 Very long word (30 letters), using hidden letters as spaces?

body SWG_NO_SPACES_2  /[a-z]{50}/i
describe SWG_NO_SPACES_2 Very long word (50 letters), using hidden letters as spaces?

body SWG_NO_SPACES_3  /[a-z]{70}/i
describe SWG_NO_SPACES_3 Very long word (70 letters), using hidden letters as spaces?

Score each as 1 say because they are cumulative. Some caution is needed because any 
base64 message which is not decoded is likely to trigger all three. 

I suppose one could use /[a-z0-9]{50}/i specifically for the base64 but I haven't 
tried this, it has not been necessary.
NB + / etc  should not be included IMHO to avoid false positives with arty sigs etc

NB The rules will trigger on base64 that is not decoded, and on decoded messages using 
a variety of techniques to combat SA

I know a way around this (which I don't want to publicise:-)) ) but so far I have not 
received any spam using the technique I thought of. Hopefully by the time I do I will 
already have figured out a rule to deal with it.


Stuart Gall  
Systems Administrator
-------------------------------------------------------------------------------------------------------------
Critical Error: REALITY.SYS Corrupted! Reboot universe? (y/n) [y]:

----- Original Message ----- 
From: "R.W." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 06, 2003 3:02 PM
Subject: [SAtalk] SA not catching spam obscured with character codes and tags


> 
> I have an account at fastmail.fm, and SA, which was once very
> effective, is now passing a lot of spam with scores <3 
> 
> Virtually all of this spam has html text with the following
> characteristics: 
> 
> 1)  it's obfuscated with a combination of both tags and character
> codes
> 2)  it's base64 encoded
> 
> This spam is full of obvious spam phrases which are not getting
> detected.
> 
> What is the status of this problem in SA development? 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
> thread debugger on the planet. Designed with thread debugging features
> you've never dreamed of, try TotalView 6 free at www.etnus.com.
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
> 
>
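
The behaviour described in the reply above, as an added example that is not part of the original message: the three rules and the untried /[a-z0-9]{50}/i variant are applied to constructed sample bodies to show the cumulative score and the undecoded-base64 caution. Python's re module stands in for SpamAssassin's rule engine, and the helper names and sample texts are assumptions.

```python
import base64
import re

# The three body rules from the message, 1 point each as it suggests.
RULES = {
    "SWG_NO_SPACES_1": re.compile(r"[a-z]{30}", re.I),
    "SWG_NO_SPACES_2": re.compile(r"[a-z]{50}", re.I),
    "SWG_NO_SPACES_3": re.compile(r"[a-z]{70}", re.I),
}
# The untried variant the message mentions for undecoded base64.
BASE64_RUN = re.compile(r"[a-z0-9]{50}", re.I)


def hits(body):
    """Names of the rules that fire on a body, in rule order."""
    return [name for name, rx in RULES.items() if rx.search(body)]


def score(body):
    """Cumulative score: a longer run also satisfies every shorter rule."""
    return len(hits(body))


def mime_base64(text):
    """Base64 as it appears in an undecoded MIME part: 76-character lines."""
    return base64.encodebytes(text.encode("ascii")).decode("ascii")


# Constructed samples (not real mail).
PLAIN = "Please find the meeting notes attached. Let me know about Tuesday."
# Spaces replaced by a filler letter, giving one 55-letter "word".
OBFUSCATED = "x".join(["limited", "offer", "click", "here", "for", "your",
                       "free", "trial", "today", "only"])
# Chosen so every encoded line is letters only: the worst case for the rules.
WORST_CASE = "is " * 57
# Ordinary text; its base64 mixes letters and digits.
ORDINARY = "Dear customer, thank you for your order. It will ship on Monday."

if __name__ == "__main__":
    for label, body in [("plain", PLAIN), ("obfuscated", OBFUSCATED),
                        ("worst case, decoded", WORST_CASE),
                        ("worst case, undecoded", mime_base64(WORST_CASE)),
                        ("ordinary, undecoded", mime_base64(ORDINARY))]:
        print(f"{label:22} score={score(body)} hits={hits(body)} "
              f"base64_run={bool(BASE64_RUN.search(body))}")
```

Running it prints one line per sample, so the effect of decoding a part before the rules see it can be compared directly.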

