This is a bit weird.

I have the following rules in my local.cf:

rawbody MY_PERCENT_OBFU /\%..\%..\%../i
describe MY_PERCENT_OBFU Tries to OBFU link with % signs
score MY_PERCENT_OBFU 1.55

rawbody MY_IMAGE_FILE /.*name=.*\.(pic|gif|jpg)("|$)/
describe MY_IMAGE_FILE Includes an image file either embedded or otherwise
score MY_IMAGE_FILE 1.5

meta MY_META1_TEST (( MY_PERCENT_OBFU + MY_IMAGE_FILE ) > 1)
describe MY_META1_TEST combination of two signatures
score MY_META1_TEST 3.5

Specifically so I can catch these guys that are using the p-i-c dot g-i-f embedded image with obfuscated URL....and this got through last night

<SNIP MESSAGE SOURCE>
X-SpamCheck: not spam, SpamAssassin (score=4.6, required 6, BAYES_90 3.52, NO_REAL_NAME 1.15)
X-SpamScore: ssss
Status:

This is a multi-part message in MIME format.

------=_NextPart_000_0012_01C27DD2.75377C90
Content-Type: multipart/related; type="multipart/alternative";
 boundary="----=_NextPart_002_0012_01C27DD2.75377C90"

------=_NextPart_002_0012_01C27DD2.75377C90
Content-Type: multipart/alternative;
 boundary="----=_NextPart_001_0012_01C27DD2.75377C90"

------=_NextPart_001_0012_01C27DD2.75377C90
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

I advise you ge DfY Ctrudeau

------=_NextPart_001_0012_01C27DD2.75377C90
Content-Type: text/html
Content-Transfer-Encoding: 8bit

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Qx9lRx6v</title></head>
<body bgcolor="#8F81C7" text="#496868">
<p><a href=""http://[EMAIL PROTECTED]:73%">http://[EMAIL PROTECTED]:%37%33%
30%31/%69%6E%64%2E%70%68%70"><img src="" width="185" height="306" border="0"></a> </p>
<p><font color="#8F81C7">No thanks Ctrudeau ThT We've been cut off LUGHA</font></p>
<p><a href=""http://[EMAIL PROTECTED]:73">http://[EMAIL PROTECTED]:%37%33
%30%31/%69%6E%64%2E%70%68%70?f2H2VekW"><img src="" width="37" height="8" border="0"></a></p>
<p><font color="#8F81C3">UBoa What's new?
G Ctrudeau without any TgFhK</font></p>
</body>
</html>

------=_NextPart_001_0012_01C27DD2.75377C90--

------=_NextPart_002_0012_01C27DD2.75377C90
Content-Type: image/gif; name="pic.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pic.gif"
Content-ID: <pic.gif>
</SNIP>

How is it possible I missed this one? Maybe I'm missing something.

CT
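
One way to check the two patterns and the meta expression offline, as an added example that is not part of the original post: it applies each regex line by line to a constructed excerpt modelled on the message above. Line-by-line matching over the undecoded MIME body is an assumption about what rawbody sees; the function name, the sample and its host are made up here.

```python
import re

# The two rawbody patterns from the local.cf above, ported to Python's re.
RAWBODY_RULES = {
    "MY_PERCENT_OBFU": re.compile(r"%..%..%..", re.IGNORECASE),
    "MY_IMAGE_FILE": re.compile(r'.*name=.*\.(pic|gif|jpg)("|$)'),
}
SCORES = {"MY_PERCENT_OBFU": 1.55, "MY_IMAGE_FILE": 1.5, "MY_META1_TEST": 3.5}

# Constructed sample modelled on the quoted message (host is a placeholder).
SAMPLE = """\
------=_NextPart_001
Content-Type: text/html
Content-Transfer-Encoding: 8bit

<p><a href="http://user@host.example:%37%33%
30%31/%69%6E%64%2E%70%68%70"><img src="" width="185"></a></p>
------=_NextPart_002
Content-Type: image/gif; name="pic.gif"
Content-Transfer-Encoding: base64
"""

def evaluate(raw_body):
    """Return ({rule: first matching line}, added score) for a raw body."""
    hits = {}
    for line in raw_body.splitlines():  # assumption: rules see one line at a time
        for name, rx in RAWBODY_RULES.items():
            if name not in hits and rx.search(line):
                hits[name] = line
    # meta MY_META1_TEST ((MY_PERCENT_OBFU + MY_IMAGE_FILE) > 1):
    # each sub-rule counts 1 when hit, so the sum exceeds 1 only if both hit.
    if ("MY_PERCENT_OBFU" in hits) + ("MY_IMAGE_FILE" in hits) > 1:
        hits["MY_META1_TEST"] = "(meta)"
    return hits, round(sum(SCORES[n] for n in hits), 2)

if __name__ == "__main__":
    hits, total = evaluate(SAMPLE)
    for name, line in hits.items():
        print(f"{name:16} {SCORES[name]:5}  {line}")
    print("added score:", total)
```

If both patterns hit in a check like this while the X-SpamCheck header lists neither rule, the places left to look are whether the scanner loaded this local.cf (`spamassassin --lint` reports rule syntax errors) and what text rawbody actually receives.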