This has been discussed. The rules will not hit because of the embedded MIME code. They simply ignore past the first level. I'm hoping someone will write an eval for this. As far as I know, no version of SA handles this. So we really need a simple eval for it.

I'm still a believer that we need a generic counter eval, so that we can simply say: if something shows up this many times, add this many points. In this case it would be the boundary or Content-Type lines.

This is why no one has been hitting on the pic.gif rule.

--Chris Santerre
This is a bit weird.

I have the following rules in my local.cf:

rawbody  MY_PERCENT_OBFU  /\%..\%..\%../i
describe MY_PERCENT_OBFU  Tries to OBFU link with % signs
score    MY_PERCENT_OBFU  1.55

rawbody  MY_IMAGE_FILE    /.*name=.*\.(pic|gif|jpg)("|$)/
describe MY_IMAGE_FILE    Includes an image file either embedded or otherwise
score    MY_IMAGE_FILE    1.5

meta     MY_META1_TEST    ((MY_PERCENT_OBFU + MY_IMAGE_FILE) > 1)
describe MY_META1_TEST    combination of two signatures
score    MY_META1_TEST    3.5

Specifically so I can catch these guys that are using the p-i-c dot g-i-f embedded image with obfuscated URL.... and this got through last night:
<SNIP MESSAGE SOURCE>
X-SpamCheck: not spam, SpamAssassin (score=4.6, required 6, BAYES_90 3.52, NO_REAL_NAME 1.15)
X-SpamScore: ssss
Status:

This is a multi-part message in MIME format.

------=_NextPart_000_0012_01C27DD2.75377C90
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_002_0012_01C27DD2.75377C90"

------=_NextPart_002_0012_01C27DD2.75377C90
Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_0012_01C27DD2.75377C90"

------=_NextPart_001_0012_01C27DD2.75377C90
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

I advise you ge
DfY Ctrudeau

------=_NextPart_001_0012_01C27DD2.75377C90
Content-Type: text/html
Content-Transfer-Encoding: 8bit

<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title>Qx9lRx6v</title></head>
<body bgcolor="#8F81C7" text="#496868">
<p><a href=""http://[EMAIL PROTECTED]:73%">http://[EMAIL PROTECTED]:%37%33% 30%31/%69%6E%64%2E%70%68%70"><img src="" width="185" height="306" border="0"></a> </p>
<p><font color="#8F81C7">No thanks Ctrudeau ThT We've been cut off LUGHA</font></p>
<p><a href=""http://[EMAIL PROTECTED]:73">http://[EMAIL PROTECTED]:%37%33 %30%31/%69%6E%64%2E%70%68%70?f2H2VekW"><img src="" width="37" height="8" border="0"></a></p>
<p><font color="#8F81C3">UBoa What's new? G Ctrudeau without any TgFhK</font></p>
</body> </html>

------=_NextPart_001_0012_01C27DD2.75377C90--

------=_NextPart_002_0012_01C27DD2.75377C90
Content-Type: image/gif; name="pic.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pic.gif"
Content-ID: <pic.gif>
</SNIP>
How is it possible I missed this one? Maybe I'm missing something.

CT
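The following is an added example in Python, not SpamAssassin code and not anything either poster wrote. It parses a constructed message with the same nesting as CT's snip (multipart/related inside the outer message, multipart/alternative with text/plain and text/html inside that, and an image/gif part named pic.gif beside it) and reports the depth at which each of CT's three local.cf rules would find something to match, so the effect of a scanner that stops at the first level is visible. It also counts Content-Type and boundary delimiter lines the way the generic counter eval Chris describes would. The sample message, the function names and the depth bookkeeping are assumptions of this example.

```python
"""Added example (not SpamAssassin's code): where in a nested MIME tree each of
CT's rules would match, plus the structure counter Chris proposes."""
import email
import re

# Constructed sample mirroring CT's snip: multipart/mixed > multipart/related >
# multipart/alternative (text/plain, text/html) + image/gif named pic.gif.
# The base64 body is a 1x1 transparent GIF.
SAMPLE = """\
From: sender@example.invalid
To: ct@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_01C27DD2.75377C90"

This is a multi-part message in MIME format.

------=_NextPart_000_0012_01C27DD2.75377C90
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_002_0012_01C27DD2.75377C90"

------=_NextPart_002_0012_01C27DD2.75377C90
Content-Type: multipart/alternative; boundary="----=_NextPart_001_0012_01C27DD2.75377C90"

------=_NextPart_001_0012_01C27DD2.75377C90
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

I advise you ge

------=_NextPart_001_0012_01C27DD2.75377C90
Content-Type: text/html
Content-Transfer-Encoding: 8bit

<html><body><a href="http://example.invalid:%37%33%30%31/%69%6E%64%2E%70%68%70"><img src="cid:pic.gif"></a></body></html>

------=_NextPart_001_0012_01C27DD2.75377C90--

------=_NextPart_002_0012_01C27DD2.75377C90
Content-Type: image/gif; name="pic.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pic.gif"
Content-ID: <pic.gif>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7

------=_NextPart_002_0012_01C27DD2.75377C90--

------=_NextPart_000_0012_01C27DD2.75377C90--
"""

# The two regexes from CT's local.cf, transcribed as Python patterns.
PERCENT_OBFU_RE = re.compile(r'%..%..%..', re.I)              # MY_PERCENT_OBFU
IMAGE_NAME_RE = re.compile(r'name=.*\.(pic|gif|jpg)("|$)')    # MY_IMAGE_FILE


def iter_parts(msg, depth=0):
    """Yield (depth, part) for every MIME part, depth-first. Depth 0 is the
    outer message, depth 1 its direct children, and so on."""
    yield depth, msg
    if msg.is_multipart():
        for sub in msg.get_payload():
            yield from iter_parts(sub, depth + 1)


def rule_hits(raw, max_depth=None):
    """Map each rule that fires to the shallowest depth it fires at.
    With max_depth set, parts deeper than that are ignored, which models a
    scanner that only looks at the first level of the MIME tree."""
    msg = email.message_from_string(raw)
    hits = {}
    for depth, part in iter_parts(msg):
        if max_depth is not None and depth > max_depth:
            continue
        # The name= parameter lives in the part's own Content-Type header.
        if IMAGE_NAME_RE.search(part.get('Content-Type', '')):
            hits.setdefault('MY_IMAGE_FILE', depth)
        # The %-encoded URL lives in the raw body of a text part.
        if part.get_content_maintype() == 'text':
            body = part.get_payload(decode=True).decode('latin-1', 'replace')
            if PERCENT_OBFU_RE.search(body):
                hits.setdefault('MY_PERCENT_OBFU', depth)
    # meta MY_META1_TEST ((MY_PERCENT_OBFU + MY_IMAGE_FILE) > 1): both must fire.
    if {'MY_IMAGE_FILE', 'MY_PERCENT_OBFU'} <= hits.keys():
        hits['MY_META1_TEST'] = max(hits['MY_IMAGE_FILE'], hits['MY_PERCENT_OBFU'])
    return hits


def mime_counts(raw):
    """Count the structural lines a generic counter eval could score on:
    Content-Type headers, boundary delimiter lines, and the tree depth."""
    lines = raw.splitlines()
    boundaries = set(re.findall(r'boundary="?([^"\s;]+)"?', raw, re.I))
    delimiters = sum(1 for ln in lines
                     if any(ln.startswith('--' + b) for b in boundaries))
    msg = email.message_from_string(raw)
    return {
        'content_type_lines': sum(1 for ln in lines
                                  if ln.lower().startswith('content-type:')),
        'boundary_lines': delimiters,
        'max_depth': max(d for d, _ in iter_parts(msg)),
    }


def counter_points(counts, key, threshold, points):
    """Chris's proposed rule shape: if `key` shows up at least `threshold`
    times, add `points`; otherwise add nothing."""
    return points if counts[key] >= threshold else 0.0


if __name__ == '__main__':
    print('all levels   :', rule_hits(SAMPLE))
    print('first level  :', rule_hits(SAMPLE, max_depth=1))
    print('structure    :', mime_counts(SAMPLE))
```

Run on the sample, `rule_hits` finds MY_IMAGE_FILE only at depth 2 (the image/gif part's own Content-Type header) and MY_PERCENT_OBFU at depth 3 (the text/html body), so a scanner limited to depth 1 reports nothing and the meta rule never gets a chance to fire. The counter side reports six Content-Type lines and eight boundary delimiter lines for a message whose visible text is two short sentences, which is the kind of ratio Chris's counter eval would score. As a separate note not drawn from the thread: SpamAssassin's `full` rule type matches against the entire raw message including the headers of every MIME part, which is where a `name=` parameter actually lives.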