Chris,
 
Thanks for the input... that makes sense. By the way, your response was caught based on these custom rules, so I guess they're working, but, as you indicated, not against embedded MIME. I've since enabled a whitelist for the mailing list (should have done it a long time ago :)
 
 
So since I caught based on these headers:
(score=4.6, required 6, BAYES_90 3.52, NO_REAL_NAME 1.15)
 
What are the chances a meta rule jacking the score up on this combination would work? Any idea of the false-positive fallout?

Guesses are fine... I'm just interested in input.
 
CT
 
----- Original Message -----
Sent: Wednesday, August 27, 2003 9:00 AM
Subject: RE: [SAtalk] Not sure how...

This has been discussed. The rules will not hit because of the embedded MIME code. They simply ignore anything past the first level. I'm hoping someone will write an eval for this. As far as I know, no version of SA handles this. So we really need a simple eval for it.
 
I'm still a believer that we need a generic counter eval, so that we can simply say: if something shows up this many times, add this many points. In this case it would be the boundary or Content-Type lines.
 
This is why no one has been hitting on the pic.gif rule.
 
--Chris Santerre
-----Original Message-----
From: Chris Trudeau-Personal [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 7:19 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Not sure how...

This is a bit weird.

I have the following rules in my local.cf:

rawbody MY_PERCENT_OBFU /\%..\%..\%../i
describe MY_PERCENT_OBFU Tries to OBFU link with % signs
score MY_PERCENT_OBFU 1.55

rawbody MY_IMAGE_FILE  /.*name=.*\.(pic|gif|jpg)("|$)/
describe MY_IMAGE_FILE Includes an image file either embedded or otherwise
score MY_IMAGE_FILE 1.5

meta MY_META1_TEST      (( MY_PERCENT_OBFU + MY_IMAGE_FILE ) > 1)
describe MY_META1_TEST  combination of two signatures
score   MY_META1_TEST   3.5

Specifically so I can catch these guys that are using the p-i-c dot g-i-f
embedded image with an obfuscated URL... and this got through last night:

<SNIP MESSAGE SOURCE>

X-SpamCheck: not spam, SpamAssassin (score=4.6, required 6,
 BAYES_90 3.52, NO_REAL_NAME 1.15)
X-SpamScore: ssss
Status:

This is a multi-part message in MIME format.

------=_NextPart_000_0012_01C27DD2.75377C90
Content-Type: multipart/related; type="multipart/alternative";
boundary="----=_NextPart_002_0012_01C27DD2.75377C90"


------=_NextPart_002_0012_01C27DD2.75377C90
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0012_01C27DD2.75377C90"

------=_NextPart_001_0012_01C27DD2.75377C90
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

I advise you ge DfY
Ctrudeau

------=_NextPart_001_0012_01C27DD2.75377C90
Content-Type: text/html
Content-Transfer-Encoding: 8bit

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Qx9lRx6v</title></head>

<body bgcolor="#8F81C7" text="#496868">
<p><a
href=""http://[EMAIL PROTECTED]:73%">http://[EMAIL PROTECTED]:%37%33%
30%31/%69%6E%64%2E%70%68%70"><img src="" width="185" height="306"
border="0"></a>
</p>
<p><font color="#8F81C7">No thanks Ctrudeau ThT We've been cut off
LUGHA</font></p>
<p><a
href=""http://[EMAIL PROTECTED]:73">http://[EMAIL PROTECTED]:%37%33
%30%31/%69%6E%64%2E%70%68%70?f2H2VekW"><img src="" width="37"
height="8" border="0"></a></p>
<p><font color="#8F81C3">UBoa What's new? G Ctrudeau without any
TgFhK</font></p>
</body>
</html>

------=_NextPart_001_0012_01C27DD2.75377C90--

------=_NextPart_002_0012_01C27DD2.75377C90
Content-Type: image/gif; name="pic.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pic.gif"
Content-ID: <pic.gif>

</SNIP>

How is it possible I missed this one?  Maybe I'm missing something.

CT
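Added example (not from the thread and not SpamAssassin's own code): a short Python script that walks every MIME level of a message built to mirror the nesting of the one quoted above (multipart/related > multipart/alternative > text/plain + text/html, plus an image/gif part named pic.gif) and applies the two rawbody regexes from the local.cf to each part, once against part bodies only and once against each part's own MIME headers plus its body, with an optional depth cut-off. The sample message, its addresses and its host are constructed placeholders; the depth-limited scan and the scoring of the meta are an emulation of the rule logic, not SpamAssassin's implementation; structure_counts() sketches the "count how many Content-Type or boundary= lines show up" idea from the reply.

```python
"""Walk every MIME level of a message and apply the thread's two rawbody regexes,
recording at what depth and in which component (part body vs. part header) each
one matches.  Added example; not SpamAssassin code."""
import email
import re

# Constructed sample modelled on the quoted message's nesting.  Addresses, host
# and the 1x1 GIF payload are placeholders, not data from the thread.
SAMPLE = b"""\
From: sender@example.invalid
To: ct@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0012"

This is a multi-part message in MIME format.

------=_NextPart_000_0012
Content-Type: multipart/related; type="multipart/alternative";
 boundary="----=_NextPart_002_0012"

------=_NextPart_002_0012
Content-Type: multipart/alternative;
 boundary="----=_NextPart_001_0012"

------=_NextPart_001_0012
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

I advise you ge DfY

------=_NextPart_001_0012
Content-Type: text/html
Content-Transfer-Encoding: 8bit

<html><body>
<p><a href="http://198.51.100.10:%37%33%30%31/%69%6E%64%2E%70%68%70"><img
src="cid:pic.gif" width="185" height="306" border="0"></a></p>
</body></html>

------=_NextPart_001_0012--

------=_NextPart_002_0012
Content-Type: image/gif; name="pic.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pic.gif"
Content-ID: <pic.gif>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7

------=_NextPart_002_0012--

------=_NextPart_000_0012--
"""

# The two rawbody patterns from the local.cf, as Python byte regexes.  The
# leading ".*" of MY_IMAGE_FILE is dropped: it changes nothing for a search.
RULES = {
    "MY_PERCENT_OBFU": re.compile(rb"%..%..%..", re.IGNORECASE),
    "MY_IMAGE_FILE": re.compile(rb'name=.*\.(pic|gif|jpg)("|$)', re.MULTILINE),
}
SCORES = {"MY_PERCENT_OBFU": 1.55, "MY_IMAGE_FILE": 1.5, "MY_META1_TEST": 3.5}


def iter_parts(part, depth=0):
    """Yield (depth, part) for the message and every nested part, containers included."""
    yield depth, part
    if part.is_multipart():
        for sub in part.get_payload():
            yield from iter_parts(sub, depth + 1)


def part_text(part, include_headers):
    """Bytes a rule gets to see for one part: its decoded body, optionally
    prefixed with that part's own MIME headers (where name="pic.gif" lives)."""
    body = b"" if part.is_multipart() else (part.get_payload(decode=True) or b"")
    if not include_headers:
        return body
    hdrs = "".join(f"{k}: {v}\n" for k, v in part.items()).encode("utf-8", "replace")
    return hdrs + body


def scan(raw, max_depth=None, include_headers=False):
    """Return {rule_name: shallowest depth at which it matched}.
    max_depth=1 emulates a scanner that never looks past the first level."""
    hits = {}
    for depth, part in iter_parts(email.message_from_bytes(raw)):
        if max_depth is not None and depth > max_depth:
            continue
        text = part_text(part, include_headers)
        for name, rx in RULES.items():
            if name not in hits and rx.search(text):
                hits[name] = depth
    return hits


def total_score(hits):
    """Emulate the meta: (A + B) > 1 is only true when both rawbody rules fired."""
    fired = set(hits)
    if {"MY_PERCENT_OBFU", "MY_IMAGE_FILE"} <= fired:
        fired.add("MY_META1_TEST")
    return round(sum(SCORES[r] for r in fired), 2)


def structure_counts(raw):
    """The 'generic counter' idea: how often Content-Type and boundary= lines
    occur in the raw message, counted over every level at once."""
    return {
        "content_type": len(re.findall(rb"^Content-Type:", raw, re.M | re.I)),
        "boundary": len(re.findall(rb"boundary=", raw, re.I)),
    }


if __name__ == "__main__":
    for label, kw in [("first level only, headers+bodies", dict(max_depth=1, include_headers=True)),
                      ("all levels, bodies only", {}),
                      ("all levels, headers+bodies", dict(include_headers=True))]:
        h = scan(SAMPLE, **kw)
        print(f"{label:36s} hits={h} score={total_score(h)}")
    print("structure counts:", structure_counts(SAMPLE))
```

In the constructed message the percent-obfuscated URL only exists in the text/html body three containers down, and the only place `name="pic.gif"` appears is in the MIME headers of the image/gif part, so a scan limited to the first level finds nothing, a full-depth scan over bodies alone fires only MY_PERCENT_OBFU (1.55), and only a full-depth scan that also sees each part's headers fires both rules and the meta (6.55). The counter function gives 6 Content-Type lines and 3 boundary= lines for this one message, which is the kind of number the reply proposes turning into points.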
