Stephane Lentz said:
> => Thanks for the info. Two samples of such spam are now available at
> http://milter.free.fr/spam/ (hilton-sample1.txt & hilton-sample2.txt
> files)

Stephane, I glanced at the spamassassin source just now. I may be wrong, but it appears that the URI tests only match on attributes of "background", "href", "src", "action". The URL in the spam was html text and not a link of sorts. You may consider changing your rule to a BODY rule instead of a URI rule.

>
> I did some tests with SA 2.61 : these messages trigger the
> HTML_MIME_NO_HTML_TAG test.

For your reference, here is what my installation (2.61) reported for the first example (ignore the date_in_future):

    1.8 LOCAL_OBFU_ONLY_SX      BODY: Obfuscated 'sex' in body
    1.1 RAZOR2_CF_RANGE_51_100  BODY: Razor2 gives confidence between 51 and 100
                                [cf: 100]
    5.4 BAYES_99                BODY: Bayesian spam probability is 99 to 100%
                                [score: 0.9971]
    0.3 MIME_HTML_ONLY          BODY: Message only has text/html MIME parts
    0.6 MIME_HTML_NO_CHARSET    RAW: Message text in HTML without charset
    1.0 MIME_BASE64_TEXT        RAW: Message text disguised using base64 encoding
    1.0 RAZOR2_CHECK            Listed in Razor2 (http://razor.sf.net/)
    3.5 PYZOR_CHECK             Listed in Pyzor (http://pyzor.sf.net/)
    2.9 DCC_CHECK               Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
    3.3 DATE_IN_FUTURE_12_24    Date: is 12 to 24 hours after Received: date
    0.1 RCVD_IN_SORBS           RBL: SORBS: sender is listed in SORBS
                                [211.148.196.239 listed in dnsbl.sorbs.net]
    1.2 HTML_MIME_NO_HTML_TAG   HTML-only message, but there is no HTML tag

>
>> Also, another way to attack this is to look for "paris hilton". Try the
>> rules generated here:
>> http://sandgnat.com/cmos/cmos.jsp?words=%22paris+hilton%22
>
> => Thanks for the link. I will check it out. I was willing to avoid the
> matching "Paris Hilton" if possible as I live in Paris and some of my
> colleagues may book some rooms in Hilton hotels (one never knows) ....

I'm not quite sure how to interpret your statement about being "willing to avoid the matching ..." so I will explicitly state what the link does. I understand you do not wish to match the unobfuscated paris hilton.

The rules generated by the link above will match *ONLY* obfuscated "paris hilton". It will not match "Paris Hilton" or any case permutations such as "PARIS hilton". It *will* match obfuscated versions such as "PAR1S H1LTON" (and a couple other permutations).

Another possible way to attack this is to look for obfuscated paris or obfuscated hilton only (removing the quotes will generate 4 rules instead of 2). See: http://sandgnat.com/cmos/cmos.jsp?words=paris+hilton .

--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/
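
The "obfuscated only" behaviour described in the message above, sketched as an added example that is not part of the original post and is not the output of the cmos generator. The look-alike table, the function names and the sample messages are assumptions constructed for illustration; the decode-and-strip step only approximates the text a BODY rule is evaluated against.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed look-alike table, constructed for this example (not the cmos generator's).
LOOKALIKES = {"a": "@4", "e": "3", "i": "1!|", "l": "1|", "o": "0", "s": "$5", "t": "7+"}

def obfuscated_only(phrase):
    """Compile a regex that hits look-alike spellings of phrase but never the plain one."""
    words = phrase.lower().split()
    plain = r"\s+".join(re.escape(w) for w in words)
    loose = r"\s+".join(
        "".join("[" + re.escape(c + LOOKALIKES.get(c, "")) + "]" for c in w)
        for w in words)
    # The negative lookahead discards every case permutation of the clean phrase.
    return re.compile(r"(?<!\w)(?!" + plain + r"(?!\w))" + loose + r"(?!\w)", re.I)

def body_text(raw_message):
    """Decode each text part (base64 included) and drop tags before matching."""
    msg = message_from_string(raw_message, policy=policy.default)
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(re.sub(r"<[^>]+>", " ", part.get_content()))
    return " ".join(chunks)

def build_sample(html):
    """Constructed test message: HTML-only and base64-encoded, as flagged in the report."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(html, subtype="html", cte="base64")
    return msg.as_string()

RULE = obfuscated_only("paris hilton")

def is_hit(raw_message):
    """True when the decoded body contains an obfuscated spelling of the phrase."""
    return RULE.search(body_text(raw_message)) is not None

if __name__ == "__main__":
    for html in ("<p>PAR1S H1LTON video</p>", "<p>Rooms at the Paris Hilton</p>"):
        print(html, "->", is_hit(build_sample(html)))
```

Because the phrase is matched as decoded text rather than as a link attribute, the check fires even though the sample contains no `href` or `src` carrying it.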