Hi again, 

On Mon, Dec 29, 2003 at 01:41:17PM -0600, Chris Thielen wrote:
> Stephane Lentz said:
> > => Thanks for the info. Two samples of such spam are now available at
> > http://milter.free.fr/spam/ (hilton-sample1.txt & hilton-sample2.txt
> > files)
> 
> Stephane,
> 
> I glanced at the spamassassin source just now.  I may be wrong, but it
> appears that the URI tests only matches on attributes of "background",
> "href", "src", "action". The URL in the spam was html text and not a link
> of sorts.  You may consider changing your rule to a BODY rule instead of a
> URI rule.

=> The URI rule works in some cases (no splitting of the base64 representation
of the URL).
I think I understand the problem better now after some further tests.
Test messages:
- Content-Transfer-Encoding: base64
- just include the http://special-selections.com URL (base64
encoded) as the body

The problem is really related to base64 decoding & URI matching.

The rule uri LOCAL_HILTON /special-selections\.com/:

- gets triggered if the base64 string (in the body) is on one line:
aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K
- does not match if the base64 string is split across several
lines:
aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5
jb20K

or

aHR0cDovL3NwZWNpYWwtc2VsZWN
0aW9ucy5jb20K

Is it a new spammer trick (base64 body with the URL's base64 representation
split across several lines)?
I guess the work-around is a rawbody rule (right?)
I got no success with a body rule.

> >
> > => Thanks for the link. I will check it out. I was willing to avoid the
> > matching "Paris Hilton" if possible as I live in Paris and some of my
> > colleagues may book some rooms in Hilton hotels (one never knows) ....
> 
> I'm not quite sure how to interpret your statement about being "willing to
> avoid the matching ..." so I will explicitly state what the link does.  I
> understand you do not wish to match the unobfuscated paris hilton.  The
> rules generated by the link above will match *ONLY* obfuscated "paris
> hilton".  It will not match "Paris Hilton" or any case permutations such
> as "PARIS hilton".  It *will* match obfuscated versions such as "PAR1S
> H1LTON" (and a couple other permutations).
> 
> Another possible way to attack this is to look for obfuscated paris or
> obfuscated hilton only (removing the quotes will generate 4 rules instead
> of 2).  See: http://sandgnat.com/cmos/cmos.jsp?words=paris+hilton .
> 
> --
=> Thanks for the clarifications. 

regards, 

SL/
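The following script is an added illustration of the splitting problem described in the message above; it is not part of the original post and it is not SpamAssassin's code. It takes the three base64 strings quoted in the message (all three encode "http://special-selections.com" followed by a newline) and runs the LOCAL_HILTON regex over them through two decoders. The "per line" decoder is a hypothetical model of a matcher that treats each physical line as its own base64 chunk; it is offered as one mechanism consistent with the reported symptom, not as a verified description of what SpamAssassin did. The "joined" decoder strips line breaks before decoding, as RFC 2045 requires of MIME decoders. The sample bodies are constructed here.

```python
import base64
import re

# Constructed samples built from the base64 strings quoted in the message:
# all three are the same encoding of "http://special-selections.com\n",
# once on a single line and twice wrapped at an arbitrary position.
SAMPLE_ONE_LINE = "aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K\n"
SAMPLE_SPLIT_A = "aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5\njb20K\n"
SAMPLE_SPLIT_B = "aHR0cDovL3NwZWNpYWwtc2VsZWN\n0aW9ucy5jb20K\n"

# The regex from the LOCAL_HILTON uri rule in the message.
URI_RULE = re.compile(r"special-selections\.com")


def decode_per_line(body: str) -> bytes:
    """Decode every physical line as an independent base64 chunk.

    Hypothetical fragile model (not SpamAssassin's code): base64 packs
    3 bytes into 4 characters, so a line break that falls inside such a
    4-character group leaves a partial group at the end of one line and
    shifts the alignment of the next one. Only whole groups are decoded
    here; the leftover characters are dropped, which is where the URL
    falls apart.
    """
    out = []
    for line in body.split("\n"):
        line = "".join(line.split())          # strip any stray whitespace
        usable = len(line) - len(line) % 4    # whole 4-char groups only
        if usable:
            out.append(base64.b64decode(line[:usable]))
    return b"".join(out)


def decode_joined(body: str) -> bytes:
    """Discard all line breaks, then decode the whole body once.

    This is what a MIME-aware decoder must do: RFC 2045 limits base64
    lines to 76 characters and tells decoders to ignore line breaks, so
    the line structure says nothing about where the encoded bytes start
    or end.
    """
    return base64.b64decode("".join(body.split()))


def uri_rule_hits(body: str, decoder) -> bool:
    """Run the LOCAL_HILTON regex over the body as seen through `decoder`."""
    text = decoder(body).decode("latin-1")   # latin-1 never fails on garbage
    return URI_RULE.search(text) is not None


if __name__ == "__main__":
    for name, sample in (("one line", SAMPLE_ONE_LINE),
                         ("split A", SAMPLE_SPLIT_A),
                         ("split B", SAMPLE_SPLIT_B)):
        print(f"{name:8s} per-line: {uri_rule_hits(sample, decode_per_line)!s:5s} "
              f"joined: {uri_rule_hits(sample, decode_joined)}")
```

Run as-is, the per-line decoder finds the domain only in the single-line sample (the two wrapped samples decode to "http://special-selection" or "http://special-sel" followed by garbage), while the joined decoder recovers the full URL from all three. Whatever the real cause on the SpamAssassin side, the direction of the fix is the same: any check that looks at the encoded body line by line can be defeated by a wrap placed inside the URL, and a check that removes line breaks before decoding cannot.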


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
