I offer this in UNTESTED form. Testing overnight ;) Your email viewer will wrap these lines. Should be 3 lines:

rawbody hilton_b64 /(?:aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(?:khl|jxr)|aGV5DQoNCkNvbWUgY2hlY2sgb3V0)/
describe hilton_b64 Base 64 encoded paris hilton spam
score hilton_b64 .01

> -----Original Message-----
> From: Stephane Lentz [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 5:14 PM
> To: Chris Thielen
> Cc: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Rule to block Paris Hilton spam
>
> Hi again,
>
> On Mon, Dec 29, 2003 at 01:41:17PM -0600, Chris Thielen wrote:
> > Stephane Lentz said:
> > > => Thanks for the info. Two samples of such spam are now available at
> > > http://milter.free.fr/spam/ (hilton-sample1.txt & hilton-sample2.txt
> > > files)
> >
> > Stephane,
> >
> > I glanced at the spamassassin source just now. I may be wrong, but it
> > appears that the URI tests only match on attributes of "background",
> > "href", "src", "action". The URL in the spam was html text and not a
> > link of sorts. You may consider changing your rule to a BODY rule
> > instead of a URI rule.
>
> => The URI rule works in some cases (no splitting of base64 representation
> of the URL).
> I think I understand the problem better now after some further tests.
> Test messages:
> - Content-Transfer-Encoding: base64
> - just include http://special-selections.com URL (base64 encoded) as body
>
> The problem is really related to base64 decoding & URI matching.
>
> The rule uri LOCAL_HILTON /special-selections\.com/ :
>
> - gets triggered if the base64 string (in the body) is in one line:
>   aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K
> - does not match if the base64 string is split across several lines
>   aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5
>   jb20K
>
>   or
>
>   aHR0cDovL3NwZWNpYWwtc2VsZWN
>   0aW9ucy5jb20K
>
> Is it a new spammer trick (base64 body with URL base64 representation
> split across several lines) ?
> I guess the work-around is a rawbody rule (right ?)
> I got no success with a body rule.
>
> > > => Thanks for the link. I will check it out. I was willing to avoid the
> > > matching "Paris Hilton" if possible as I live in Paris and some of my
> > > colleagues may book some rooms in Hilton hotels (one never knows) ....
> >
> > I'm not quite sure how to interpret your statement about being "willing
> > to avoid the matching ..." so I will explicitly state what the link
> > does. I understand you do not wish to match the unobfuscated paris
> > hilton. The rules generated by the link above will match *ONLY*
> > obfuscated "paris hilton". It will not match "Paris Hilton" or any case
> > permutations such as "PARIS hilton". It *will* match obfuscated versions
> > such as "PAR1S H1LTON" (and a couple other permutations).
> >
> > Another possible way to attack this is to look for obfuscated paris or
> > obfuscated hilton only (removing the quotes will generate 4 rules
> > instead of 2). See: http://sandgnat.com/cmos/cmos.jsp?words=paris+hilton .
> >
> > --
> => Thanks for the clarifications.
>
> regards,
>
> SL/
>
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
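
The wrap sensitivity described in the quoted message, as an added illustration that is not part of the original thread and is not SpamAssassin code: a pattern built from the base64 form of a string only matches while that form stays on one line, whereas joining the lines and decoding first is independent of wrapping. The function names are hypothetical; the three sample bodies are the ones quoted in the message.

```python
import base64

def b64_fragments(needle):
    """Base64 text that needle always produces, one fragment per byte
    alignment (needle starting at offset 0, 1 or 2 of a 3-byte group)."""
    frags = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + needle).decode()
        start = (pad * 8 + 5) // 6          # skip chars shared with preceding bytes
        end = (pad + len(needle)) * 8 // 6  # stop before chars shared with following bytes
        if end > start:
            frags.append(enc[start:end])
    return frags

def raw_match(body, needle):
    """Per-line search of the still-encoded body: fails once a fragment is wrapped."""
    frags = b64_fragments(needle)
    return any(f in line for line in body.splitlines() for f in frags)

def decoded_match(body, needle):
    """Join the wrapped lines, decode once, then search the plaintext."""
    return needle in base64.b64decode("".join(body.split()))

NEEDLE = b"special-selections.com"
# The three encodings quoted in the message above.
ONE_LINE = "aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K\n"
SPLIT_A = "aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5\njb20K\n"
SPLIT_B = "aHR0cDovL3NwZWNpYWwtc2VsZWN\n0aW9ucy5jb20K\n"

if __name__ == "__main__":
    for name, body in (("one line", ONE_LINE), ("split A", SPLIT_A), ("split B", SPLIT_B)):
        print(name, "raw:", raw_match(body, NEEDLE), "decoded:", decoded_match(body, NEEDLE))
```

The three fragments play the same role as the alternation in the rule at the top of this message: one encoded form per possible byte alignment of the plaintext.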