> -----Original Message-----
> From: Brian Godette [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, January 13, 2004 2:16 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] New HTML spam body obfuscation.
> 
> 
> This is a new one to me, seems the spammers are starting to learn javascript
> now. I suppose a rule for detecting document.write() usage could be used as a
> spam-sign.
> 
> --- spam body ---
> <script language="JavaScript">
> registry = new Array(182,
> 179,76,60,26,233,201,167,222,59,117,
> 232,106,241,81,111,6,134,45,149,103,
> 231,156,105,230,19,77,124,175,202,229,
> 163,215,249,10,52,208,197,65,254,42,
> 113,176,234,225,193,200,32,244,191,149,

i've seen this one as well... with
179[:comma:][:space:]76[:space:][:comma:] variations.

how about this.... 8 (enough?) consecutive 1 to 3 digit numbers separated
by any number of commas or spaces.... (because if they use anything
else, their javascript will break).

how about an eval, just so you don't false positive.  document.write is
pretty standard.

body JAVASCRIPT_ENCODING_1 /\b(?:\d{1,3}[\s\,]+){8}/
describe JAVASCRIPT_ENCODING_1 Contains comma separated ascii representations
score JAVASCRIPT_ENCODING_1 0.1  # you can score this by itself if you want.

body JAVASCRIPT_ENCODING_2 /document\.write/i
describe JAVASCRIPT_ENCODING_2 contains document.write
score JAVASCRIPT_ENCODING_2 0.1

meta JAVASCRIPT_ENCODING (JAVASCRIPT_ENCODING_1 && JAVASCRIPT_ENCODING_2)
describe JAVASCRIPT_ENCODING Uses Javascript ascii encoding to hide text
score JAVASCRIPT_ENCODING 2.0

[EMAIL PROTECTED] masses]# perl myregextest.pl
Found 179,76,60,26,233,201,167,222, -- continue at position 93
Found 232,106,241,81,111,6,134,45, -- continue at position 131
Found 231,156,105,230,19,77,124,175, -- continue at position 172
Found 163,215,249,10,52,208,197,65, -- continue at position 212
Found 113,176,234,225,193,200,32,244, -- continue at position 253
Found 227,87,156,1,175,190,126,168, -- continue at position 293
Found 239,214,154,101,212,187,84,119, -- continue at position 334
Found 31,203,80,155,26,192,236,115, -- continue at position 374
Found 148,105,199,160,238,216,180,51, -- continue at position 415
Found 134,247,238,198,42,66,103,238, -- continue at position 454
Found 196,16,81,196,94,174,53,2, -- continue at position 491
Found 84,180, 33,133,59,243,196,44, -- continue at position 520
Found 226,144,196,144,171,159,70,92, -- continue at position 567
Found 84,173,35,63,249,238,224,146, -- continue at position 607
Found 255,165,220,164,20,133,106,180, -- continue at position 648
Found 185,150,75,237,204,215,56,212, -- continue at position 688
Found 115,229,164,9,205,19,158,6, -- continue at position 725
Found 110,64,158,194,122,196,165,243, -- continue at position 767
Found 62,70,65,170,251,170,184,84, -- continue at position 806
Found 156,228,145,131,83,88,219,75, -- continue at position 844
Found 71,82,159,60,145,60,232,219, -- continue at position 882
Found 6,1,119,170,205,229,182,129, -- continue at position 921
Found 50,217,218,11,178,35,53,246, -- continue at position 959
Found 198,221,49,255,148,193,165,91, -- continue at position 1000
Found 204,203,115,242,223,93,254,129, -- continue at position 1042
Found 210,191,95,73,254,224,80,150, -- continue at position 1081
Found 75,208,199,89,119,191,151,39, -- continue at position 1119
Found 187,155,173,108,46,42,229,177, -- continue at position 1160
Found 138, 251,24,113,86,215,196,173, -- continue at position 1241
Found 169,46,207,92,101,58,235,72, -- continue at position 1283
Found 199,244,29,146,99,96,25,222, -- continue at position 1320
Found 213,234,219,120,81,182,183,36, -- continue at position 1361
Found 83,144,137,142,175,188,69,154, -- continue at position 1401
Found 193,102,167,84,253,242,67,192, -- continue at position 1442
Found 159,236,181,74,187,216,49,22, -- continue at position 1481
Found 109,162,51,240,105,238,143,28, -- continue at position 1522
Found 171,8,161,198,135,180,221,82, -- continue at position 1561

i didn't run against my corpus, just use at your own risk :)



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
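
Added example (not part of the original message, and not SpamAssassin code): a Python re-implementation of the two sub-rules and the meta rule from the reply above, run over constructed sample bodies to show which combinations fire and where each sub-rule alone would false-positive. The patterns and the 0.1 / 0.1 / 2.0 scores are the ones in the post; the sample bodies, the decode() name inside them and the helper names are assumptions.

```python
import re

# The two sub-rule patterns from the post, unchanged.
RULES = {
    "JAVASCRIPT_ENCODING_1": re.compile(r"\b(?:\d{1,3}[\s,]+){8}"),
    "JAVASCRIPT_ENCODING_2": re.compile(r"document\.write", re.I),
}
SCORES = {"JAVASCRIPT_ENCODING_1": 0.1, "JAVASCRIPT_ENCODING_2": 0.1,
          "JAVASCRIPT_ENCODING": 2.0}


def rules_hit(body):
    """Return the set of rule names that fire on one message body."""
    hits = {name for name, rx in RULES.items() if rx.search(body)}
    if len(hits) == len(RULES):  # meta rule: both sub-rules matched
        hits.add("JAVASCRIPT_ENCODING")
    return hits


def total_score(body):
    """Sum the scores of every rule that fired, rounded to one decimal."""
    return round(sum(SCORES[name] for name in rules_hit(body)), 1)


# Constructed sample bodies (not taken from any real corpus).
SAMPLES = {
    # Number array plus document.write: both sub-rules and the meta rule.
    "encoded": '<script language="JavaScript">registry = new Array(182,\n'
               "179,76,60,26,233,201,167,222,59,117);\n"
               "document.write(decode(registry));</script>",
    # The mixed comma/space spacing mentioned in the reply.
    "spaced": "<script>r = new Array(179, 76 ,60 , 26,233 ,201, 167,222 ,59);\n"
              "document.write(r);</script>",
    # Ordinary document.write with no number run: sub-rule 2 only.
    "write_only": "<script>document.write(new Date().getFullYear());</script>",
    # Plain-text number list with no script: sub-rule 1 only.
    "numbers_only": "Readings: 12, 45, 7, 88, 101, 3, 64, 250, 9 (mm)",
    # Fewer than 8 separated numbers: below the {8} threshold.
    "seven_numbers": "document.write(1, 2, 3, 4, 5, 6, 7)",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:14} {total_score(body):4}  {sorted(rules_hit(body))}")
```
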
