Why even allow javascript embedded emails?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Dallas L. Engelken
Sent: Tuesday, January 13, 2004 4:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [SAtalk] New HTML spam body obfuscation.

> -----Original Message-----
> From: Brian Godette [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 13, 2004 2:16 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] New HTML spam body obfuscation.
> 
> 
> This is a new one to me, seems the spammers are starting to learn 
> javascript now. I suppose a rule for detecting document.write() usage 
> could be used as a spam-sign.
> 
> --- spam body ---
> <script language="JavaScript">
> registry = new Array(182,
> 179,76,60,26,233,201,167,222,59,117,
> 232,106,241,81,111,6,134,45,149,103,
> 231,156,105,230,19,77,124,175,202,229,
> 163,215,249,10,52,208,197,65,254,42,
> 113,176,234,225,193,200,32,244,191,149,

i've seen this one as well... with
179[:comma:][:space:]76[:space:][:comma:] variations.

how about this.... 8(enough?) consecutive 1 to 3 digit numbers separated
by any number of commas or spaces.... (because if they use anything
else, their javascript will break).

how about an eval, just so you don't false positive.  document.write is
pretty standard.

body JAVASCRIPT_ENCODING_1 /\b(?:\d{1,3}[\s\,]+){8}/
describe JAVASCRIPT_ENCODING_1 Contains comma separated ascii representations
# you can score this by itself if you want.
score JAVASCRIPT_ENCODING_1 0.1

body JAVASCRIPT_ENCODING_2 /document\.write/i
describe JAVASCRIPT_ENCODING_2 contains document.write
score JAVASCRIPT_ENCODING_2 0.1

meta JAVASCRIPT_ENCODING (JAVASCRIPT_ENCODING_1 && JAVASCRIPT_ENCODING_2)
describe JAVASCRIPT_ENCODING Uses Javascript ascii encoding to hide text
score JAVASCRIPT_ENCODING 2.0

[EMAIL PROTECTED] masses]# perl myregextest.pl
Found 179,76,60,26,233,201,167,222, -- continue at position 93
Found 232,106,241,81,111,6,134,45, -- continue at position 131
Found 231,156,105,230,19,77,124,175, -- continue at position 172
Found 163,215,249,10,52,208,197,65, -- continue at position 212
Found 113,176,234,225,193,200,32,244, -- continue at position 253
Found 227,87,156,1,175,190,126,168, -- continue at position 293
Found 239,214,154,101,212,187,84,119, -- continue at position 334
Found 31,203,80,155,26,192,236,115, -- continue at position 374
Found 148,105,199,160,238,216,180,51, -- continue at position 415
Found 134,247,238,198,42,66,103,238, -- continue at position 454
Found 196,16,81,196,94,174,53,2, -- continue at position 491
Found 84,180, 33,133,59,243,196,44, -- continue at position 520
Found 226,144,196,144,171,159,70,92, -- continue at position 567
Found 84,173,35,63,249,238,224,146, -- continue at position 607
Found 255,165,220,164,20,133,106,180, -- continue at position 648
Found 185,150,75,237,204,215,56,212, -- continue at position 688
Found 115,229,164,9,205,19,158,6, -- continue at position 725
Found 110,64,158,194,122,196,165,243, -- continue at position 767
Found 62,70,65,170,251,170,184,84, -- continue at position 806
Found 156,228,145,131,83,88,219,75, -- continue at position 844
Found 71,82,159,60,145,60,232,219, -- continue at position 882
Found 6,1,119,170,205,229,182,129, -- continue at position 921
Found 50,217,218,11,178,35,53,246, -- continue at position 959
Found 198,221,49,255,148,193,165,91, -- continue at position 1000
Found 204,203,115,242,223,93,254,129, -- continue at position 1042
Found 210,191,95,73,254,224,80,150, -- continue at position 1081
Found 75,208,199,89,119,191,151,39, -- continue at position 1119
Found 187,155,173,108,46,42,229,177, -- continue at position 1160
Found 138, 251,24,113,86,215,196,173, -- continue at position 1241
Found 169,46,207,92,101,58,235,72, -- continue at position 1283
Found 199,244,29,146,99,96,25,222, -- continue at position 1320
Found 213,234,219,120,81,182,183,36, -- continue at position 1361
Found 83,144,137,142,175,188,69,154, -- continue at position 1401
Found 193,102,167,84,253,242,67,192, -- continue at position 1442
Found 159,236,181,74,187,216,49,22, -- continue at position 1481
Found 109,162,51,240,105,238,143,28, -- continue at position 1522
Found 171,8,161,198,135,180,221,82, -- continue at position 1561

i didn't run against my corpus, just use at your own risk :)



-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
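
A stand-alone Perl check of the two sub-rules and the meta rule proposed in this thread, added here as an example (it is not code from either poster, and myregextest.pl itself is not shown in the thread). The sample bodies and the decode() name are constructed, and the script applies the regexes to plain strings without modelling how SpamAssassin renders a message body.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Sub-rule patterns exactly as posted in the thread.
my $NUM_RUN   = qr/\b(?:\d{1,3}[\s\,]+){8}/;   # JAVASCRIPT_ENCODING_1
my $DOC_WRITE = qr/document\.write/i;           # JAVASCRIPT_ENCODING_2

# Constructed sample bodies (not real mail); decode() is a made-up name.
my @samples = (
    [ 'script, tight commas' =>
      "<script>registry = new Array(182,\n179,76,60,26,233,201,167,222,59);\n"
      . "document.write(decode(registry));</script>" ],
    [ 'script, spaced commas' =>
      "<script>r = new Array(179 , 76 ,60, 26 , 233 ,201, 167 , 222 , 59);\n"
      . "document.write(decode(r));</script>" ],
    [ 'number list, no script' =>
      "Bin numbers: 101, 102, 103, 104, 105, 106, 107, 108, 109" ],
    [ 'script, no number run' =>
      '<script>document.write("hello");</script>' ],
);

# Evaluate both sub-rules and the meta rule against one body string.
sub evaluate {
    my ($body) = @_;
    my @runs;
    while ($body =~ /($NUM_RUN)/g) {
        (my $shown = $1) =~ s/\s+/ /g;   # flatten newlines for display
        push @runs, 'Found ' . $shown . ' -- continue at position ' . pos($body);
    }
    my $e1 = @runs ? 1 : 0;
    my $e2 = ($body =~ $DOC_WRITE) ? 1 : 0;
    return { e1 => $e1, e2 => $e2, meta => ($e1 && $e2) ? 1 : 0, runs => \@runs };
}

# Report per-sample hits, plus each numeric run the first pattern consumed.
for my $s (@samples) {
    my ($name, $body) = @$s;
    my $r = evaluate($body);
    printf "%-24s ENCODING_1=%d ENCODING_2=%d meta=%d\n",
        $name, $r->{e1}, $r->{e2}, $r->{meta};
    print "    $_\n" for @{ $r->{runs} };
}
```

The "number list, no script" sample hits JAVASCRIPT_ENCODING_1 on its own but not the meta rule, which is the false-positive case the 0.1 sub-rule scores and the 2.0 meta score are arranged around.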



