David B Funk writes:
>On Mon, 12 Jan 2004, Larry Starr wrote:
>
>> Just noticed a message with an encoded URL that misses the "BIZ_TLD" rule,
>> etc.
>>
>> The message body contains:
>> <a href=3d"http://gf=2eclearmath=2ebiz/jsimp/index=2ehtml";><font
>> face=3d"arial">scored </font>this way=2e
>>   <br><img src=3d"http://K=2eclearmath=2ebiz/images/js02=2ejpg"; border=3d=
>> "0">
>> </a>
>>
>> I know this wraps a bit ugly when pasted into my mailer, but as you can see,
>> the punctuation in the URI is all hex encoded: "=2e" instead of ".".
>>
>> I have a local rule, in the form of bigevil.cf, with the following
>> sub-expression, that catches the above, but there has got to be a simpler way
>> to do this.
>>
>> uri MyEvilList_001     /\b(?:=2e){0,1}clearmath(?:\.|=2e)biz\b/i
>>
>> Does anyone know of a ruleset that handles this sort of thing, perhaps code
>> that decodes the "=xx" expressions prior to the "URI" matches?
>
>Actually that is a bastardized "quoted-printable" (QP) encoding of a URL.
>In QP the character sequence '=2E' is an encoded period, that spam-tool
>is generating '=2e' intending it to be interpreted as a period.
>
>SA is supposed to decode QP before running the various 'body' and 'uri'
>rules but there's a limitation in its decoding engine. If the QP
>encoding uses lower-case hex digits instead of CAPS hex digits, it
>does not recognize them as QP and fails to decode them.
>
>Strictly speaking RFC-2045 demands the usage of CAPS hex digits in
>QP (see section 6.7) and the lowercase stuff should be considered
>illegal.
>However many popular mail clients will decode the bastardized
>lowercase version and display the message to the user as the
>spammer intends (section 6.7, note (1) permits this).
>
>I can see two different ways to handle this, either make SA more
>flexible and decode the bastardized QP so normal rules will hit
>or write a rule that hits such bastardized QP coding as a spam-tool
>signature.

Are you sure about this?  If it's the case, we do need to
decode it, and it would be great to have it reported as a bug.

--j.
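
The two options David describes, as an added Python example that is not part of the original thread and is not SpamAssassin's code: a quoted-printable decoder that also accepts lowercase hex, and a check that reports lowercase escapes as a possible spam-tool signature. The function names are assumptions, and the strict decoder only models the behaviour reported above.

```python
import re

# Sample copied from the message quoted above, soft line break included.
SAMPLE = (
    '<a href=3d"http://gf=2eclearmath=2ebiz/jsimp/index=2ehtml";><font\n'
    'face=3d"arial">scored </font>this way=2e\n'
    '  <br><img src=3d"http://K=2eclearmath=2ebiz/images/js02=2ejpg"; border=3d=\n'
    '"0">\n</a>\n'
)

SOFT_BREAK = re.compile(r"=[ \t]*\r?\n")        # "=" at end of line joins lines
STRICT_HEX = re.compile(r"=([0-9A-F]{2})")      # RFC 2045 6.7: uppercase hex only
LENIENT_HEX = re.compile(r"=([0-9A-Fa-f]{2})")  # 6.7 note (1): lowercase tolerated
URI_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def decode_qp(text, lenient):
    """Decode QP escapes; lenient=True also accepts lowercase hex digits.

    Simplification: each escape is mapped to one character, which is
    sufficient for the ASCII punctuation discussed in this thread.
    """
    text = SOFT_BREAK.sub("", text)
    pattern = LENIENT_HEX if lenient else STRICT_HEX
    return pattern.sub(lambda m: chr(int(m.group(1), 16)), text)


def lowercase_escapes(text):
    """Return escapes written with lowercase hex (candidate tool signature)."""
    return [m.group(0) for m in LENIENT_HEX.finditer(text)
            if m.group(1) != m.group(1).upper()]


def uri_hosts(decoded):
    """Extract lowercased host names from http(s) URIs in decoded text."""
    return [h.lower() for h in URI_HOST.findall(decoded)]


if __name__ == "__main__":
    print("strict hosts: ", uri_hosts(decode_qp(SAMPLE, lenient=False)))
    print("lenient hosts:", uri_hosts(decode_qp(SAMPLE, lenient=True)))
    print("lowercase escapes:", sorted(set(lowercase_escapes(SAMPLE))))
```

With the strict decoder the host is cut off at the first undecoded "=2e", so a rule keyed on the ".biz" suffix has nothing to match; the lenient decoder recovers the full host names.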

Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk