On Wed, 13 Dec 2017, Alex wrote:
> We've been seeing a number of emails with subjects using UTF-8 in an
> attempt to obscure the sender by using some form of 8-bit characters.
> For example, this spells dropbox:
> From: "=?utf-8?B?xJByb3Bib8+X?=" <abrinar.gue...@ecacolleges.com>
> How would we write a header rule against that? Just use From:raw?
> Is it possible to write a rule using the decoded characters, like
> "dróp-bóx" or "Dṙopḇoẋ"?
> I've also tried variations of "dropbox" such as "dr?pb?x" etc...
There are already obfuscated-text rules, and the subject is incorporated
in the body text so they would scan that.
Take a look at the existing FUZZY_* rules.
Possibly (untested):
body FUZZY_DROPBOX /<D>(?!ropbox)<R><O><P><B><O><X>/i
replace_rules FUZZY_DROPBOX
describe FUZZY_DROPBOX Obfuscated "dropbox"
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Activist: Someone who gets involved.
Unregistered Lobbyist: Someone who gets involved
with something the MSM doesn't approve of. -- WizardPC
-----------------------------------------------------------------------
Tomorrow: Bill of Rights day
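As an added illustration (not part of this thread and not SpamAssassin's own code), the Python below decodes the RFC 2047 From: header Alex quoted and runs two checks over the decoded text: the <D>(?!ropbox)<R><O><P><B><O><X> pattern from John's reply, with each <TAG> expanded into a character class of look-alikes the way replace_rules does, and a plain accent-stripping fold (NFKD, drop combining marks, drop separators). The tag classes are constructed for this example and are not the definitions SpamAssassin ships; the sample senders other than the one from the thread are made up. Running it shows why the two approaches complement each other: the fold turns "dróp-bóx" and "Dṙopḇoẋ" back into "dropbox", but the thread's header decodes to "Đropboϗ" (U+0110 and U+03D7 standing in for d and x), and neither of those letters has a Unicode decomposition, so only the look-alike classes catch it; conversely the fuzzy pattern, as written, allows no separator, so it misses "dróp-bóx".

```python
import re
import unicodedata
from email.header import decode_header

# Illustrative stand-in for SpamAssassin replace_tags: each <TAG> expands to a
# character class of look-alikes. These sets are constructed for this example
# and are NOT the definitions shipped with SpamAssassin's replace rules.
REPLACE_TAGS = {
    "D": "[dĎďĐđḊḋḎḏ]",
    "R": "[rŔŕŖŗŘřṘṙ]",
    "O": "[o0ÓóÒòÔôÖöÕõØøŌōŎŏŐőȮȯ]",
    "P": "[pṔṕṖṗ]",
    "B": "[bḂḃḄḅḆḇ]",
    "X": "[xẊẋẌẍ×ϗ]",
}

def expand_tags(pattern: str) -> str:
    """Expand <TAG> placeholders into character classes, as replace_rules does."""
    return re.sub(r"<([A-Z])>", lambda m: REPLACE_TAGS[m.group(1)], pattern)

# The pattern from the thread. The lookahead leaves the literal word to the
# ordinary rules and keeps only look-alike spellings for this one.
FUZZY_DROPBOX = re.compile(expand_tags(r"<D>(?!ropbox)<R><O><P><B><O><X>"),
                           re.IGNORECASE)

def decode_rfc2047(raw: str) -> str:
    """Decode the =?charset?B?...?= encoded words of a header value into text."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):          # bytes whenever encoded words are present
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)

def fold(text: str) -> str:
    """Strip accents (NFKD, then drop combining marks) and separators, lowercase.
    Letters with no decomposition, such as Đ (U+0110) or ϗ (U+03D7), survive."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[\s._-]+", "", stripped).lower()

def analyze_from(raw_from: str) -> dict:
    """Run both checks over one From: header value and report what each saw."""
    decoded = decode_rfc2047(raw_from)
    return {
        "decoded": decoded,
        "fuzzy_hit": FUZZY_DROPBOX.search(decoded) is not None,
        "reads_as_dropbox": "dropbox" in fold(decoded),
    }

# The header from the thread, plus constructed variants for Alex's other examples.
SAMPLES = {
    "thread":  '"=?utf-8?B?xJByb3Bib8+X?=" <abrinar.gue...@ecacolleges.com>',
    "dotted":  "Dṙopḇoẋ <sender@example.invalid>",     # constructed
    "hyphen":  "dróp-bóx <sender@example.invalid>",    # constructed
    "literal": "Dropbox <no-reply@example.invalid>",   # constructed
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        r = analyze_from(value)
        print(f"{name:8} {r['decoded']!r:50} fuzzy={r['fuzzy_hit']} "
              f"folded={r['reads_as_dropbox']}")
```

The "literal" sample hits neither the fuzzy pattern (the lookahead excludes it on purpose) nor anything the existing plain-text rules would not already cover; the fold result for it is simply "dropbox", which is the expected answer for a genuine display name.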