On 9/14/23 17:01, Pedro David Marco wrote:
The same happens with other HTML tags...<img src= can be replaced with <img xyz/src= virtually any char but >
do you have a spample to share (public or privately) ? Thanks Giovanni
so, with Giovanni permission, i tighten the nut 1 more turn (limiting to 100 chars to prevent Regex Self-DOS) rawbody BADHREF /<(a|img|video)[^>]{0,100}\/(src|href)\=/ Pete. On Thursday, September 14, 2023 at 04:37:15 PM GMT+2, <giova...@paclan.it> wrote: On 9/14/23 16:24, Bill Cole wrote: > On 2023-09-14 at 04:37:03 UTC-0400 (Thu, 14 Sep 2023 17:37:03 +0900) > Joe Wein via users <joew...@surbl.org <mailto:joew...@surbl.org>> > is rumored to have said: > >> I filed a bug for this issue on Bugzilla (#8186) but so far no response from developers. >> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8186 <https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8186> > > FWIW, I've thought about it a bit... > >> We're seeing literally millions of phishing spams from Tencent VMs in Singapore targeting mostly Amazon Japan that are getting around SA checks because of this issue. > > Wow. I didn't expect that this was that big of a tactic. > >> I am wondering how many other users are seeing this problem which allows spammers to circumvent URI checks in links in spam (i.e. hide the payload sites). > > I don't see it, but the systems I manage have no reason to expect anything but criminal-grade spam from anything on a Tencent network in Singapore. Everyone gets their own bespoke spamstream I guess. > >> They do it by prefixing the href= attribute in an HTML <a href="..."> tag with letters and a slash, for example: >> >> <a h/href="https://some.phishing.site:>https://amazon.co.jp <https://amazon.co.jp></a> >> >> Both Chrome and mail clients like Mozilla Thunderbird discard that "h/" prefix (perhaps treating it as a separate unrecognizable attribute, like "<a h href="...") and display a clickable link to the payload site while SpamAssassin will not see the URI and therefore not it through any of the rules for URIs. >> >> This means even if the bad site is listed on domain RBLs (SURBL, Spamhaus or URIBL), the mail is not tagged for that. >> >> Joe Wein >> SURBL > > I'm thinking that the best approach may not be in trying to parse the bogus tag to glean a domain that may or may not be known to be bad, but rather to detect the general pattern, which is itself a direct indicator of bad intent. > rawbody BADHREF /\s+.\/href\=/ should be a start to write a rule to catch those spam messages. Giovanni
OpenPGP_signature
Description: OpenPGP digital signature