On 19 Sep 2010, John Hardin wrote:

>> Adding to my sandbox for masscheck:
>>
>> rawbody HTML_OBFU_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i
>
> It performs pretty well. It should be in the next rules update, under a
> slightly different name (OBFU_JVSCR_ESC).
Shiny! How about combining/meta-ing that with a simple Base64 HTML rule? I vaguely recall you may already have one (Base64 rule, not (yet) a meta).

Based on my ham data, that pairing seems extraordinarily rare. I just checked all 2010 data for my most diverse domain (three generations of an extended family, with a superb mix of business plus personal ham), and found only 58 (out of 66,795) hams with Base64 HTML. Of those, ZERO hit any of my anti-script tests; however, 49 of them did have an existing non-trivial pass rule that skips some of those anti-script tests (in other words, those were already well known (to us) for their poor mailing hygiene).

I just dumped the Content-Type summary lines for all 58, and if you're interested, John, I can email them as a zip. Just eyeballing them, there appear to be some interesting differences in the filename distribution vs. this spam campaign.

I checked a similar quantity of data for a pure business domain, and found ZERO occurrences of Base64 HTML.

As is often the case, choosing tests and scores depends on one's ham ecology.

> Today: Talk Like a Pirate day

... and Today: Talk Like a Browncoat Day, i.e. the 8th anniversary of the TV broadcast debut of Firefly. :)

Keep flyin',
- "Chip"
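The pairing Chip proposes (the quoted rawbody rule ANDed with a "the HTML part arrived base64-encoded" check) can be tried out without a SpamAssassin install. The script below is an added illustration, not SpamAssassin code and not a rule from either poster: it reproduces the quoted regex in Python, decodes text/html parts the way I understand SpamAssassin's rawbody does (transfer-decoded, HTML not rendered), flags parts whose Content-Transfer-Encoding is base64 with a hypothetical name BASE64_HTML, and combines the two like a meta rule (hypothetical name META_BASE64_OBFU). The three messages are constructed here for the example; real masscheck results are what decide scores.

```python
"""Emulate the quoted OBFU_JVSCR_ESC rule and a meta with a Base64-HTML check.

Added example; not SpamAssassin code. Rule names other than OBFU_JVSCR_ESC are
hypothetical placeholders, and the messages are constructed for this script.
"""
import base64
import re
from email import message_from_string
from email.message import Message
from typing import Dict, Iterator, Tuple

# Regex from the quoted rule, with the same case-insensitive flag.
OBFU_JVSCR_ESC = re.compile(r'document\.write\(unescape\("(?:%[0-9a-f]{2}){10}', re.I)


def html_parts(msg: Message) -> Iterator[Tuple[bool, str]]:
    """Yield (was_base64, decoded_text) for every text/html part.

    Assumption: rawbody sees the transfer-decoded but un-rendered HTML, so the
    regex is applied to the decoded text, not to the base64 lines themselves.
    """
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "us-ascii"
        yield cte == "base64", payload.decode(charset, "replace")


def check(raw_message: str) -> Dict[str, bool]:
    """Return which (emulated) rules fire on one RFC 5322 message."""
    msg = message_from_string(raw_message)
    hits = {"OBFU_JVSCR_ESC": False, "BASE64_HTML": False}
    for was_base64, text in html_parts(msg):
        if was_base64:
            hits["BASE64_HTML"] = True          # hypothetical rule name
        if OBFU_JVSCR_ESC.search(text):
            hits["OBFU_JVSCR_ESC"] = True
    # The proposed meta: both sub-rules must fire.
    hits["META_BASE64_OBFU"] = hits["OBFU_JVSCR_ESC"] and hits["BASE64_HTML"]
    return hits


def build_message(html: str, base64_encode: bool) -> str:
    """Construct a single-part text/html message for the example."""
    body = base64.b64encode(html.encode()).decode() if base64_encode else html
    cte = "base64" if base64_encode else "7bit"
    return (
        "From: sender@example.invalid\r\n"
        "To: recipient@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: text/html; charset=us-ascii\r\n"
        f"Content-Transfer-Encoding: {cte}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


# Constructed samples: a spam-like body with 13 %xx escapes (the rule needs 10),
# a base64-encoded HTML ham with no script, and a plain 7bit HTML ham.
SPAM_HTML = (
    '<html><body><script>document.write(unescape('
    '"%3C%69%66%72%61%6D%65%20%73%72%63%3D%22"))</script></body></html>'
)
HAM_HTML = "<html><body><p>Quarterly numbers attached.</p></body></html>"

SPAM_MSG = build_message(SPAM_HTML, base64_encode=True)
HAM_B64_MSG = build_message(HAM_HTML, base64_encode=True)
HAM_PLAIN_MSG = build_message(HAM_HTML, base64_encode=False)


if __name__ == "__main__":
    for label, msg in (("spam", SPAM_MSG), ("ham-b64", HAM_B64_MSG), ("ham-7bit", HAM_PLAIN_MSG)):
        print(label, check(msg))
```

Only the constructed spam sample trips the meta; the base64 ham trips BASE64_HTML alone, which is exactly the "Base64 HTML without any script hit" population Chip counted at 58 of 66,795. Whether a meta is worth points still depends on that ratio in your own ham, as the thread says.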