On Mon, 20 Sep 2010, Chip M. wrote:
> On 19 Sep 2010, John Hardin wrote:
> > Adding to my sandbox for masscheck:
> > rawbody HTML_OBFU_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i
> > It performs pretty well. It should be in the next rules update, under a
> > slightly different name (OBFU_JVSCR_ESC).
> Shiny!
> How about combining/meta-ing that with a simple Base64 HTML rule?
> I vaguely recall you may already have one (Base64 rule, not (yet) a
> meta).
> Based on my ham data, that pairing seems extraordinarily rare.
I'll review the masscheck results for overlap, but in the masscheck
corpora OBFU_JVSCR_ESC is hitting zero ham.
> I just dumped the Content Type summary lines for all 58, and if
> you're interested, John, I can email them as a zip. Just eyeballing
> them, there appear to be some interesting differences in the
> filename distribution vs this spam campaign.
Sure, send it along. No guarantees I'll do anything with it, though...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The Constitution is a written instrument. As such its meaning does
not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court
SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
-----------------------------------------------------------------------
88 days until TRON Legacy
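As an added illustration of the rule John posted and the Base64 meta-pairing Chip suggests (example code, not part of the thread or of SpamAssassin): a Python re-implementation of the rule's regex beside an assumed stand-in for the "simple Base64 HTML rule" (the thread does not show that rule, so its pattern and the sample bodies here are constructed), run over ham-like and spam-like bodies to show why the pairing rarely fires on ham.

```python
import base64
import re

# Python equivalent of the rawbody rule quoted in the thread: document.write(unescape("
# followed by at least ten consecutive %xx escapes, case-insensitive.
OBFU_JVSCR_ESC = re.compile(r'document\.write\(unescape\("(?:%[0-9a-f]{2}){10}', re.I)

# Assumed stand-in for the "simple Base64 HTML rule" the thread mentions but does not
# show: a run of 40 or more base64 alphabet characters with optional '=' padding.
HTML_BASE64_BLOB = re.compile(r'(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])')

def score_rawbody(rawbody: str) -> dict:
    """Return which rules hit; the META rule fires only when both sub-rules hit."""
    hits = {
        "OBFU_JVSCR_ESC": OBFU_JVSCR_ESC.search(rawbody) is not None,
        "HTML_BASE64_BLOB": HTML_BASE64_BLOB.search(rawbody) is not None,
    }
    hits["META_OBFU_ESC_B64"] = hits["OBFU_JVSCR_ESC"] and hits["HTML_BASE64_BLOB"]
    return hits

# Constructed sample bodies (not taken from the thread's corpora).
_B64 = base64.b64encode(b"constructed payload for the base64 rule demo").decode()
SAMPLES = {
    # spam-like: 13 escapes (they decode to <h1>Hello</h1>) plus a base64 blob
    "spam": ('<script>document.write(unescape("%3C%68%31%3E%48%65%6C%6C%6F%3C%2F%68%31%3E"))'
             '</script><div>' + _B64 + '</div>'),
    # ham-like: a legitimate unescape with only 3 escapes, no base64 blob
    "ham_short_unescape": '<script>document.write(unescape("%3Cp%3Ehi"))</script>',
    # ham-like: an inline base64 image but no obfuscated JavaScript
    "ham_inline_image": '<img src="data:image/gif;base64,' + _B64 + '">',
}

def evaluate_samples() -> dict:
    """Score every constructed sample; only 'spam' should trip the META rule."""
    return {name: score_rawbody(body) for name, body in SAMPLES.items()}
```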