On Wed, 31 Dec 2014 12:42:52 +0000 Paul Stead wrote: > > On 31/12/14 12:22, Martin Gregorie wrote: > > During last night I received a phishing message with a new (to me > > anyway) form of obfuscation which can only be used inside HTML body > > text using us-ascii encoding. The obfuscation was apparently aimed > > at SA and similar scanners because its not obvious to anybody > > reading the message: every 'o' (0x6f) in the text is replaced by > > ο > > > > I believe the following thread might answer some questions and offer a > few options. > > http://spamassassin.1065346.n5.nabble.com/More-text-plain-questions-td110060.html > > I believe the upcoming release should have the following new > functionality to help with this? > > https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7068 > and > https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7063
That's a different issue where the spammer encodes text into hexadecimal codes in a plain/text section; presumably relying on some broken client to display them. In this case the encoding is legitimate. It's just a variant on substituting 1 for l etc, but using lookalike unicode characters from other alphabets. It's not new, although I haven't seen it for a while. I don't think it's as useful a technique for spammers as some people think because such spams can be easily learned by statistical filters.
