[Mimedefang] Browser Bug: Very bad in IE and varies on Netscape and Mozilla
Jonas Eckerman
jonas_lists at frukt.org
Fri Dec 19 20:52:34 EST 2003
On Fri, 19 Dec 2003 17:12:39 -0500, Kevin A. McGrail wrote:
> # This rule is to mark emails using the exploit of the URI parsing
> uri KAM_URIPARSE /\%01\@/i
> describe KAM_URIPARSE Attempted use of URI bug. Very high
> probability of fraud. score KAM_URIPARSE 7.00
A small change:
uri KAM_URIPARSE /\%0[01]\@/i
%00 works just as well as %01 in some browsers.
I've actually never entered any rules in SpamAssassin, so the following question may be stupid:
Do you test simply for %01 followed by @ anywhere in the text, or do it check for that sequence inside URIs? To mee it looks like the rule will trigger for those fout characters even when not in a URI, wich might be too much.
As you showed, there may be more than one %00/%01 before the @. Actually, there can be almost anything between the %00/%01 and the @, so maybe it should be something like:
uri KAM_URIPARSE /[a-z]+\:\/\/\%0[01].*\@/
Also, unless I'm thinking badly tonight (it's about 3 am, so that's absolutely possible), the trick will only work in HTML coded mail. In a plain text mail, you will see the whole strange link. Is the test be limited to HTML mails?
Regards
/Jonas
--
Jonas Eckerman, jonas_lists at frukt.org
http://www.fsdb.org/
More information about the MIMEDefang
mailing list