[Mimedefang] Browser Bug: Very bad in IE and varies on Netscape and Mozilla

Jonas Eckerman jonas_lists at frukt.org
Fri Dec 19 20:52:34 EST 2003


On Fri, 19 Dec 2003 17:12:39 -0500, Kevin A. McGrail wrote:

>  # This rule is to mark emails using the exploit of the URI parsing
>  uri KAM_URIPARSE       /\%01\@/i
>  describe KAM_URIPARSE    Attempted use of URI bug.  Very high
>  probability of fraud. score KAM_URIPARSE     7.00

A small change:

uri KAM_URIPARSE       /\%0[01]\@/i

%00 works just as well as %01 in some browsers.

I've actually never entered any rules in SpamAssassin, so the following question may be stupid:
Do you test simply for %01 followed by @ anywhere in the text, or do it check for that sequence inside URIs? To mee it looks like the rule will trigger for those fout characters even when not in a URI, wich might be too much.

As you showed, there may be more than one %00/%01 before the @. Actually, there can be almost anything between the %00/%01 and the @, so maybe it should be something like:
uri KAM_URIPARSE       /[a-z]+\:\/\/\%0[01].*\@/

Also, unless I'm thinking badly tonight (it's about 3 am, so that's absolutely possible), the trick will only work in HTML coded mail. In a plain text mail, you will see the whole strange link. Is the test be limited to HTML mails?

Regards
/Jonas

-- 
Jonas Eckerman, jonas_lists at frukt.org
http://www.fsdb.org/




More information about the MIMEDefang mailing list