[Mimedefang] Browser Bug: Very bad in IE and varies on Netscape	and Mozilla
    Jonas Eckerman 
    jonas_lists at frukt.org
       
    Fri Dec 19 20:52:34 EST 2003
    
    
  
On Fri, 19 Dec 2003 17:12:39 -0500, Kevin A. McGrail wrote:
>  # This rule is to mark emails using the exploit of the URI parsing
>  uri KAM_URIPARSE       /\%01\@/i
>  describe KAM_URIPARSE    Attempted use of URI bug.  Very high
>  probability of fraud. score KAM_URIPARSE     7.00
A small change:
uri KAM_URIPARSE       /\%0[01]\@/i
%00 works just as well as %01 in some browsers.
I've actually never entered any rules in SpamAssassin, so the following question may be stupid:
Do you test simply for %01 followed by @ anywhere in the text, or do it check for that sequence inside URIs? To mee it looks like the rule will trigger for those fout characters even when not in a URI, wich might be too much.
As you showed, there may be more than one %00/%01 before the @. Actually, there can be almost anything between the %00/%01 and the @, so maybe it should be something like:
uri KAM_URIPARSE       /[a-z]+\:\/\/\%0[01].*\@/
Also, unless I'm thinking badly tonight (it's about 3 am, so that's absolutely possible), the trick will only work in HTML coded mail. In a plain text mail, you will see the whole strange link. Is the test be limited to HTML mails?
Regards
/Jonas
-- 
Jonas Eckerman, jonas_lists at frukt.org
http://www.fsdb.org/
    
    
More information about the MIMEDefang
mailing list