[Mimedefang] Considering an additional spam filter
Joseph Brennan
brennan at columbia.edu
Mon May 26 11:33:01 EDT 2003
> P<jkfdhjk>en<hjkdfhkj>is enl<asdfhjkldfas>argement
>
> It will not, because SpamAssassin's body check does not recognize the
> bogus HTML tags (even though most mail clients will render the message as
> the spammer intends).
The strategy of checking for obfuscation itself as a spam indicator
is good. Add to SA's tests with /etc/mail/spamassassin/local.cf.
It's already opening the mime part so you might as well do it there.
In the Oprah one, there are always some words with two tags in the
same word. That's unusual. The tags have no spaces. This test below
doesn't match any real mail in my sample of hundreds but test with care!
# New type III. This has bogus tags without ! in them, relying on html
# parsers to ignore unknown tags. Always within words and two within
# same word, like this: Cl<k30njyp1ly31x>ai<kze0cxs35dar>m
rawbody __OBFUSCATING3
/[A-Za-z]<[a-z0-9]{0,30}>[A-Za-z]{0,30}<[a-z0-9]{0,30}>[A-Za-z]/
meta OBFUSCATING3 OBFUSCATING3 && MIME_HTML_ONLY
describe OBFUSCATING3 HTML obfuscation (bad tags)
score OBFUSCATING3 3.8
I am sure the target will keep moving. Legit tags that do nothing
would be "better" in a fiendish way (change font color to what it
already is?).
Joseph Brennan postmaster at columbia.edu
Columbia University in the City of New York
More information about the MIMEDefang
mailing list