[Mimedefang] Incredible spam obfuscation

Joseph Brennan brennan at columbia.edu
Thu Feb 19 14:24:22 EST 2004


> Care to share your code for changing script to noscript?


Sure.

First, we decide that HTML is so evil that we need to open HTML body
parts and scan for patterns.  Well, it is that evil.  Right now we
look for iframe, script, and object, but we might do more later.

We store the rewritten version in a variable I have thoughtfully
named $bla.  If we changed anything we set a variable called $badtag,
and if we did that, we have to write $bla back into the part and
do an action_rebuild().  We also put in an X-Warning header to note
the action, and we syslog it.

($badtag ends up holding the last kind of tag deactivated; if a
message actually has more than one of iframe, script, or object,
we only say the last one, but I let that go.)


sub filter ($$$$) {
# ...

    # Check for bad code in HTML parts
    if ($type eq "text/html") {
        my($bla,$badtag,$io);
        # Read the decoded part line by line, building the rewritten copy
        if ($io = $entity->open("r")) {
            while (defined($_ = $io->getline)) {
                # note iframe, script, object; \b also matches a tag name
                # followed by ">" or end of line, not only by a space
                if (/<(iframe|script|object)\b/i) {
                    $badtag = $1;
                    $_ =~ s/<(iframe|script|object)\b/<no-$1/ig;
                }
                $bla .= $_;
            }
            $io->close;
        }
        if ($badtag) {
            # Write the rewritten body back into the part
            if ($io = $entity->open("w")) {
                $io->print($bla);
                $io->close;
            }
            # Record the change in syslog and in an X-Warning header
            $badtag .= " tag deactivated";
            md_graphdefang_log('modify',"$badtag");
            action_change_header("X-Warning",
                                 "$badtag by Columbia filter");
            action_rebuild();
        }
    }

# ...
}


Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
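
The rewrite described in the message above, as an added stand-alone example that is not part of the original post: it applies the substitution to the whole body in one pass, uses a word boundary after the tag name so that a name followed by ">" or a line break is also rewritten, and reports every kind of tag deactivated rather than only the last. The helper name deactivate_tags and the sample bodies are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of MIMEDefang): rewrite a whole HTML body
# at once and return the new body plus every kind of tag deactivated.
sub deactivate_tags {
    my ($html) = @_;
    my %seen;
    # \b instead of a literal space: also matches "<script>", "<script\n"
    # and "<script\t". Opening tags only, like the filter in the post.
    $html =~ s{<(iframe|script|object)\b}{ $seen{lc $1}++; "<no-$1" }gie;
    return ($html, sort keys %seen);
}

# Constructed sample bodies: [ label, HTML ]
my @samples = (
    [ 'attribute after a space', '<p>hi</p><script src="x.js"></script>' ],
    [ 'no attributes',           '<SCRIPT>var a = 1;</SCRIPT>' ],
    [ 'name split from attrs',   "<iframe\nsrc=\"http://example.invalid/\">" ],
    [ 'two kinds in one body',   "<object data=a>\n<iframe src=b>" ],
    [ 'clean body',              '<p>The object of this message</p>' ],
);

for my $s (@samples) {
    my ($label, $body) = @$s;
    my ($out, @tags) = deactivate_tags($body);
    # A filter would use @tags to build the X-Warning header and log line
    printf "%-24s %s\n", $label,
        @tags ? "deactivated: @tags" : "unchanged";
}
```

In a filter, a non-empty tag list is the condition for writing the body back and calling action_rebuild(), as the posted code does with $badtag.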


