[Mimedefang] Incredible spam obfuscation
Cormack, Ken
kcormack at acs.roadway.com
Fri Feb 20 14:33:18 EST 2004
> Cormack, Ken said:
> > This thing is really nice! In less than 10 minutes of run-time with
this
> > trap in place, it's already caught 10 messages. Thanks to Joe for
> > spotting
> > this and for working out (and posting) a solution, and to Paul for the
> > tweak. :)
> I like being explicit.
> Could you post the complete SA rule so I could ga run it through my
corpus?
> Then I can bugzilla file it on bugzilla.spamassassin.org.
sub filter ($$$$) {
# ...
# Check for bad code in HTML parts
if ($type eq "text/html") {
my($bla,$badtag);
if ($io = $entity->open("r")) {
while (defined($_ = $io->getline)) {
# note iframe, script, object
if ( /<(iframe|script|object)\b/i ) {
$badtag = $1;
s/<(iframe|script|object)\b/<no-$1/ig;
}
$bla .= $_;
}
$io->close;
}
if ($badtag) {
if ($io = $entity->open("w")) {
$io->print($bla);
$io->close;
}
if ($badtag) { $badtag .= " tag deactivated"; }
md_graphdefang_log('modify',"$badtag");
action_change_header("X-Warning",
"$badtag by Columbia filter");
action_rebuild();
}
}
# ...
}
More information about the MIMEDefang
mailing list