[Mimedefang] Incredible spam obfuscation

Cormack, Ken kcormack at acs.roadway.com
Fri Feb 20 14:33:18 EST 2004


> Cormack, Ken said:
> > This thing is really nice!  In less than 10 minutes of run-time with
this
> > trap in place, it's already caught 10 messages.  Thanks to Joe for
> > spotting
> > this and for working out (and posting) a solution, and to Paul for the
> > tweak.  :)

> I like being explicit.
> Could you post the complete SA rule so I could ga run it through my
corpus?
> Then I can bugzilla file it on bugzilla.spamassassin.org.

sub filter ($$$$) {
# ...

    # Check for bad code in HTML parts
    if ($type eq "text/html") {
        my($bla,$badtag);
        if ($io = $entity->open("r")) {
            while (defined($_ = $io->getline)) {
                # note iframe, script, object
                if ( /<(iframe|script|object)\b/i ) {
                    $badtag = $1;
                    s/<(iframe|script|object)\b/<no-$1/ig;
                }
                $bla .= $_;
            }
            $io->close;
        }
        if ($badtag) {
            if ($io = $entity->open("w")) {
                $io->print($bla);
                $io->close;
            }
            if ($badtag) { $badtag .= " tag deactivated"; }
            md_graphdefang_log('modify',"$badtag");
            action_change_header("X-Warning",
                                 "$badtag by Columbia filter");
            action_rebuild();
        }
    }

# ...
}



More information about the MIMEDefang mailing list