SA does not detect some URIs ?

[Nestor Burma <go...@yahoo.fr>]

Hello,

We just got some "obvious" spam going through SA. This
mail does include a not-quite obfuscated URL, which is


----------
L0we$t rate found right here:       
HTTP://WWW.cra3ybiz.com/st.asp
----------

Strange thing is that no URIBL rules are triggered.
But if we change HTTP to http, or WWW to www (or
both), those rules are properly triggered.

Since we are not (yet) SA-rules hackers, where should
we look to upgrade locally our rules to detect this
simple scheme ?

Tia,

NB


	

	
		
__________________________________________________________________
Découvrez le nouveau Yahoo! Mail : 250 Mo d'espace de stockage pour vos mails ! 
Créez votre Yahoo! Mail sur http://fr.mail.yahoo.com/

Re: SA does not detect some URIs ?

[Kevin Peuhkurinen <ke...@meridiancu.ca>]

Nestor Burma wrote:

>Strange thing is that no URIBL rules are triggered.
>But if we change HTTP to http, or WWW to www (or
>both), those rules are properly triggered.
>
>Since we are not (yet) SA-rules hackers, where should
>we look to upgrade locally our rules to detect this
>simple scheme ?
>
>  
>
Look in the recent archives for a thread with the subject "New(?) URL 
obfuscation technique".   There are some rules in there that should help 
you.

Re: SA does not detect some URIs ?

[Matt Kettler <mk...@evi-inc.com>]

Nestor Burma wrote:

>Hello,
>
>We just got some "obvious" spam going through SA. This
>mail does include a not-quite obfuscated URL, which is
>
>
>----------
>Strange thing is that no URIBL rules are triggered.
>But if we change HTTP to http, or WWW to www (or
>both), those rules are properly triggered.
>

See the bugzilla bug on this issue, there's a patch in it:

http://bugzilla.spamassassin.org/show_bug.cgi?id=4111