Posted to dev@spamassassin.apache.org by Karsten Bräckelmann <gu...@rudersport.de> on 2009/07/19 02:25:57 UTC

Generic URI de-obfuscation and re-writing Plugin

Anyone up for some *early* review, smoke-testing and commenting?

I don't feel like publishing the plugin just yet. Too many TODO items
left. Not yet run live, but tested quite extensively. The remaining
FIXMEs should be harmless. ;)

What I offer is a plugin that is capable of de-obfuscating URIs for URI
DNSBL checks, and even re-writing path-style hosting to generic 3tld
variants suitable for URI DNSBL lookups.  What I expect is merely peer
review, smoke-testing and comments within a couple of days.

Hit me a note off-list. But please do strip the teaser. :)


Teaser generated with stuff found in very recent spam folders. Also have
seen DOB hits on these. (Obvious URI in the Report details stripped, to
make it through to the list.)

X-Spam-Report: 
        *  2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
        *  2.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
        *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
Received: by delta.local (Postfix, from userid 500) id A7F901068B9;
        Sun, 19 Jul 2009 01:50:00 +0200
From: Foo <fo...@example.net>
To: Foo <fo...@example.net>
Subject: URI de-obfuscation Teaser
Message-Id: <12...@monkey>
Date: Sun, 19 Jul 2009 01:50:00 +0200

www[dot]shop75[dot]net


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
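As an added illustration (not Karsten's plugin, which is Perl and is not published in this thread), the Python below sketches the two steps the post describes: undoing "[dot]"-style obfuscation such as the www[dot]shop75[dot]net teaser, and promoting the first path label of a path-style hosting URI to a third domain label before building the name a URI DNSBL would be asked for. The dot spellings, the path-hosting list (freepages.example) and the multi.surbl.org zone are assumptions made for this example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Spellings of "." that hide a hostname from naive URI extraction.
# Constructed list; the real plugin's patterns are not on this page.
DOT_RE = re.compile(r"\s*[\[({<]\s*(?:dot|\.)\s*[\])}>]\s*|\s+dot\s+", re.IGNORECASE)

# Hosts that give every customer a path instead of a subdomain. The first
# path label identifies the customer, so it is lifted to a 3rd-level label
# for the lookup. Placeholder host, not the plugin's configuration.
PATH_HOSTED = {"freepages.example"}


def deobfuscate(text: str) -> str:
    """'www[dot]shop75[dot]net' -> 'www.shop75.net'.
    Note: the bare ' dot ' form also rewrites ordinary prose containing
    the word 'dot'; a production rule needs tighter context than this."""
    return DOT_RE.sub(".", text).strip()


def lookup_domain(uri: str) -> Optional[str]:
    """Domain a URI DNSBL would be queried for, or None when no host is present."""
    cleaned = deobfuscate(uri)
    if "://" not in cleaned:
        cleaned = "http://" + cleaned          # bare host, as in the teaser
    parts = urlsplit(cleaned)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if not host:
        return None
    labels = host.split(".")
    # Naive "last two labels" registrable domain; real code consults the
    # public suffix list so that e.g. co.uk is not treated as a domain.
    base = ".".join(labels[-2:])
    if base in PATH_HOSTED:
        first = parts.path.strip("/").split("/")[0]
        if first:
            return f"{first.lower()}.{base}"   # path-style hosting -> 3tld form
    return base


def dnsbl_query_name(uri: str, zone: str = "multi.surbl.org") -> Optional[str]:
    """Name to resolve: the (rewritten) domain prepended to the DNSBL zone."""
    dom = lookup_domain(uri)
    return f"{dom}.{zone}" if dom else None


if __name__ == "__main__":
    for sample in ("www[dot]shop75[dot]net", "http://www.freepages.example/spamshop/index.html"):
        print(sample, "->", dnsbl_query_name(sample))
```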


Re: Generic URI de-obfuscation and re-writing Plugin

Posted by John Hardin <jh...@impsec.org>.
On Sun, 19 Jul 2009, Karsten Bräckelmann wrote:

> Anyone up for some *early* review, smoke-testing and commenting?

Hit me, baby!

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79