You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by John Hardin <jh...@impsec.org> on 2009/10/05 20:21:00 UTC
Re: Babelfish obfuscation (fwd)
On Mon, 5 Oct 2009, Warren Togami wrote:
> Did the old rule decode %2E%63%6E as .cn though?
The URI parser does that for you:
[11433] dbg: rules: ran body rule ALL_BODY ======> got hit: "http://fnord:bleh@321%2E%63%6E"
[11433] dbg: rules: ran uri rule ALL_URI ======> got hit: "http://fnord:bleh@321%2E%63%6E"
[11433] dbg: rules: ran uri rule ALL_URI ======> got hit: "http://321.cn"
[11433] dbg: rules: ran uri rule ALL_URI ======> got hit: "http://fnord:bleh@321.cn"
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Windows Vista: Windows ME for the XP generation.
-----------------------------------------------------------------------
Approximately 9188040 firearms legally purchased in the U.S. this year
Re: Babelfish obfuscation (fwd)
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2009-10-05 at 11:21 -0700, John Hardin wrote:
> On Mon, 5 Oct 2009, Warren Togami wrote:
>
> > Did the old rule decode %2E%63%6E as .cn though?
>
> The URI parser does that for you:
>
> [11433] dbg: rules: ran uri rule ALL_URI ======> got hit: "http://fnord:bleh@321%2E%63%6E"
> [11433] dbg: rules: ran uri rule ALL_URI ======> got hit: "http://321.cn"
> [11433] dbg: rules: ran uri rule ALL_URI ======> got hit: "http://fnord:bleh@321.cn"
Didn't I say that? ;)
The list of URIs does contain cleaned and decoded versions, in addition
to the raw URI.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}