Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2005/06/05 02:12:00 UTC

[Bug 4390] New: Catch some URL hide techniques found in recent spams.

http://bugzilla.spamassassin.org/show_bug.cgi?id=4390

           Summary: Catch some URL hide techniques found in recent spams.
           Product: Spamassassin
           Version: unspecified
          Platform: Other
               URL: http://antispam.imp.ch/patches/patch-url-obfuscation
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: spamassassin
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: mbr@freebsd.org


Problem: URLs in HTML mails are not found, they are stripped away. If an
obfuscation technique is used, they got lost. Also URLs like
http:\\example.com\index.html are not found.
  
Solution: Use the patch below. It used HTML::LinkExtor to extract all URLs in  
HTML mails. The other patch Bugzilla 4389 is needed too.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 4390] Catch some URL hide techniques found in recent spams.

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4390


felicity@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From felicity@apache.org  2005-06-05 10:40 -------
I put in my own patch for this which is smaller, and also against 3.1 not 3.0. 
(the URI handling code is significantly different in 3.1...)  r180124





mbr@freebsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #2924 is|0                           |1
           obsolete|                            |




------- Additional Comments From mbr@freebsd.org  2005-06-05 06:47 -------
Created an attachment (id=2925)
 --> (http://bugzilla.spamassassin.org/attachment.cgi?id=2925&action=view)
Catch url-obfuscation

Previous version had wrong logic, so correct that.








------- Additional Comments From lwilton@earthlink.net  2005-06-05 10:11 -------
Subject: Re:  Catch some URL hide techniques found in recent spams.

> However...  Those URIs in an href (<a href="...">test</a>) do not work
> at all.  When you do a mouse over on the "test" links, OE shows you a
> properly formatted URI (bad), but when you click on it, OE brings up IE,
> and passes the raw URI in, which IE has no idea what to do with.

Which is rather interesting.  I just pasted all of those into the address
bar in IE, and all of them worked.  So it isn't that IE doesn't understand
them (it does).  It is something about the passing method between OE and IE
that subverts that subversion.







wtogami@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |ASSIGNED
  Status Whiteboard|                            |3 votes needed











------- Additional Comments From mbr@freebsd.org  2005-06-05 10:49 -------
>
> -1  We don't need yet another module dependency for something we already
> handle. :)
> 

btw ... there is no other dependency. Why not use HTML::LinkExtor? It
is part of HTML::Parser and we could dump some 'bloated' code in spamassassin
itself.

Martin





spamassassin@dostech.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|3 votes needed              |1 vote needed




------- Additional Comments From spamassassin@dostech.ca  2005-11-09 03:53 -------
+1





wtogami@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |
   Target Milestone|Undefined                   |3.0.5




------- Additional Comments From wtogami@redhat.com  2005-09-10 16:38 -------
http://mail-archives.apache.org/mod_mbox/spamassassin-commits/200506.mbox/%3c20050605173858.47468.qmail@minotaur.apache.org%3e
Targeting for 3.0.5 and testing in Fedora using the same minimal patch.









------- Additional Comments From felicity@apache.org  2005-06-04 20:15 -------
Subject: Re:   New: Catch some URL hide techniques found in recent spams.

On Sat, Jun 04, 2005 at 05:12:00PM -0700, bugzilla-daemon@bugzilla.spamassassin.org wrote:
> Problem: URLs in HTML mails are not found, they are stripped away. If an
> obfuscation technique is used, they got lost. Also URLs like
> http:\\example.com\index.html are not found.

Do any MUAs actually allow that?  If so, yeah, we should deal with it.

> Solution: Use the patch below. It used HTML::LinkExtor to extract all URLs in  
> HTML mails. The other patch Bugzilla 4389 is needed too.

-1  We don't need yet another module dependency for something we already
handle. :)










------- Additional Comments From lwilton@earthlink.net  2005-06-04 20:22 -------
Subject: Re:  Catch some URL hide techniques found in recent spams.

All MS tools will accept either forward or backslashes equivalently, so far
as I know.










------- Additional Comments From wtogami@redhat.com  2005-11-07 20:46 -------
Created an attachment (id=3234)
 --> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=3234&action=view)
spamassassin-3.0.4-4390-backslash-uri-hiding.patch

Past month of testing has been fine.

3 votes needed








------- Additional Comments From jm@jmason.org  2005-11-08 23:57 -------
+1








------- Additional Comments From shiva@sewingwitch.com  2005-06-05 02:01 -------
I was appalled to learn that IE will try a URL first with backslashes in the
path as given, then retry with them replaced by slashes if the original request
fails. I learned this while trying to figure out why Mozilla didn't work with a
company intranet website implemented with IIS and IE. Several of the internal
links had backslashes in them. Mozilla didn't perform the retry. (Ah, the joys
of merging your company with one not so clueful.)








------- Additional Comments From mbr@freebsd.org  2005-06-04 17:12 -------
Created an attachment (id=2924)
 --> (http://bugzilla.spamassassin.org/attachment.cgi?id=2924&action=view)
Patch and testcase.






sidney@sidney.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED
  Status Whiteboard|1 vote needed               |




------- Additional Comments From sidney@sidney.com  2005-11-13 13:10 -------
+1
Committed revision 332969.








------- Additional Comments From felicity@apache.org  2005-06-05 09:54 -------
Subject: Re:  Catch some URL hide techniques found in recent spams.

On Sat, Jun 04, 2005 at 08:22:07PM -0700, bugzilla-daemon@bugzilla.spamassassin.org wrote:
> All MS tools will accept either forward or backslashes equivalently, so far
> as I know.

Did some testing...  Only had OE available at the moment.

In short, for URIs in the open, OE will treat "\" and "/" as equivalent, you
can even mix and match:

 http:\\people.apache.org\~felicity\
 http:\\people.apache.org\~felicity/
 http:\\people.apache.org/~felicity/
 http:/\people.apache.org/~felicity/
 http:\/people.apache.org/~felicity/

All of those work.  They work in both text/plain and text/html parts.
However...  Those URIs in an href (<a href="...">test</a>) do not work
at all.  When you do a mouse over on the "test" links, OE shows you a
properly formatted URI (bad), but when you click on it, OE brings up IE,
and passes the raw URI in, which IE has no idea what to do with.
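
An added example (not part of the thread and not the SpamAssassin patch committed for this bug): Perl that extracts URIs whose separators mix "\" and "/" as in the test above and rewrites them to the forward-slash form before URI rules see them. The names `extract_uris` and `canonicalize_uri` and the sample body are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# http/https, then any two-character mix of "/" and "\", then the rest of
# the URI up to whitespace or a closing delimiter.
my $URI_RE = qr{\b(https?):([\\/]{2})([^\s<>"']+)}i;

# Rewrite "\" to "/" only before the first "?" or "#"; after that point a
# backslash is query or fragment data, not a separator.
sub canonicalize_uri {
    my ($scheme, $rest) = @_;
    my ($path, $tail) = $rest =~ /^([^?#]*)(.*)$/s;
    $path =~ tr{\\}{/};
    return lc($scheme) . '://' . $path . $tail;
}

# Return one record per URI found in a text part: the raw form, the
# canonical form to hand to URI rules, and whether backslashes were used.
sub extract_uris {
    my ($text) = @_;
    my @found;
    while ($text =~ /$URI_RE/g) {
        my ($scheme, $sep, $rest) = ($1, $2, $3);
        push @found, {
            raw       => "${scheme}:$sep$rest",
            canonical => canonicalize_uri($scheme, $rest),
            backslash => ("$sep$rest" =~ /^[^?#]*\\/ ? 1 : 0),
        };
    }
    return @found;
}

# Constructed sample body: the five forms listed in the comment above.
my $body = <<'EOT';
 http:\\people.apache.org\~felicity\
 http:\\people.apache.org\~felicity/
 http:\\people.apache.org/~felicity/
 http:/\people.apache.org/~felicity/
 http:\/people.apache.org/~felicity/
EOT

for my $u (extract_uris($body)) {
    printf "%-38s => %s%s\n", $u->{raw}, $u->{canonical},
        $u->{backslash} ? '  [backslash form]' : '';
}
```

All five sample lines reduce to `http://people.apache.org/~felicity/`, so a rule written against the forward-slash form also matches the backslash variants.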




