Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2008/03/22 19:27:15 UTC
Re: uri obfuscation
Arvid Ephraim Picciani writes:
> Hi,
> seems that spammers are leaving encoding characters in the urls to make SA
> unable to parse it. my mail program (kmail currently) displays those urls
> _without_ the leftovers.
> http://rafb.net/p/S95P6c12.html
> i suggest taking this kind of obfuscation as a sign for spam (i.e. it should be
> in the default ruleset)
works for me:
Content analysis details: (14.3 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
2.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[82.56.63.78 listed in zen.spamhaus.org]
0.5 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
1.6 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[82.56.63.78 listed in dnsbl.sorbs.net]
0.0 T_RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
0.0 T_RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[82.56.63.78 listed in sbl-xbl.spamhaus.org]
2.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: oMUNGEDldbuild.cn]
2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: oMUNGEDldbuild.cn]
0.0 T_HS_INDEX_PARAM_3 URI: T_HS_INDEX_PARAM_3
0.0 T_HS_INDEX_PARAM_0 URI: T_HS_INDEX_PARAM_0
0.0 T_HS_INDEX_PARAM_1 URI: T_HS_INDEX_PARAM_1
0.0 HS_INDEX_PARAM URI: Link contains a common tracker pattern.
0.0 T_HS_INDEX_PARAM_5 URI: T_HS_INDEX_PARAM_5
0.0 T_HS_INDEX_PARAM_4 URI: T_HS_INDEX_PARAM_4
0.0 T_HS_INDEX_PARAM_2 URI: T_HS_INDEX_PARAM_2
0.0 HTML_MESSAGE BODY: HTML included in message
2.7 MISSING_MIME_HB_SEP BODY: Missing blank line between MIME header and body
0.1 RDNS_DYNAMIC Delivered to trusted network by host with dynamic-looking rDNS
0.0 T_URIBL_BLACK_OVERLAP T_URIBL_BLACK_OVERLAP
0.3 DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
1.2 AWL AWL: From: address is in the auto white-list
what is the URL you think it's missing?
--j.
Re: uri obfuscation
Posted by SM <sm...@resistor.net>.
At 11:37 22-03-2008, Arvid Ephraim Picciani wrote:
>een"><a href=3D"http://ec=xzpmi.oldbuild.cn/?175217540350"><b>Das b
>
>see the "="?
>imo it should be taken as a spam sign. no sane person pastes such urls unless
>he/she intends to bypass url checks.
The sender's MUA formats and encodes the message. The URL may be
wrapped onto two lines. At the receiver's end, the message is
"decoded" and rendered in the MUA to appear on one line. The above
URL would only bypass naive parsers that operate on the raw body.
Regards,
-sm
Re: uri obfuscation
Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
On Saturday 22 March 2008 19:27:15 Justin Mason wrote:
> works for me:
> Content analysis details: (14.3 points, 5.0 required)
wow that was fast. 5 minutes ago it was in none of those lists. now i get 14.8
points too.
> what is the URL you think it's missing?
that one:
> Contains an URL listed in the JP SURBL blocklist [URIs: oMUNGEDldbuild.cn]
> 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> [URIs: oMUNGEDldbuild.cn]
because i get:
3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: oldbuild.cn]
anyway. even if it is not missing it, see in the mail there is a left "=" in
the uri:
een"><a href=3D"http://ec=xzpmi.oldbuild.cn/?175217540350"><b>Das b
see the "="?
imo it should be taken as a spam sign. no sane person pastes such urls unless
he/she intends to bypass url checks.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
Re: uri obfuscation
Posted by mouss <mo...@netoyen.net>.
mouss wrote:
> Arvid Ephraim Picciani wrote:
>> On Saturday 22 March 2008 19:52:46 SM wrote:
>>
>>> He was referring to the URL that is wrapped into two lines with the
>>> quoted-printable encoding. It is parsed correctly.
>>>
>> so thats no error or invalid markup? ok well in this case... sorry
>> for the false alert.
>>
>>
>>
>
> you need to show the raw body. http://ec=xz... is invalid and results
> in an error when I click on it. even with quoted printable, it is still
> invalid because '=' must be followed by hex characters (0-9a-fA-F).
oops. forget about it. I've just realized the url you posted contained
the message!
note that the message came from a "generic rdns" host and helo'ed with a
non fqdn hostname.
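SM's point above (the receiving MUA decodes the quoted-printable body before rendering, so only a parser working on the raw body is fooled) and mouss's point (a '=' in quoted-printable is only valid when followed by two hex digits, or by a line break, which makes it a soft line break) can both be checked with a few lines of Python. The following is an added example written for this page, not code from the thread or from SpamAssassin. The raw body is constructed to mirror the shape of the posted snippet; the full hostname, the path, and the text after "Das b" are assumptions, and the registered-domain helper is a deliberate simplification of what a URIBL client does.

```python
import quopri
import re

# Constructed raw MIME body (quoted-printable, as the sender's MUA would encode it).
# Mirrors the shape of the snippet in the thread: "=3D" is an encoded '=',
# and a bare '=' at end of line is a soft line break that the decoder removes.
# Hostname, path and the text after "Das b" are assumed, not taken from the thread.
RAW_QP_BODY = (
    b'<span class=3D"green"><a href=3D"http://ec=\r\n'
    b'xzpmi.oldbuild.cn/?175217540350"><b>Das b=\r\n'
    b'este Angebot</b></a></span>\r\n'
)

# Host is group 1; the rest of the URI runs until whitespace, a quote or a tag.
URI_RE = re.compile(rb'https?://([A-Za-z0-9.-]+)[^\s"<>]*')

# A '=' in quoted-printable is valid only as "=XX" (two hex digits) or as a
# soft line break ("=" immediately before CRLF or LF), per RFC 2045.
QP_ESCAPE_RE = re.compile(rb'=(?:[0-9A-Fa-f]{2}|\r?\n)')


def decode_qp(raw: bytes) -> bytes:
    """Decode quoted-printable the way the receiving MUA does."""
    return quopri.decodestring(raw)


def extract_hosts(text: bytes) -> list:
    """Return the host part of every http(s) URI found in `text`."""
    return [m.group(1).decode("ascii") for m in URI_RE.finditer(text)]


def naive_hosts(raw: bytes) -> list:
    """What a parser that works on the raw, still-encoded body would see."""
    return extract_hosts(raw)


def decoded_hosts(raw: bytes) -> list:
    """What a parser that decodes the body first (as SpamAssassin does) sees."""
    return extract_hosts(decode_qp(raw))


def qp_escape_errors(raw: bytes) -> list:
    """Offsets of every '=' that is neither '=XX' nor a soft line break."""
    bad = []
    i = raw.find(b"=")
    while i >= 0:
        m = QP_ESCAPE_RE.match(raw, i)
        if m:
            i = m.end()
        else:
            bad.append(i)
            i += 1
        i = raw.find(b"=", i)
    return bad


def registered_domain(host: str) -> str:
    """Name a URIBL/SURBL client would look up. Simplified to the last two
    labels; a real client consults a public suffix list (e.g. for 'co.uk')."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def uribl_query_names(raw: bytes) -> list:
    """Registered domains from the decoded body, deduplicated, in order."""
    seen = []
    for host in decoded_hosts(raw):
        name = registered_domain(host)
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    print("raw-body parse   :", naive_hosts(RAW_QP_BODY))
    print("decoded parse    :", decoded_hosts(RAW_QP_BODY))
    print("URIBL lookups    :", uribl_query_names(RAW_QP_BODY))
    print("escape errors    :", qp_escape_errors(RAW_QP_BODY))
    print("bad paste errors :", qp_escape_errors(b"http://ec=xzpmi.oldbuild.cn/"))
```

Run as-is, the raw-body parse sees only `ec` as the host (the `=` stops the match), while the decoded parse sees `ecxzpmi.oldbuild.cn` and the blocklist lookup name is `oldbuild.cn`, matching what the URIBL_BLACK hit in the thread reported. The constructed body passes the escape check, because every `=` is either `=3D` or a soft line break; the snippet `http://ec=xzpmi...` as pasted later in the thread does not, which is exactly the invalidity mouss noticed and Karsten attributed to a bad paste rather than to the message itself.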
Re: uri obfuscation
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
> you need to show the raw body. http://ec=xz... is invalid and results
> in an error when I click on it. even with quoted printable, it is still
> invalid because '=' must be followed by hex characters (0-9a-fA-F).
Dude, see the OP. :) He did provide the full, raw message.
This very snippet is just a bad (later) paste, and perfectly explains
the wrong assumption about this being an invalid char inside the URL.
guenther
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: uri obfuscation
Posted by mouss <mo...@netoyen.net>.
Arvid Ephraim Picciani wrote:
> On Saturday 22 March 2008 19:52:46 SM wrote:
>
>> He was referring to the URL that is wrapped into two lines with the
>> quoted-printable encoding. It is parsed correctly.
>>
> so thats no error or invalid markup? ok well in this case... sorry for the
> false alert.
>
>
>
you need to show the raw body. http://ec=xz... is invalid and results
in an error when I click on it. even with quoted printable, it is still
invalid because '=' must be followed by hex characters (0-9a-fA-F).
Re: uri obfuscation
Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
On Saturday 22 March 2008 19:52:46 SM wrote:
> He was referring to the URL that is wrapped into two lines with the
> quoted-printable encoding. It is parsed correctly.
so thats no error or invalid markup? ok well in this case... sorry for the
false alert.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
Re: uri obfuscation
Posted by SM <sm...@resistor.net>.
At 11:27 22-03-2008, Justin Mason wrote:
>what is the URL you think it's missing?
He was referring to the URL that is wrapped into two lines with the
quoted-printable encoding. It is parsed correctly.
Regards,
-sm