Posted to users@spamassassin.apache.org by "Chip M." <sa...@IowaHoneypot.com> on 2010/09/20 09:42:07 UTC
Re: Yahoo HTML Base64 Attachments
On 19 Sep 2010, John Hardin wrote:
>> Adding to my sandbox for masscheck:
>>
>> rawbody HTML_OBFU_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i
>
>It performs pretty well. It should be in the next rules update, under a
>slightly different name (OBFU_JVSCR_ESC).
Shiny!
How about combining/meta-ing that with a simple Base64 HTML rule?
I vaguely recall you may already have one (Base64 rule, not (yet) a
meta).
Based on my ham data, that pairing seems extraordinarily rare.
I just checked all 2010 data for my most diverse domain (three
generations of an extended family, with a superb mix of business
plus personal ham), and found only 58 (out of 66,795) hams with
Base64 HTML.
Of those, ZERO hit any of my anti-script tests, however 49 of them
did have an existing non-trivial pass rule that skips some of those
anti-script tests (in other words, those were already well known
(to us) for their poor mailing hygiene).
I just dumped the Content Type summary lines for all 58, and if
you're interested, John, I can email them as a zip. Just eyeballing
them, there appears to be some interesting differences in the
filename distribution vs this spam campaign.
I checked a similar quantity of data for a pure business domain, and
found ZERO occurrences of Base64 HTML.
As is often the case, choosing tests and scores depends on one's ham
ecology.
>Today: Talk Like a Pirate day
... and Today: Talk Like a Browncoat Day
i.e. the 8th anniversary of the TV broadcast debut of Firefly. :)
Keep flyin',
- "Chip"
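As an added illustration of the pairing Chip proposes (not code from the thread and not SpamAssassin's own implementation), the script below parses a MIME message with Python's standard library, flags any text/html part that arrives base64 transfer-encoded, runs the thread's obfuscated-JavaScript regex over the decoded HTML, and ANDs the two the way a SpamAssassin meta rule would. The rule names BASE64_HTML and META_B64_OBFU are hypothetical labels chosen here; the sample messages are constructed inline, and the unescape() payload in them decodes to harmless bold text so the regex has its ten hex escapes to match.

```python
import base64
import re
from email import message_from_string

# Regex posted in the thread (rawbody HTML_OBFU_ESC, shipped as OBFU_JVSCR_ESC):
# document.write(unescape("  followed by at least ten %xx hex escapes.
OBFU_JVSCR_ESC = re.compile(
    r'document\.write\(unescape\("(?:%[0-9a-f]{2}){10}', re.IGNORECASE)


def html_parts(msg):
    """Yield (was_base64, decoded_text) for every text/html MIME part."""
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        payload = part.get_payload(decode=True) or b""
        yield cte == "base64", payload.decode("utf-8", errors="replace")


def check_message(raw):
    """Return hypothetical rule hits; META_B64_OBFU is the AND of the other two."""
    msg = message_from_string(raw)
    base64_html = False
    obfu = False
    for was_b64, text in html_parts(msg):
        base64_html = base64_html or was_b64
        obfu = obfu or bool(OBFU_JVSCR_ESC.search(text))
    return {
        "BASE64_HTML": base64_html,            # hypothetical rule name
        "OBFU_JVSCR_ESC": obfu,                # the thread's rule
        "META_B64_OBFU": base64_html and obfu, # hypothetical meta: both must hit
    }


def build_sample(html, base64_encode):
    """Construct a minimal multipart message carrying one text/html attachment."""
    if base64_encode:
        body, cte = base64.b64encode(html.encode()).decode(), "base64"
    else:
        body, cte = html, "7bit"
    return (
        "From: sender@example.invalid\n"
        "To: rcpt@example.invalid\n"
        "Subject: sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "see attached\n"
        "--b1\n"
        'Content-Type: text/html; name="page.html"\n'
        f"Content-Transfer-Encoding: {cte}\n"
        'Content-Disposition: attachment; filename="page.html"\n'
        "\n"
        f"{body}\n"
        "--b1--\n"
    )


# Constructed inputs: the escapes below decode to "<b>hello</b>" (12 escapes).
OBFU_HTML = ('<html><body><script>document.write(unescape('
             '"%3C%62%3E%68%65%6C%6C%6F%3C%2F%62%3E"))</script></body></html>')
PLAIN_HTML = "<html><body><p>Quarterly report attached.</p></body></html>"

SAMPLES = {
    "base64_html_with_obfu": build_sample(OBFU_HTML, True),   # what the meta targets
    "base64_html_plain": build_sample(PLAIN_HTML, True),      # the rare legitimate case
    "inline_obfu": build_sample(OBFU_HTML, False),            # regex alone, no base64
}


def run_samples():
    return {name: check_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:24s} {hits}")
```

The second sample is the point of Chip's ham numbers: base64-encoded HTML on its own turns up in legitimate mail, so only the combined condition is worth scoring, which is exactly what the meta does here.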
Re: Yahoo HTML Base64 Attachments
Posted by John Hardin <jh...@impsec.org>.
On Mon, 20 Sep 2010, Chip M. wrote:
> On 19 Sep 2010, John Hardin wrote:
>>> Adding to my sandbox for masscheck:
>>>
>>> rawbody HTML_OBFU_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i
>>
>> It performs pretty well. It should be in the next rules update, under a
>> slightly different name (OBFU_JVSCR_ESC).
>
> Shiny!
>
> How about combining/meta-ing that with a simple Base64 HTML rule?
> I vaguely recall you may already have one (Base64 rule, not (yet) a
> meta).
>
> Based on my ham data, that pairing seems extraordinarily rare.
I'll review the masscheck results for overlap, but in the masscheck
corpora OBFU_JVSCR_ESC is hitting zero ham.
> I just dumped the Content Type summary lines for all 58, and if
> you're interested, John, I can email them as a zip. Just eyeballing
> them, there appears to be some interesting differences in the
> filename distribution vs this spam campaign.
Sure, send it along. No guarantees I'll do anything with it, though...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The Constitution is a written instrument. As such its meaning does
not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court
SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
-----------------------------------------------------------------------
88 days until TRON Legacy