You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2004/06/16 21:18:09 UTC

[Bug 3514] New: Regexp Problems on 2.63

http://bugzilla.spamassassin.org/show_bug.cgi?id=3514

           Summary: Regexp Problems on 2.63
           Product: Spamassassin
           Version: 2.63
          Platform: PC
        OS/Version: FreeBSD
            Status: NEW
          Severity: major
          Priority: P3
         Component: Rules (Eval Tests)
        AssignedTo: spamassassin-dev@incubator.apache.org
        ReportedBy: pardillaco@yahoo.com


Let's assume you're writing spam. If you add an \n character inside an 
HTML label, the regexp stops parsing there, so you can put anything you 
want below. 

I've seen this structure in HTML spam more than once, so I assume some 
spammer has learnt about it. 


Example: 

> uname -a
FreeBSD ... 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Wed Mar 17 12:03:04 PST 2004     

> spamassassin --version
SpamAssassin version 2.63

> cat user_prefs
body     LOCAL_BODY_SPAMMER_URI_COM2 /(mail15).com/i
describe LOCAL_BODY_SPAMMER_URI_COM2  Spam .com domain-name (2)
score    LOCAL_BODY_SPAMMER_URI_COM2  100.0

# this just looks for mail15.com


> cat spam
>From DrHerbertKirchner@yahoo.com Wed Jun 16 00:05:49 2004
Received: from 1.1.1.1 by 1.1.1.1 with ESMTP id 1;
  Wed, 16 Jun 2004 05:03:37 -0700
Message-ID: <ye...@Carolynpgrzpbygp.com>
From: "Carolyn" <Dr...@yahoo.com>
Date: Wed, 16 Jun 2004 08:05:49 +0100
To: a@a.a
Subject: Need a helping hand?
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset=iso-8859-1

<HEAD>
<TITLE>Cia</TITLE>

</HEAD>

<BODY BACKGROUND="" BGcolor=

"#fce4e5" TEXT="#000000" LINK="#0000ff" VLINK="#800080" ALINK="#ff0000">

Loading Ad... Please Wait<br>
<p>
<CENTER><A href= 
"mail15.com">


</BODY>

</HTML>


> spamassassin -p user_prefs < spam
>From DrHerbertKirchner@yahoo.com Wed Jun 16 00:05:49 2004
...
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on 
  apu.bmrc.berkeley.edu
X-Spam-Level: *
X-Spam-Status: No, hits=1.8 required=5.0 tests=DATE_IN_PAST_03_06,
  FORGED_YAHOO_RCVD,HTML_70_80,HTML_MESSAGE,HTML_TAG_BALANCE_HTML,
  MIME_HTML_ONLY autolearn=no version=2.63
...



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.