Posted to users@spamassassin.apache.org by Benny Pedersen <me...@junc.org> on 2008/05/06 21:48:29 UTC

IE Parse bug also in SpamAssassin ?


-- html code --
<div class=3DSection1>

<p class=3DMsoNormal>Hi!<a href=3D"http://{MACCCLINK=3Dtestmaclink,3,http=
://67.228.184.50/links1.txt,www.easyaddedvivacecreation.com}/?srrjrrlt2qx=
fpm7DuzjjB82iEozsAEajsqbE">.</a><br>
Sick and tired of disaster in bed? Bright up now! Leave
monotonous experience behind! urgent rescue is is not far!
Flood of feelings is just a blink away! </p>

<p class=3DMsoNormal><a href=3D"http://{MACCCLINK=3Dtestmaclink,3,http://=
67.228.184.50/links1.txt,www.easyaddedvivacecreation.com}/?asdfdwrt2qxfpm=
7DuzjjB82iEozsAEajsqbE">Have a look at our site</a></p>

</div>

--end of html code --

urls are not detected :/(


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: IE Parse bug also in SpamAssassin ?

Posted by Benny Pedersen <me...@junc.org>.
On Fri, May 9, 2008 15:42, Joseph Brennan wrote:

> You know about it being an IE parse bug, and that seems to be news to
> the rest of us. How'd you hear about it?

enabled spam_admin in amavisd-new and read my logs :-)

one SARE hit on IE bug


Benny Pedersen


Re: IE Parse bug also in SpamAssassin ?

Posted by Joseph Brennan <br...@columbia.edu>.
Benny Pedersen <me...@junc.org> wrote:

> i just started this thread to be sure IE parse bug is not in sa as well
> since i could see domains not detected in spam, but i got it now


You know about it being an IE parse bug, and that seems to be news to
the rest of us.  How'd you hear about it?

Joseph Brennan
Columbia University Information Technology


Re: IE Parse bug also in SpamAssassin ?

Posted by John Hardin <jh...@impsec.org>.
On Thu, 8 May 2008, Benny Pedersen wrote:

> i just started this thread to be sure IE parse bug is not in sa as well
> since i could see domains not detected in spam, but i got it now

Do you have a reference for discussion of this "IE Parsing bug" that led 
you to mention this oddball URI annotation format in the first place? 
There might be references in that to the definition of the format.

Thanks.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   USMC Rules of Gunfighting #9: Accuracy is relative: most combat
   shooting standards will be more dependent on "pucker factor" than
   the inherent accuracy of the gun.
-----------------------------------------------------------------------
  Today: the 63rd anniversary of VE day

Re: IE Parse bug also in SpamAssassin ?

Posted by Benny Pedersen <me...@junc.org>.
On Thu, May 8, 2008 18:07, John Hardin wrote:

> Bayes isn't going to parse a URI as a URI anyway, is it?

i believed it did use that info also

> It just tokenizes the message.

hopefully with url that conform to rfc also, but i see the point where url is
obfu not to bother now when i think more about it

> Bayes will pick up the domain name string if it's delimited
> by {} as readily as it will if it's delimited by //.

yes got it now, i was just a bit blind on the hidden url in redir.html

> To clarify: why bother trying to deobfuscate the URI and figure out what
> domain it's really pointing at, so that domain can be checked against
> URIBL lists,

the hidden url could also be a whitelisted domain

> if the form of the obfuscation is obvious and not seen in
> legitimate emails?

obfu is generically a spam sign

> Why not just give that obfuscation four or five points
> and be done with it?

yep i will

> If that formatting *was* seen in legitimate emails, then I would say that
> it's important the URI parsers be aware of it.

yes, my fault not thinking that long here :/

> Can you provide any pointers to documentation of that formatting? I didn't
> find any in a quick gargle.

if i know what to search for i could :/

i just started this thread to be sure IE parse bug is not in sa as well since i
could see domains not detected in spam, but i got it now



Benny Pedersen


Re: IE Parse bug also in SpamAssassin ?

Posted by John Hardin <jh...@impsec.org>.
On Thu, 8 May 2008, Benny Pedersen wrote:

> On Thu, May 8, 2008 17:29, John Hardin wrote:
>
>> Why worry about where the URI is trying to point if it's so obviously
>> obfuscated?
>
> to get more data to bayes

Bayes isn't going to parse a URI as a URI anyway, is it? It just tokenizes 
the message. Bayes will pick up the domain name string if it's delimited 
by {} as readily as it will if it's delimited by //.

To clarify: why bother trying to deobfuscate the URI and figure out what 
domain it's really pointing at, so that domain can be checked against 
URIBL lists, if the form of the obfuscation is obvious and not seen in 
legitimate emails? Why not just give that obfuscation four or five points 
and be done with it?

If that formatting *was* seen in legitimate emails, then I would say that 
it's important the URI parsers be aware of it.

Can you provide any pointers to documentation of that formatting? I didn't 
find any in a quick gargle.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The real opiate of the masses isn't religion; it's the belief that
   somewhere there is a benefit that can be delivered without a
   corresponding cost.                       -- Tom of "Radio Free NJ"
-----------------------------------------------------------------------
  Today: the 63rd anniversary of VE day
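
Added example, not part of the original thread and not SpamAssassin code: a Python check that applies the flat-score approach from the message above to the quoted sample, and also lists the host-like strings inside the braces in case they are wanted for URIBL lookups. The function names, the 4.0 default score, the example.org link and the treatment of the brace content as a comma-separated field list are assumptions; the thread found no documentation of the format.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sample input: the second anchor from the spam quoted in this thread, still
# quoted-printable encoded, plus one constructed ordinary link for contrast.
SAMPLE_QP = (
    b'<p class=3DMsoNormal><a href=3D"http://{MACCCLINK=3Dtestmaclink,3,http://=\n'
    b'67.228.184.50/links1.txt,www.easyaddedvivacecreation.com}/?asdfdwrt2qxfpm=\n'
    b'7DuzjjB82iEozsAEajsqbE">Have a look at our site</a></p>\n'
    b'<p><a href=3D"http://www.example.org/news">constructed plain link</a></p>\n'
)

# "scheme://{...}" where a hostname belongs: the form discussed in the thread.
BRACE_HOST = re.compile(r'^[a-z][a-z0-9+.-]*://\{([^}]*)\}', re.I)
HOSTLIKE = re.compile(r'(?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}', re.I)

class HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self.hrefs += [v for k, v in attrs if k == 'href' and v]

def embedded_hosts(inner):
    """Assumption: the brace content is a comma-separated field list."""
    hosts = set()
    for field in inner.split(','):
        try:
            host = urlsplit(field).hostname if '://' in field else field
        except ValueError:
            continue
        if host and HOSTLIKE.fullmatch(host):
            hosts.add(host.lower())
    return sorted(hosts)

def scan(raw_qp_body, points=4.0):
    """Return one finding per brace-host link: flat score plus candidate hosts."""
    html = quopri.decodestring(raw_qp_body).decode('latin-1')
    collector = HrefCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        m = BRACE_HOST.match(href)
        if m:
            findings.append({'href': href, 'score': points, 'hosts': embedded_hosts(m.group(1))})
    return findings
```

The check runs on the quoted-printable-decoded body, so the `=3D` sequences and soft line breaks in the raw message do not hide the `http://{` prefix.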

Re: IE Parse bug also in SpamAssassin ?

Posted by Benny Pedersen <me...@junc.org>.
On Thu, May 8, 2008 17:29, John Hardin wrote:

> Why worry about where the URI is trying to point if it's so obviously
> obfuscated?

to get more data to bayes


Benny Pedersen


Re: IE Parse bug also in SpamAssassin ?

Posted by John Hardin <jh...@impsec.org>.
On Thu, 8 May 2008, Benny Pedersen wrote:

> On Thu, May 8, 2008 05:00, Joseph Brennan wrote:
>
>> Should we just call "http://{" bad, and not bother checking the uri?
>
> i believe there are parts in sa that parse the same way as ie and that
> could be used by spammers to hide their domains in multilevel obfu

Why worry about where the URI is trying to point if it's so obviously 
obfuscated?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   News flash: Lowest Common Denominator down 50 points
-----------------------------------------------------------------------
  Today: the 63rd anniversary of VE day

Re: IE Parse bug also in SpamAssassin ?

Posted by Benny Pedersen <me...@junc.org>.
On Thu, May 8, 2008 05:00, Joseph Brennan wrote:
>> <p class=3DMsoNormal><a href=3D"http://{MACCCLINK=3Dtestmaclink,3,http://=
>> 67.228.184.50/links1.txt,www.easyaddedvivacecreation.com}/?asdfdwrt2qxfpm=
>> 7DuzjjB82iEozsAEajsqbE">Have a look at our site</a></p>
> Do you have a reference for more on this?  Is this just obfuscation or
> does it do something bad besides?

unsure what here, but when i have sent the mail here it was detected when i
get it back, but not in the initial email i get it from, so i might be

> Should we just call "http://{" bad, and not bother checking the uri?

i believe there are parts in sa that parse the same way as ie and that could be
used by spammers to hide their domains in multilevel obfu

one example is redir.html with nearly always redirect to medical selling host

how can one make the

redirector_pattern in local.cf to make it test redirect in redir.html ?

if sare team and sa code team see their corpus i am sure they can see something
from it, i have tried to make a redirector_pattern but no success :/



Benny Pedersen


Re: IE Parse bug also in SpamAssassin ?

Posted by Joseph Brennan <br...@columbia.edu>.
> <p class=3DMsoNormal><a href=3D"http://{MACCCLINK=3Dtestmaclink,3,http://=
> 67.228.184.50/links1.txt,www.easyaddedvivacecreation.com}/?asdfdwrt2qxfpm=
> 7DuzjjB82iEozsAEajsqbE">Have a look at our site</a></p>


Do you have a reference for more on this?  Is this just obfuscation or
does it do something bad besides?

Should we just call "http://{" bad, and not bother checking the uri?

Joseph Brennan
Columbia University Information Technology