Posted to users@spamassassin.apache.org by Loren Wilton <lw...@earthlink.net> on 2021/09/13 00:13:04 UTC

An interesting bit of HTML from a spam

I found this little wonder in a bunch of spams I've been getting for the 
last few days:

<a amzon-work to=http://" http://" http://" http://" http://" http://" 
href="http:/mi.wey.vandalized655bccemetries.cleaning/<tracking 
id>">unsubscribe here</a>

I have no idea if that actually works, since I'm not about to try it.

        Loren



---
This email has been checked for viruses by AVG.
https://www.avg.com


Re: An interesting bit of HTML from a spam

Posted by Henrik K <he...@hege.li>.
On Sun, Sep 12, 2021 at 08:34:28PM -0500, Dave Funk wrote:
> On Sun, 12 Sep 2021, Loren Wilton wrote:
> 
> > I found this little wonder in a bunch of spams I've been getting for the
> > last few days:
> > 
> > <a amzon-work to=http://" http://" http://" http://" http://" http://"
> > href="http:/mi.wey.vandalized655bccemetries -dot- cleaning/<tracking
> > id>">unsubscribe here</a>
> > 
> > I have no idea if that actually works, since I'm not about to try it.
> 
> The base hostname in that URL (I bowdlerized it in this message) is listed
> in a couple different URIBLs.
> 
> SA 3.4.1 is able to spot/extract that name from the garbage and trigger
> URIBL rules.
> In debug mode for this message its 'URIDOMAINS' contains: ARY:[...]
> 
> SA 3.4.6 not so much. It doesn't seem to "see" that href/URL at all.
> Its 'URIDOMAINS' contains: value: avg.com
> 
> So why is SA 3.4.6 much less sensitive about picking up hosts in URLs?

Because newer works more sensibly if you feed it crap?

As we don't have an original pastebin to test, we can simply assume to fake
it as a text/html message:

printf 'Content-Type: text/html\n\n<a amzon-work to=http://"
http://" http://" http://" http://" http://"
href="http:/mi.wey.vandalized655bccemetries -dot- cleaning/foo">
unsubscribe here</a>' | spamassassin -D -L 2>&1 | grep uri:

You will find it parses it fine. (replace -dot-)


Re: An interesting bit of HTML from a spam

Posted by Dave Funk <db...@engineering.uiowa.edu>.
On Sun, 12 Sep 2021, Loren Wilton wrote:

> I found this little wonder in a bunch of spams I've been getting for the last 
> few days:
>
> <a amzon-work to=http://" http://" http://" http://" http://" http://" 
> href="http:/mi.wey.vandalized655bccemetries -dot- cleaning/<tracking 
> id>">unsubscribe here</a>
>
> I have no idea if that actually works, since I'm not about to try it.

The base hostname in that URL (I bowdlerized it in this message) is listed in a 
couple different URIBLs.

SA 3.4.1 is able to spot/extract that name from the garbage and trigger URIBL 
rules.
In debug mode for this message its 'URIDOMAINS' contains: 
ARY:[oxsus-vadesecure.net,uiowa.edu,uiowa.edu,avg.com,vandalized655bccemetries.cleaning,oxsus-vadesecure.net]

SA 3.4.6 not so much. It doesn't seem to "see" that href/URL at all.
Its 'URIDOMAINS' contains: value: avg.com

So why is SA 3.4.6 much less sensitive about picking up hosts in URLs?



-- 
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
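
The tag quoted in this thread, tokenized roughly the way an HTML5-style parser sees it, to show why the junk before `href` does not hide the link from a tolerant parser. This is an added example, not part of any post and not SpamAssassin's code; the host `spam-host.example`, the function names and the slash-repair rule are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the tag shape quoted in the thread, with a placeholder host.
SAMPLE = ('<a amzon-work to=http://" http://" http://" http://" http://" '
          'http://" href="http:/mi.wey.spam-host.example/foo">unsubscribe here</a>')
WS = " \t\n\r\f"

def parse_attrs(tag):
    """Split a start tag into (name, value) pairs, roughly per the HTML5 attribute states."""
    i, n = tag.index("<") + 1, len(tag)
    while i < n and tag[i] not in WS + "/>":      # skip the tag name
        i += 1
    attrs = []
    while i < n:
        while i < n and tag[i] in WS + "/":       # separators before a name
            i += 1
        if i >= n or tag[i] == ">":
            break
        start, i = i, i + 1                       # any first char starts a name, even '"'
        while i < n and tag[i] not in WS + "/>=":
            i += 1
        name, value = tag[start:i].lower(), ""
        while i < n and tag[i] in WS:
            i += 1
        if i < n and tag[i] == "=":
            i += 1
            while i < n and tag[i] in WS:
                i += 1
            if i < n and tag[i] in "\"'":         # quoted value ends at the matching quote
                end = tag.find(tag[i], i + 1)
                end = n if end == -1 else end
                value, i = tag[i + 1:end], end + 1
            else:                                 # bare value runs to whitespace or '>'
                start = i
                while i < n and tag[i] not in WS + ">":
                    i += 1
                value = tag[start:i]
        attrs.append((name, value))
    return attrs

def href_host(tag, lenient=True):
    """Host of the first href; lenient mode repairs 'http:/host' to 'http://host'."""
    hrefs = [v.strip() for k, v in parse_attrs(tag) if k == "href"]
    url = hrefs[0] if hrefs else ""
    if lenient:  # assumption: collapse missing or extra slashes after http(s):
        url = re.sub(r"^(https?):[/\\]*", r"\1://", url, flags=re.I)
    return urlsplit(url).hostname
```

The stray `http://"` runs become one bare value for `to` plus a series of valueless attributes named `http:` and `"`, so `href` survives intact; with `lenient=False` the single-slash URL yields no host, which is the case a URI extractor has to repair before a URIBL lookup.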