You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2005/07/16 20:04:13 UTC

[Bug 4147] Uncaught phish trick using broken OE logic

http://bugzilla.spamassassin.org/show_bug.cgi?id=4147


Bob@Menschel.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX




------- Additional Comments From Bob@Menschel.net  2005-07-16 11:04 -------
Below are three rules developed by Loren and Bob. First is in 70_sare_obfu0.cf,
third is in 70_sare_obfu1.cf, and second will be in next release of obfu0. 

Too late, and not enough benefit, to get these into 3.1.0, but anyone who wants
them can copy them from this entry or use the SARE rules files. If the S/O and
counts improve over time, we'll submit them for 3.2.0.

(No objection if anyone else can find ways to improve on these, or even replace
them with something better.) 

rawbody   __SARE_OBFU_SPLIT_HR1A   /href=\"[^"]*\r[^\n]/is
full      __SARE_OBFU_SPLIT_HR1B   /href=\"[^"]*\r[^\n]/is
meta      SARE_OBFU_SPLIT_HR1      __SARE_OBFU_SPLIT_HR1A || __SARE_OBFU_SPLIT_HR1B
score     SARE_OBFU_SPLIT_HR1      1.666
#stype    SARE_OBFU_SPLIT_HR1      obfu 
describe  SARE_OBFU_SPLIT_HR1      unescaped cr in uri
#hist     SARE_OBFU_SPLIT_HR1      Loren Wilton
#counts   SARE_OBFU_SPLIT_HR1      35s/0h of 260791 corpus (115716s/145075h RM)
05/25/05
#max      SARE_OBFU_SPLIT_HR1      49s/0h of 292007 corpus (122219s/169788h RM)
04/27/05
#counts   SARE_OBFU_SPLIT_HR1      0s/0h of 10870 corpus (6385s/4485h CT) 05/15/05
#counts   SARE_OBFU_SPLIT_HR1      7s/0h of 4677 corpus (810s/3867h ft) 05/28/05
#counts   SARE_OBFU_SPLIT_HR1      352s/0h of 47845 corpus (43810s/4035h MY)
05/28/05

full      SARE_OBFU_SPLIT_REDIR    m'/(?:(?!https?://)h.?t.?t.?p.?:.?/.?/)'i
describe  SARE_OBFU_SPLIT_REDIR    gappy redirect
score     SARE_OBFU_SPLIT_REDIR    1.666
#stype    SARE_OBFU_SPLIT_REDIR    obfu
#hist     SARE_OBFU_SPLIT_REDIR    Bob Menschel, June 16 2005 
#counts   SARE_OBFU_SPLIT_REDIR    3s/0h of 267372 corpus (127006s/140366h RM)
06/19/05

rawbody   __SARE_OBFU_SPLIT_HR2A   /href\s{0,5}=\s{0,5}"[^"]{0,15}[\r\n]/is
full      __SARE_OBFU_SPLIT_HR2B   /href\s{0,5}=\s{0,5}"[^"]{0,15}[\r\n]/is
meta      SARE_OBFU_SPLIT_HR2      __SARE_OBFU_SPLIT_HR2A || __SARE_OBFU_SPLIT_HR2B
score     SARE_OBFU_SPLIT_HR2      1.023
describe  SARE_OBFU_SPLIT_HR2      unescaped cr in uri
#counts   SARE_OBFU_SPLIT_HR2      4893s/46h of 261031 corpus (115925s/145106h
RM) 05/29/05
#max      SARE_OBFU_SPLIT_HR2      4930s/59h of 263078 corpus (112438s/150640h
RM) 05/16/05
#counts   SARE_OBFU_SPLIT_HR2      2s/0h of 10870 corpus (6385s/4485h CT) 05/15/05
#counts   SARE_OBFU_SPLIT_HR2      6s/2h of 4677 corpus (810s/3867h ft) 05/28/05
#counts   SARE_OBFU_SPLIT_HR2      328s/15h of 47845 corpus (43810s/4035h MY)
05/28/05





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.