You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2005/07/16 20:04:13 UTC
[Bug 4147] Uncaught phish trick using broken OE logic
http://bugzilla.spamassassin.org/show_bug.cgi?id=4147
Bob@Menschel.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX
------- Additional Comments From Bob@Menschel.net 2005-07-16 11:04 -------
Below are three rules developed by Loren and Bob. First is in 70_sare_obfu0.cf,
third is in 70_sare_obfu1.cf, and second will be in next release of obfu0.
Too late, and not enough benefit, to get these into 3.1.0, but anyone who wants
them can copy them from this entry or use the SARE rules files. If the S/O and
counts improve over time, we'll submit them for 3.2.0.
(No objection if anyone else can find ways to improve on these, or even replace
them with something better.)
rawbody __SARE_OBFU_SPLIT_HR1A /href=\"[^"]*\r[^\n]/is
full __SARE_OBFU_SPLIT_HR1B /href=\"[^"]*\r[^\n]/is
meta SARE_OBFU_SPLIT_HR1 __SARE_OBFU_SPLIT_HR1A || __SARE_OBFU_SPLIT_HR1B
score SARE_OBFU_SPLIT_HR1 1.666
#stype SARE_OBFU_SPLIT_HR1 obfu
describe SARE_OBFU_SPLIT_HR1 unescaped cr in uri
#hist SARE_OBFU_SPLIT_HR1 Loren Wilton
#counts SARE_OBFU_SPLIT_HR1 35s/0h of 260791 corpus (115716s/145075h RM)
05/25/05
#max SARE_OBFU_SPLIT_HR1 49s/0h of 292007 corpus (122219s/169788h RM)
04/27/05
#counts SARE_OBFU_SPLIT_HR1 0s/0h of 10870 corpus (6385s/4485h CT) 05/15/05
#counts SARE_OBFU_SPLIT_HR1 7s/0h of 4677 corpus (810s/3867h ft) 05/28/05
#counts SARE_OBFU_SPLIT_HR1 352s/0h of 47845 corpus (43810s/4035h MY)
05/28/05
full SARE_OBFU_SPLIT_REDIR m'/(?:(?!https?://)h.?t.?t.?p.?:.?/.?/)'i
describe SARE_OBFU_SPLIT_REDIR gappy redirect
score SARE_OBFU_SPLIT_REDIR 1.666
#stype SARE_OBFU_SPLIT_REDIR obfu
#hist SARE_OBFU_SPLIT_REDIR Bob Menschel, June 16 2005
#counts SARE_OBFU_SPLIT_REDIR 3s/0h of 267372 corpus (127006s/140366h RM)
06/19/05
rawbody __SARE_OBFU_SPLIT_HR2A /href\s{0,5}=\s{0,5}"[^"]{0,15}[\r\n]/is
full __SARE_OBFU_SPLIT_HR2B /href\s{0,5}=\s{0,5}"[^"]{0,15}[\r\n]/is
meta SARE_OBFU_SPLIT_HR2 __SARE_OBFU_SPLIT_HR2A || __SARE_OBFU_SPLIT_HR2B
score SARE_OBFU_SPLIT_HR2 1.023
describe SARE_OBFU_SPLIT_HR2 unescaped cr in uri
#counts SARE_OBFU_SPLIT_HR2 4893s/46h of 261031 corpus (115925s/145106h
RM) 05/29/05
#max SARE_OBFU_SPLIT_HR2 4930s/59h of 263078 corpus (112438s/150640h
RM) 05/16/05
#counts SARE_OBFU_SPLIT_HR2 2s/0h of 10870 corpus (6385s/4485h CT) 05/15/05
#counts SARE_OBFU_SPLIT_HR2 6s/2h of 4677 corpus (810s/3867h ft) 05/28/05
#counts SARE_OBFU_SPLIT_HR2 328s/15h of 47845 corpus (43810s/4035h MY)
05/28/05
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.