You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by "Chr. von Stuckrad" <st...@mi.fu-berlin.de> on 2005/04/22 16:06:26 UTC

Re: New(?) 'writing direction switch'(?) obfuscation technique

Hi!

I lately received two Barkley-Bank-Phishs, but could not really
read them with my ASCII mailreader.

The first line of the mail is in my ASCII Browser:

 D#8238;rae#8236; Ba#8238;lcr#8236;ays Memb#8238;re#8236;,

All 'mozillas' show

 Dera Balcrays Membre,

BUT even though MIME-encoding was officially us-ascii
of course Windows knows it better and shows it as

 Dear Barclays Member

The Effect is created by switching the writing-Direction
by inserting URL-Encoded decimals(?) of the UNICODE
special codes: 

  Mail    UNICODE   meaning

  "#8238"=\ux202e   'right to left override'
  "#8236"=\ux202c   'pop direction'

Is there a way to combine a test for
1) MIME-Encoding NOT unicode   and
2) those sequences?
into a special rule for this?

Thanks      Stucki   (postmaster at math/inf/mi.fu-berlin.de)

-- 
Christoph von Stuckrad     * * |nickname |<st...@math.fu-berlin.de>\
Freie Universitaet Berlin  |/_*|'stucki' |Tel(days):+49 30 838-75 459|
Fachbereich Mathematik, EDV|\ *|if online|Tel(else):+49 30 77 39 6600|
Arnimallee 2-6/14195 Berlin* * |on IRCnet|Fax(alle):+49 30 838-75454/