You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by "Chr. von Stuckrad" <st...@mi.fu-berlin.de> on 2005/04/22 16:06:26 UTC
Re: New(?) 'writing direction switch'(?) obfuscation technique
Hi!
I lately received two Barkley-Bank-Phishs, but could not really
read them with my ASCII mailreader.
The first line of the mail is in my ASCII Browser:
D#8238;rae#8236; Ba#8238;lcr#8236;ays Memb#8238;re#8236;,
All 'mozillas' show
Dera Balcrays Membre,
BUT even though MIME-encoding was officially us-ascii
of course Windows knows it better and shows it as
Dear Barclays Member
The Effect is created by switching the writing-Direction
by inserting URL-Encoded decimals(?) of the UNICODE
special codes:
Mail UNICODE meaning
"#8238"=\ux202e 'right to left override'
"#8236"=\ux202c 'pop direction'
Is there a way to combine a test for
1) MIME-Encoding NOT unicode and
2) those sequences?
into a special rule for this?
Thanks Stucki (postmaster at math/inf/mi.fu-berlin.de)
--
Christoph von Stuckrad * * |nickname |<st...@math.fu-berlin.de>\
Freie Universitaet Berlin |/_*|'stucki' |Tel(days):+49 30 838-75 459|
Fachbereich Mathematik, EDV|\ *|if online|Tel(else):+49 30 77 39 6600|
Arnimallee 2-6/14195 Berlin* * |on IRCnet|Fax(alle):+49 30 838-75454/