Posted to users@spamassassin.apache.org by Steven Manross <sm...@Insight.com> on 2004/02/20 17:00:55 UTC

RE: [Dshield] Incredible spam obfuscation (from MIMEDefang maillist)

Isn't the answer really to catch the unclickable link...

Namely, 

/<A HREF.*><\/A>/

As suggested in the link he gave?

Granted, I haven't tried this as a regex and it probably has holes, but it
doesn't seem normal to have a link that doesn't give the option to click
it.

:)

Steven

-----Original Message-----
From: Chris Santerre [mailto:csanterre@MerchantsOverseas.com] 
Sent: Friday, February 20, 2004 7:26 AM
To: 'John Hardin'; SpamAssassin list
Subject: RE: [Dshield] Incredible spam obfuscation (from MIMEDefang
maillist)




> -----Original Message-----
> From: John Hardin [mailto:johnh@aproposretail.com]
> Sent: Thursday, February 19, 2004 3:58 PM
> To: SpamAssassin list
> Subject: Re: [Dshield] Incredible spam obfuscation (from MIMEDefang
> maillist)
> 
> 
> On Thu, 2004-02-19 at 10:26, Jon R. Kibler wrote:
> 
> > http://lists.roaringpenguin.com/pipermail/mimedefang/2004-February/020188.html
> > http://lists.roaringpenguin.com/pipermail/mimedefang/2004-February/020203.html
> 
> Any rules to catch this trick?
> 
> --
> John Hardin  KA7OHZ                           

I saw this as a direct attempt to foil Bigevil and similar URL marking
rules. Like Bayes poison (fodder) they are trying to mess up automated
scripts from harvesting the correct URLs to blacklist. But I do these by
hand, so I only pull out the legit URLs from these spam. 

So the short answer is I've not seen a rule for this. But I do have the
legit URLs in my Bigevil for the ones I do get. 

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin
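
Added example, not part of any message in this thread and not a SpamAssassin rule: the pattern posted above, run over constructed HTML bodies next to a tightened variant, to show where the posted pattern misses an empty anchor and where it fires on a normal link. The tightened pattern, the function names and the example.com/.net/.org sample URLs are assumptions of this example.

```python
import re

# The pattern as posted in the thread: case-sensitive, greedy ".*".
POSTED = re.compile(r'<A HREF.*><\/A>')

# Tightened variant (an assumption of this example, not a published rule):
# case-insensitive, attributes confined to a single tag by [^>]*, and only
# whitespace or &nbsp; allowed between the opening and closing tag.
EMPTY_ANCHOR = re.compile(
    r'<a\s[^>]*\bhref\s*=[^>]*>(?:\s|&nbsp;)*</a\s*>', re.IGNORECASE)

# Constructed sample bodies; the URLs are placeholders.
SAMPLES = {
    "empty_upper":   '<A HREF="http://example.com/"></A>',
    "empty_lower":   '<a href="http://example.net/"></a>',
    "empty_wrapped": '<a\nhref="http://example.org/">\n</a>',
    "normal_link":   '<a href="http://example.com/">Visit us</a>',
    "bold_link":     '<A HREF="http://example.com/"><b>Visit us</b></A>',
}


def hits(pattern, body):
    """True if the pattern matches anywhere in the message body."""
    return pattern.search(body) is not None


def compare(samples=SAMPLES):
    """Map sample name -> (posted pattern hit, tightened pattern hit)."""
    return {name: (hits(POSTED, body), hits(EMPTY_ANCHOR, body))
            for name, body in samples.items()}


def empty_anchor_targets(body):
    """Return the href values of anchors that carry no clickable text."""
    targets = []
    for match in EMPTY_ANCHOR.finditer(body):
        href = re.search(r'href\s*=\s*["\']?([^"\'\s>]+)',
                         match.group(0), re.IGNORECASE)
        if href:
            targets.append(href.group(1))
    return targets


if __name__ == "__main__":
    for name, (posted, tightened) in compare().items():
        print(f"{name:14} posted={posted!s:5} tightened={tightened}")
```

The posted pattern misses the lower-case and line-wrapped empty anchors, and its greedy `.*` fires on the bold link because `</b></A>` ends in `></A>`.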