Posted to users@spamassassin.apache.org by Samuel Krieg <sk...@wng.ch> on 2008/02/28 14:26:17 UTC

Vista Obfuscation

Hi there,

I'm trying to create a rule to identify "\/ista" (with backslash + slash).

This does not seem to work:

body	WNG_OBFUVISTA	/\b\\\/ista\b/i
score	WNG_OBFUVISTA	1


Any idea?
Thanks.

-- 
Samuel Krieg

Re: Vista Obfuscation

Posted by Paul Douglas Franklin <pd...@yugm.org>.
body    WNG_OBFUVISTA    /\Wista\b/i
would be my suggestion--I wouldn't worry too much about the exact
non-word character(s).  The baddies might next do \ /ista, and a
precise rule for \/ista wouldn't catch it.
--Paul

Samuel Krieg wrote:
> Hi there,
>
> I'm trying to create a rule to identify "\/ista" (with backslash + 
> slash).
>
> This does not seem to work:
>
> body    WNG_OBFUVISTA    /\b\\\/ista\b/i
> score    WNG_OBFUVISTA    1
>
>
> Any idea?
> Thanks.
>

-- 
Paul Douglas Franklin
Computer Manager, Union Gospel Mission of Yakima, Washington
Husband of Danette
Father of Laurene, Miriam, Tycko, Timothy, Sarabeth, Marie, Dawnita, 
Anna Leah, Alexander, and Caleb



Re: Vista Obfuscation

Posted by Samuel Krieg <sk...@wng.ch>.
Karsten Bräckelmann a écrit :
> 
> If you want to enforce a non-word char preceding this, the \W is fine.
> 
> However, the alternate anchor at the beginning of the string probably
> will be rather useless. From the fine docs [1], body rule definitions:
>   "All HTML tags and line breaks will be removed before matching."

Actually I think (in that case) I don't need any of these \b or \W.
The string I want to catch is pretty spam-explicit (spamplicit?).

So I remove everything before the three backslashes and everything is fine.

> I guess it pretty much depends on what you actually want to catch. You
> do have a spample to run your rule against, right? Also, do you really
> mean to match against the body (all textual parts), or do you mean to
> trigger on the Subject only (which is part of a body rule, FWIW)?

Both; subject is worth.

>   guenther
> 
> 
> [1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html
> 

Thanks for your help and advice.

Sam

Re: Vista Obfuscation

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2008-02-28 at 15:02 +0100, Samuel Krieg wrote:
> Karsten Bräckelmann a écrit :
> > On Thu, 2008-02-28 at 14:26 +0100, Samuel Krieg wrote:
> >> I'm trying to create a rule to identify "\/ista" (with backslash + slash).
> >>
> >> This does not seem to work:
> >>
> >> body  WNG_OBFUVISTA      /\b\\\/ista\b/i
> >                            ^^^^
> > The backslash is not a word character. Thus, the \b word boundary
> > requires a word immediately preceding this (rather than a non-word). In
> > other words, this would fire only if there is a char before this. It
> > will not if it occurs after a space or at the beginning of the string.

> Thanks for your explanation. I've been used to adding \b on every rule.
> 
> May I replace it with (\W|^) to get nearly the same effect?
> Like /(\W|^)\\\/ista\b/i

If you want to enforce a non-word char preceding this, the \W is fine.

However, the alternate anchor at the beginning of the string probably
will be rather useless. From the fine docs [1], body rule definitions:
  "All HTML tags and line breaks will be removed before matching."

I guess it pretty much depends on what you actually want to catch. You
do have a spample to run your rule against, right? Also, do you really
mean to match against the body (all textual parts), or do you mean to
trigger on the Subject only (which is part of a body rule, FWIW)?

  guenther


[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Vista Obfuscation

Posted by Samuel Krieg <sk...@wng.ch>.
Karsten Bräckelmann a écrit :
> On Thu, 2008-02-28 at 14:26 +0100, Samuel Krieg wrote:
>> I'm trying to create a rule to identify "\/ista" (with backslash + slash).
>>
>> This does not seem to work:
>>
>> body  WNG_OBFUVISTA      /\b\\\/ista\b/i
>                            ^^^^
> The backslash is not a word character. Thus, the \b word boundary
> requires a word immediately preceding this (rather than a non-word). In
> other words, this would fire only if there is a char before this. It
> will not if it occurs after a space or at the beginning of the string.
> 
>   guenther
> 
> 

Hi Guenther,

Thanks for your explanation. I've been used to adding \b on every rule.

May I replace it with (\W|^) to get nearly the same effect?

Like /(\W|^)\\\/ista\b/i

-- 
Samuel Krieg

Re: Vista Obfuscation

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2008-02-28 at 14:26 +0100, Samuel Krieg wrote:
> I'm trying to create a rule to identify "\/ista" (with backslash + slash).
> 
> This does not seem to work:
> 
> body  WNG_OBFUVISTA      /\b\\\/ista\b/i
                            ^^^^
The backslash is not a word character. Thus, the \b word boundary
requires a word immediately preceding this (rather than a non-word). In
other words, this would fire only if there is a char before this. It
will not if it occurs after a space or at the beginning of the string.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
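The following is an added test harness, not code from the thread or from SpamAssassin, that runs the four rule bodies discussed above (the original `\b` rule, Samuel's proposed `(\W|^)` replacement, Paul's looser `\Wista` and the final unanchored pattern) against constructed sample bodies. Python's `re` module is used as a stand-in for SpamAssassin's Perl regex engine; for `\b`, `\W`, `^` and the `/i` flag the two behave the same, and Perl's `\/` is only an escaped delimiter, so the regex itself sees a plain `/`. It goes slightly beyond the thread by also showing that the `(\W|^)` variant does not give "nearly the same effect" as `\b`: it stops firing in exactly the case (a word character directly before the backslash) where the original rule did fire.

```python
import re

# Rule bodies from the thread, transcribed as Python regex source. The comment
# on each line is the SpamAssassin rule it corresponds to.
RULES = {
    "original":          r"\b\\/ista\b",       # body WNG_OBFUVISTA /\b\\\/ista\b/i
    "nonword_or_start":  r"(\W|^)\\/ista\b",   # proposed /(\W|^)\\\/ista\b/i
    "any_nonword":       r"\Wista\b",          # Paul's /\Wista\b/i
    "unanchored":        r"\\/ista",           # final choice: no \b or \W at all
}

# SpamAssassin body rules are case-insensitive here because of the /i flag.
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

# Constructed sample bodies (not taken from real mail). SpamAssassin strips
# HTML tags and line breaks before body rules run, so each sample is already
# one flattened string, which is why "^" can only ever match at index 0.
SAMPLES = {
    "after_space":  "Buy Windows \\/ista today",   # backslash preceded by a space
    "at_start":     "\\/ista at a great price",    # backslash at very start of body
    "after_letter": "Windows\\/ista special",      # backslash preceded by a letter
    "spaced_out":   "get \\ /ista cheaply",        # Paul's "\ /ista" variant
    "plain_word":   "Hasta la vista, baby",        # legitimate text, must not fire
}


def rule_fires(rule, text):
    """Return True if the named rule would match the flattened body text."""
    return COMPILED[rule].search(text) is not None


def matrix():
    """Every rule against every sample: {rule: {sample: fired}}."""
    return {r: {s: rule_fires(r, t) for s, t in SAMPLES.items()} for r in RULES}


def is_boundary(text, index):
    """Apply the \\b definition by hand at the position just before text[index]:
    a boundary exists only when exactly one of the two neighbours is a \\w char.
    Start of string counts as a non-word neighbour."""
    def is_word(c):
        return bool(c) and re.fullmatch(r"\w", c) is not None
    before = text[index - 1] if index > 0 else ""
    return is_word(before) != is_word(text[index])


if __name__ == "__main__":
    # Print the rule-by-sample matrix so the difference between the anchors
    # is visible at a glance.
    names = list(SAMPLES)
    print(f"{'rule':18}" + "".join(f"{n:>14}" for n in names))
    for rule, row in matrix().items():
        print(f"{rule:18}" + "".join(f"{str(row[n]):>14}" for n in names))
    # Karsten's point, checked mechanically: no boundary before "\" after a
    # space, but a boundary before "\" after a letter.
    print("boundary before '\\' in after_space :", is_boundary(SAMPLES["after_space"], 12))
    print("boundary before '\\' in after_letter:", is_boundary(SAMPLES["after_letter"], 7))
```

Running it shows the original rule firing only for `after_letter`, the `(\W|^)` variant firing only for `after_space` and `at_start`, Paul's `\Wista\b` being the only one to catch the spaced-out `\ /ista` while still leaving "vista" alone, and the unanchored pattern matching every `\/ista` regardless of context. Whichever anchor is chosen, the thread's advice still stands: run the rule against a real spample before deploying it, because a body rule sees one flattened string, not the line structure of the original message.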