From joewein@pobox.com Wed Feb 23 12:51:13 2005
From: Joe Wein
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] Spammer Anti-SURBL tactic
Date: Wed, 23 Feb 2005 20:51:08 +0900
Message-ID: <005101c5199d$f7927e60$c801a8c0@sumiyoshidai.org>

"David B Funk" wrote:

> I'm seeing a new spam variant that is clearly designed to get
> past SURBL. It is an HTML message that contains many (50~100)
> 'invisible' links; links that have no target text, just:
>

In my spamfilter I check for this pattern and penalise any mail for including with no anchor text (you have to be careful with the parsing though, so as not to penalise which is legit). Also quite common is to have a single non-alphabetic character as the anchor text, e.g ' . etc.

> To add insult to injury, they're tossing in random "\r"
> (ASCII-CR) characters into the "payload" hostname
> to try to break SpamAssassin's URI parsing.

I strip out any CR/LF characters between the opening and closing double quote of a URL.

The next update of jwSpamSpy for Windows will query SURBL, which means it's coming full circle, since it is the tool that actually extracts and provides much of the JP domain data feed of SURBL :-)

Joe Wein

--
joewein.de LLC
Yokohama, Japan
POP3 Spamfilter for Windows 2000/XP
http://www.joewein.de/sw/jwSpamSpy
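
The two checks described in the message above (links with empty or single-symbol anchor text, and CR/LF stripped from inside a quoted URL), as an added Python example that is not part of the original post and is not jwSpamSpy's code. The class and function names, the reading of the legitimate case as an anchor without `href`, the treatment of image-only links as visible, and the sample HTML are assumptions.

```python
from html.parser import HTMLParser

class LinkAudit(HTMLParser):
    """Record (href, anchor text, has_img) for every <a href=...> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self._href is not None:
            self._img = True            # image link: visible without any text
        if tag != "a":
            return
        self._finish_link()             # tolerate a missing </a>
        href = dict(attrs).get("href")
        if href:                        # assumption: <a name=...> without href is legitimate
            # Drop CR/LF injected inside the quoted URL before any blocklist lookup.
            self._href = href.replace("\r", "").replace("\n", "")
            self._text, self._img = [], False

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            self._finish_link()

    def _finish_link(self):
        if self._href is not None:
            self.links.append((self._href, "".join(self._text).strip(), self._img))
            self._href = None

def suspicious_links(html):
    """Return [(url, reason)] for links whose anchor text is empty or one symbol."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    parser._finish_link()               # a link left open at end of input
    found = []
    for url, text, has_img in parser.links:
        if has_img:
            continue
        if text == "":
            found.append((url, "empty"))
        elif len(text) == 1 and not text.isalpha():
            found.append((url, "single-nonalpha"))
    return found

# Constructed sample, not taken from a real message.
SAMPLE = ('<a name="top"></a><a href="http://hidden-one.example/"></a>'
          '<a href="http://pay\rload.exa\r\nmple/">.</a>'
          '<a href="http://shop.example/"><img src="b.gif"></a>'
          '<a href="http://news.example/">Read more</a>')
```

A filter would score the message on the length of the returned list and pass the cleaned URLs on to its blocklist lookup.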