From jeffc@surbl.org Mon Apr 18 08:01:38 2005
From: Jeff Chan <jeffc@surbl.org>
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] Redirectors and SURBLs
Date: Sun, 17 Apr 2005 23:02:19 -0700
Message-ID: <39811045.20050417230219@surbl.org>
In-Reply-To: <20050418053738.3F94F5900C0@radish.jmason.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4266241480322435422=="

--===============4266241480322435422==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On Sunday, April 17, 2005, 10:37:38 PM, Justin Mason wrote:
> Jeff Chan writes:

>> Right.  And obfuscation of the redirected-to "http" seems to be
>> enough to confuse SA 3 into not extracting the second URI.  Maybe
>> we should make a Bugzilla ticket about that?

> if you find one that SpamAssassin 3.1.0 doesn't decode correctly,
> sure ;)   I thought we had those nailed.

TBH, I don't know about 3.1, but here's one that 3.0 does not
parse correctly.  Perhaps someone can test it in 3.1:


<DIV align=3Dleft><FONT face=3DVerdana size=3D3><A href=3D"http://r.lycos.com=
/r/kg_xnsdaz_dqcuewqk/http://wxmnuiuskn.net&xkvo3rhsp6mbz6nky9.coh
uneh
cnhk.com/">Cl9ick her6e, - no prescr1iption requir7ed!


Note the URI split over three lines and has a probably non-RFC
compliant & in the host name to block parsing.  Here's how 3.0
handles it:

> debug: uri found: http://wxmnuiuskn.net&xkvo3rhsp6mbz6nky9.cohunehcnhk.com-=
MUNGED/
> debug: uri found: http://r.lycos.com/r/kg_xnsdaz_dqcuewqk/http://wxmnuiuskn=
.net&xkvo3rhsp6mbz6nky9.cohunehcnhk.com-MUNGED/
> debug: URIDNSBL: domains to query: lycos.com wxmnuiuskn.net

Where in fact the unqualified destination domain appears to be
cohunehcnhk.com-MUNGED

Jeff C.
--
"If it appears in hams, then don't list it."


--===============4266241480322435422==--