From maddoc@maddoc.net Fri Apr 22 02:17:08 2005
From: Doc Schneider <maddoc@maddoc.net>
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] missed URI redirector
Date: Thu, 21 Apr 2005 19:16:59 -0500
Message-ID: <4268427B.9010702@maddoc.net>
In-Reply-To: <492198789.20050421164339@surbl.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5606024846825233124=="

--===============5606024846825233124==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Jeff Chan wrote:
> On Thursday, April 21, 2005, 8:24:30 AM, Matthew Wilson wrote:
> 
>>just got this in a spam
> 
>  
> 
>><A href="h
>>t
>>tp:/
>>/r.lycos.com/r/vn_swditarrx_csmqempf/http://cympgebdnrMUNGED.org&aeglnl0
>>oepml18w32zd6%2Ezin
>>ciccg
> 
> cag%2Ecom/">>
> 
>><FONT></FONT><STRONG></STRONG><STRONG></STRONG><IMG
>>SRC="cid:qlysaynv_milhjoua_qtobefxh" border="0" ALT=""></A>
> 
> 
> I believe SpamCop and SpamAssassin are working on code or have
> code to catch obfuscated redirector usage like this example.
> 

I have a SARE rule that Loren wrote that handles the multiple linefeeds 
for the http: part.

rawbody  __LW_URI_CR1 /href=\"[^"]*\r[^\n]/is
full  __LW_URI_CR2 /href=\"[^"]*\r[^\n]/is
meta  LW_URI_CR  __LW_URI_CR1 || __LW_URI_CR2
score  LW_URI_CR  2
describe LW_URI_CR  unescaped cr in uri

full  LW_URI_CR2  /href=\"[^"]*\r[^\n]\w+\r[^\n]/is
score  LW_URI_CR2  2
describe LW_URI_CR2  unescapred crs in uri

I did bump these rules to a score of 4 each instead of 2.

-Doc

--===============5606024846825233124==--