From matthew@boomer.com Thu Apr 21 17:24:54 2005 From: Matthew Wilson To: discuss@lists.surbl.org Subject: [SURBL-Discuss] missed URI redirector Date: Thu, 21 Apr 2005 10:24:30 -0500 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7532100208274850180==" --===============7532100208274850180== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit just got this in a spam

--===============7532100208274850180==-- From bret.miller@wcg.org Thu Apr 21 17:42:38 2005 From: Bret Miller To: discuss@lists.surbl.org Subject: [SURBL-Discuss] RE: missed URI redirector Date: Thu, 21 Apr 2005 08:42:39 -0700 Message-ID: <2fca43fc9d365a479a389643a1dbd138@mail.wcg.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2484431036173707183==" --===============2484431036173707183== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit > just got this in a spam > > > SRC="cid:qlysaynv_milhjoua_qtobefxh" border="0" ALT=""> Actually, I've been getting tons of spam with this lycos redirector over the last week. Sure wish they'd close it down or we'd find a way to parse redirector URIs for the real URI. Bret --===============2484431036173707183==-- From jeffc@surbl.org Fri Apr 22 01:42:43 2005 From: Jeff Chan To: discuss@lists.surbl.org Subject: Re: [SURBL-Discuss] missed URI redirector Date: Thu, 21 Apr 2005 16:43:39 -0700 Message-ID: <492198789.20050421164339@surbl.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3887098879140305104==" --===============3887098879140305104== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit On Thursday, April 21, 2005, 8:24:30 AM, Matthew Wilson wrote: > just got this in a spam > > > SRC="cid:qlysaynv_milhjoua_qtobefxh" border="0" ALT=""> I believe SpamCop and SpamAssassin are working on code or have code to catch obfuscated redirector usage like this example. Jeff C. -- "If it appears in hams, then don't list it." --===============3887098879140305104==-- From maddoc@maddoc.net Fri Apr 22 02:17:08 2005 From: Doc Schneider To: discuss@lists.surbl.org Subject: Re: [SURBL-Discuss] missed URI redirector Date: Thu, 21 Apr 2005 19:16:59 -0500 Message-ID: <4268427B.9010702@maddoc.net> In-Reply-To: <492198789.20050421164339@surbl.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4697392497247661673==" --===============4697392497247661673== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Jeff Chan wrote: > On Thursday, April 21, 2005, 8:24:30 AM, Matthew Wilson wrote: > >>just got this in a spam > > > >>> > >>>SRC="cid:qlysaynv_milhjoua_qtobefxh" border="0" ALT=""> > > > I believe SpamCop and SpamAssassin are working on code or have > code to catch obfuscated redirector usage like this example. > I have a SARE rule that Loren wrote that handles the multiple linefeeds for the http: part. rawbody __LW_URI_CR1 /href=\"[^"]*\r[^\n]/is full __LW_URI_CR2 /href=\"[^"]*\r[^\n]/is meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2 score LW_URI_CR 2 describe LW_URI_CR unescaped cr in uri full LW_URI_CR2 /href=\"[^"]*\r[^\n]\w+\r[^\n]/is score LW_URI_CR2 2 describe LW_URI_CR2 unescapred crs in uri I did bump these rules to a score of 4 each instead of 2. -Doc --===============4697392497247661673==--