On Sunday, April 17, 2005, 10:37:38 PM, Justin Mason wrote:
Jeff Chan writes:
Right. And obfuscation of the redirected-to "http" seems to be enough to confuse SA 3 into not extracting the second URI. Maybe we should make a Bugzilla ticket about that?
if you find one that SpamAssassin 3.1.0 doesn't decode correctly, sure ;) I thought we had those nailed.
TBH, I don't know about 3.1, but here's one that 3.0 does not parse correctly. Perhaps someone can test it in 3.1:
<DIV align=left><FONT face=Verdana size=3><A href="http://r.lycos.com/r/kg_xnsdaz_dqcuewqk/http://wxmnuiuskn.net&xkvo3rhsp6mbz6nky9.coh uneh cnhk.com/">Cl9ick her6e, - no prescr1iption requir7ed!
Note the URI split over three lines and has a probably non-RFC compliant & in the host name to block parsing. Here's how 3.0 handles it:
debug: uri found: http://wxmnuiuskn.net&xkvo3rhsp6mbz6nky9.cohunehcnhk.com-MUNGED/ debug: uri found: http://r.lycos.com/r/kg_xnsdaz_dqcuewqk/http://wxmnuiuskn.net&xkvo3rhsp6... debug: URIDNSBL: domains to query: lycos.com wxmnuiuskn.net
Where in fact the unqualified destination domain appears to be cohunehcnhk.com-MUNGED
Jeff C. -- "If it appears in hams, then don't list it."