[SURBL-Discuss] missed URI redirector

Doc Schneider maddoc at maddoc.net
Fri Apr 22 02:16:59 CEST 2005

Jeff Chan wrote:
> On Thursday, April 21, 2005, 8:24:30 AM, Matthew Wilson wrote:
>>just got this in a spam
>><A href="h
> cag%2Ecom/">>
>>SRC="cid:qlysaynv_milhjoua_qtobefxh" border="0" ALT=""></A>
> I believe SpamCop and SpamAssassin are working on code or have
> code to catch obfuscated redirector usage like this example.

I have a SARE rule that Loren wrote that handles the multiple linefeeds 
for the http: part.

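# Bare CR (a \r not followed by \n) inside an href value, checked against
# the decoded body parts (rawbody) and the whole raw message (full).
rawbody  __LW_URI_CR1 /href=\"[^"]*\r[^\n]/is
full  __LW_URI_CR2 /href=\"[^"]*\r[^\n]/is
meta  LW_URI_CR  __LW_URI_CR1 || __LW_URI_CR2
score  LW_URI_CR  2
describe LW_URI_CR  unescaped cr in uri

# Two bare CRs separated by word characters inside one href value.
full  LW_URI_CR2  /href=\"[^"]*\r[^\n]\w+\r[^\n]/is
score  LW_URI_CR2  2
describe LW_URI_CR2  unescaped crs in uri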

I did bump these rules to a score of 4 each instead of 2.
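
Added example, not part of the original post or the SARE ruleset: a Python port of the three patterns above, run over constructed message bodies to show that an ordinary CRLF line wrap inside an href does not fire while a bare CR does. Assumptions: the helper name `evaluate` is hypothetical, one byte string stands in for both the rawbody and full views, and the sample bodies use the placeholder domain example.com.

```python
import re

# Python ports of the patterns quoted in the post; Perl's /is becomes IGNORECASE | DOTALL.
FLAGS = re.IGNORECASE | re.DOTALL
ONE_BARE_CR = re.compile(r'href="[^"]*\r[^\n]', FLAGS)            # __LW_URI_CR1 / __LW_URI_CR2
TWO_BARE_CR = re.compile(r'href="[^"]*\r[^\n]\w+\r[^\n]', FLAGS)  # LW_URI_CR2

SCORE = 4.0  # each rule's score after the bump from 2 mentioned in the post


def evaluate(raw: bytes) -> dict:
    """Return {rule name: score} for the rules that fire (hypothetical helper).

    Assumption: one byte string stands in for both the rawbody and full views.
    """
    text = raw.decode("latin-1")  # latin-1 keeps every byte, including CR, intact
    hits = {}
    if ONE_BARE_CR.search(text):
        hits["LW_URI_CR"] = SCORE
    if TWO_BARE_CR.search(text):
        hits["LW_URI_CR2"] = SCORE
    return hits


# Constructed sample bodies (example.com is a placeholder domain).
SAMPLES = {
    "clean": b'<a href="http://www.example.com/">x</a>\r\n',
    "crlf_wrapped": b'<a href="http://www.exam\r\nple.com/">x</a>\r\n',
    "one_bare_cr": b'<A HREF="http://www.exam\rple.com/">x</A>\r\n',
    "two_bare_cr": b'<a href="h\rtt\rp://www.example.com/">x</a>\r\n',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:13} {evaluate(body)}")
```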


