[SURBL-Discuss] missed URI redirector

Doc Schneider maddoc at maddoc.net
Fri Apr 22 02:16:59 CEST 2005


Jeff Chan wrote:
> On Thursday, April 21, 2005, 8:24:30 AM, Matthew Wilson wrote:
> 
>>just got this in a spam
> 
>  
> 
>><A href="h
>>t
>>tp:/
>>/r.lycos.com/r/vn_swditarrx_csmqempf/http://cympgebdnrMUNGED.org&aeglnl0
>>oepml18w32zd6%2Ezin
>>ciccg
> 
> cag%2Ecom/">>
> 
>><FONT></FONT><STRONG></STRONG><STRONG></STRONG><IMG
>>SRC="cid:qlysaynv_milhjoua_qtobefxh" border="0" ALT=""></A>
> 
> 
> I believe SpamCop and SpamAssassin are working on code or have
> code to catch obfuscated redirector usage like this example.
> 

I have a SARE rule that Loren wrote that handles the multiple linefeeds 
for the http: part.

rawbody  __LW_URI_CR1 /href=\"[^"]*\r[^\n]/is
full  __LW_URI_CR2 /href=\"[^"]*\r[^\n]/is
meta  LW_URI_CR  __LW_URI_CR1 || __LW_URI_CR2
score  LW_URI_CR  2
describe LW_URI_CR  unescaped cr in uri

full  LW_URI_CR2  /href=\"[^"]*\r[^\n]\w+\r[^\n]/is
score  LW_URI_CR2  2
describe LW_URI_CR2  unescaped crs in uri

I did bump these rules to a score of 4 each instead of 2.

-Doc
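
The rules quoted above, exercised against constructed sample bodies. This is an added example, not part of the original post or of the SARE rule set. The Python harness, the `check` function and the sample HTML are assumptions; SpamAssassin applies `rawbody` and `full` to different views of the message, which is collapsed here to a single byte string.

```python
import re

# Same pattern as __LW_URI_CR1 / __LW_URI_CR2 in the post: inside an href
# value, a carriage return that is NOT followed by a line feed (a bare CR).
LW_URI_CR = re.compile(r'href="[^"]*\r[^\n]', re.I | re.S)
# Same pattern as LW_URI_CR2: two bare CRs with word characters between them.
LW_URI_CR2 = re.compile(r'href="[^"]*\r[^\n]\w+\r[^\n]', re.I | re.S)

# Constructed samples (hypothetical hosts under reserved example names).
SAMPLES = {
    "two bare CRs": b'<a href="ht\rtp\r://redirector.example/r/x">link</a>',
    "one bare CR": b'<a href="http:/\r/redirector.example/r/x">link</a>',
    "CRLF wrapped": b'<a href="http://www.example.com/a\r\n/b">link</a>',
    "LF wrapped": b'<a href="http://www.example.com/a\n/b">link</a>',
}


def check(body: bytes, score: int = 2):
    """Return (names of rules that hit, total score) for one message body.

    score defaults to 2, the per-rule score given in the posted rules.
    """
    # latin-1 maps every byte to one code point, so CR and LF stay untouched.
    text = body.decode("latin-1")
    hits = []
    if LW_URI_CR.search(text):
        hits.append("LW_URI_CR")
    if LW_URI_CR2.search(text):
        hits.append("LW_URI_CR2")
    return hits, score * len(hits)


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14} -> {check(body)}")
```

Ordinary CRLF or LF line wrapping inside an href does not trigger either rule, because both patterns require a CR whose next character is something other than LF.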

