Re: IE Parse bug also in SpamAssassin ?

2008-05-09 Thread Benny Pedersen

On Fri, May 9, 2008 15:27, Justin Mason wrote:

> so does SpamAssassin parse the URI correctly, or not?

as i can see it does, but it just currently does not pick up the uri in redir.html

can webredirect plugin do this ?


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: IE Parse bug also in SpamAssassin ?

2008-05-09 Thread Benny Pedersen

On Fri, May 9, 2008 15:42, Joseph Brennan wrote:

> You know about it being an IE parse bug, and that seems to be news to
> the rest of us. How'd you hear about it?

enabled spam_admin in amavisd-new and read my logs :-)

one SARE hit on IE bug


Benny Pedersen



Re: IE Parse bug also in SpamAssassin ?

2008-05-09 Thread Joseph Brennan


Benny Pedersen <[EMAIL PROTECTED]> wrote:

> i just started this thread to be sure IE parse bug is not in sa as well
> since i could see domains not detected in spam, but i got it now


You know about it being an IE parse bug, and that seems to be news to
the rest of us.  How'd you hear about it?

Joseph Brennan
Columbia University Information Technology



Re: IE Parse bug also in SpamAssassin ?

2008-05-09 Thread Justin Mason

Kevin W. Gagel writes:
> - Original Message -
> >Do you have a reference for discussion of this "IE Parsing bug" that led 
> >you to mention this oddball URI annotation format in the first place? 
> >There might be references in that to the definition of the format.
> 
> John,
> 
> I'm not sure if this is the bug Benny refers to but here is a link for info
> on what I think he is referring to:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1185

so does SpamAssassin parse the URI correctly, or not?

--j.


Re: IE Parse bug also in SpamAssassin ?

2008-05-08 Thread Kevin W. Gagel
- Original Message -
>Do you have a reference for discussion of this "IE Parsing bug" that led 
>you to mention this oddball URI annotation format in the first place? 
>There might be references in that to the definition of the format.

John,

I'm not sure if this is the bug Benny refers to but here is a link for info
on what I think he is referring to:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1185


--
Kevin W. Gagel 
Postmaster for
College of New Caledonia
(250) 562-2131 loc. 5448
[EMAIL PROTECTED]
http://www.cnc.bc.ca
Anti-Spam info at:
http://gateway.cnc.bc.ca




Re: IE Parse bug also in SpamAssassin ?

2008-05-08 Thread John Hardin

On Thu, 8 May 2008, Benny Pedersen wrote:

> i just started this thread to be sure IE parse bug is not in sa as well
> since i could see domains not detected in spam, but i got it now


Do you have a reference for discussion of this "IE Parsing bug" that led 
you to mention this oddball URI annotation format in the first place? 
There might be references in that to the definition of the format.


Thanks.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #9: Accuracy is relative: most combat
  shooting standards will be more dependent on "pucker factor" than
  the inherent accuracy of the gun.
---
 Today: the 63rd anniversary of VE day


Re: IE Parse bug also in SpamAssassin ?

2008-05-08 Thread Benny Pedersen

On Thu, May 8, 2008 18:07, John Hardin wrote:

> Bayes isn't going to parse a URI as a URI anyway, is it?

i believed it did use that info also

> It just tokenizes the message.

hopefully with url that conform to rfc also, but i see the point where url is
obfu not to bother now when i think more about it

> Bayes will pick up the domain name string if it's delimited
> by {} as readily as it will if it's delimited by //.

yes got it now, i was just a bit blind on the hidden url in redir.html

> To clarify: why bother trying to deobfuscate the URI and figure out what
> domain it's really pointing at, so that domain can be checked against
> URIBL lists,

the hidden url could also be a whitelisted domain

> if the form of the obfuscation is obvious and not seen in
> legitimate emails?

obfu is generically a spam sign

> Why not just give that obfuscation four or five points
> and be done with it?

yep i will

> If that formatting *was* seen in legitimate emails, then I would say that
> it's important the URI parsers be aware of it.

yes, my fault not thinking that long here :/

> Can you provide any pointers to documentation of that formatting? I didn't
> find any in a quick gargle.

if i know what to search for i could :/

i just started this thread to be sure IE parse bug is not in sa as well since i
could see domains not detected in spam, but i got it now



Benny Pedersen



Re: IE Parse bug also in SpamAssassin ?

2008-05-08 Thread John Hardin

On Thu, 8 May 2008, Benny Pedersen wrote:

> On Thu, May 8, 2008 17:29, John Hardin wrote:
>
>> Why worry about where the URI is trying to point if it's so obviously
>> obfuscated?
>
> to get more data to bayes


Bayes isn't going to parse a URI as a URI anyway, is it? It just tokenizes 
the message. Bayes will pick up the domain name string if it's delimited 
by {} as readily as it will if it's delimited by //.


To clarify: why bother trying to deobfuscate the URI and figure out what 
domain it's really pointing at, so that domain can be checked against 
URIBL lists, if the form of the obfuscation is obvious and not seen in 
legitimate emails? Why not just give that obfuscation four or five points 
and be done with it?


If that formatting *was* seen in legitimate emails, then I would say that 
it's important the URI parsers be aware of it.


Can you provide any pointers to documentation of that formatting? I didn't 
find any in a quick gargle.




Re: IE Parse bug also in SpamAssassin ?

2008-05-08 Thread Benny Pedersen

On Thu, May 8, 2008 17:29, John Hardin wrote:

> Why worry about where the URI is trying to point if it's so obviously
> obfuscated?

to get more data to bayes


Benny Pedersen



Re: IE Parse bug also in SpamAssassin ?

2008-05-08 Thread John Hardin

On Thu, 8 May 2008, Benny Pedersen wrote:

> On Thu, May 8, 2008 05:00, Joseph Brennan wrote:
>
>> Should we just call "http://{" bad, and not bother checking the uri?
>
> i believe there are parts in sa that parse the same way as ie and that
> could be used by spammers to hide their domains in multilevel obfu


Why worry about where the URI is trying to point if it's so obviously 
obfuscated?




Re: IE Parse bug also in SpamAssassin ?

2008-05-07 Thread Benny Pedersen

On Thu, May 8, 2008 05:00, Joseph Brennan wrote:
>> http://{MACCCLINK=3Dtestmaclink,3,http://=
>> 67.228.184.50/links1.txt,www.easyaddedvivacecreation.com}/?asdfdwrt2qxfpm=
>> 7DuzjjB82iEozsAEajsqbE">Have a look at our site
> Do you have a reference for more on this?  Is this just obfuscation or
> does it do something bad besides?

unsure what here, but when i have sent the mail here it was detected when i
get it back, but not in the initial email i get it from, so i might be

> Should we just call "http://{" bad, and not bother checking the uri?

i believe there are parts in sa that parse the same way as ie and that could be
used by spammers to hide their domains in multilevel obfu

one example is redir.html with nearly always redirect to medical selling host

how can one make the redirector_pattern in local.cf to make it test redirect
in redir.html ?

if sare team and sa code team see their corpus i am sure they can see something
from it, i have tried to make a redirector_pattern but no success :/



Benny Pedersen



Re: IE Parse bug also in SpamAssassin ?

2008-05-07 Thread Joseph Brennan



> http://{MACCCLINK=3Dtestmaclink,3,http://=
> 67.228.184.50/links1.txt,www.easyaddedvivacecreation.com}/?asdfdwrt2qxfpm=
> 7DuzjjB82iEozsAEajsqbE">Have a look at our site



Do you have a reference for more on this?  Is this just obfuscation or
does it do something bad besides?

Should we just call "http://{" bad, and not bother checking the uri?

Joseph Brennan
Columbia University Information Technology
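
Added example, not part of the original thread and not SpamAssassin code: a Python sketch of the two options discussed above, scoring the `http://{` form on sight and also listing the hostnames inside the braces for a blocklist lookup. The `<a href=3D"` wrapper, the control message, the function names and the 4.0 score are assumptions made for the illustration.

```python
import quopri
import re

# Constructed input: the quoted-printable fragment quoted in the thread; the
# '<a href=3D"' opening and closing '</a>' are assumed, the post shows neither.
SPAM_QP = (
    b'<a href=3D"http://{MACCCLINK=3Dtestmaclink,3,http://=\n'
    b'67.228.184.50/links1.txt,www.easyaddedvivacecreation.com}/?asdfdwrt2qxfpm=\n'
    b'7DuzjjB82iEozsAEajsqbE">Have a look at our site</a>\n'
)
# Constructed control: an ordinary link that must not be flagged.
HAM_QP = b'Docs: <a href=3D"http://www.example.com/a?b=3D{c}">here</a>\n'

# "{" directly after the scheme, up to the closing brace and the rest of the URI.
BRACE_URI = re.compile(r'https?://\{([^}]*)\}[^\s"\'<>]*', re.I)
HOST = re.compile(r'^[a-z0-9-]+(?:\.[a-z0-9-]+)+$', re.I)
OBFU_POINTS = 4.0  # hypothetical score, after "four or five points" in the thread


def decode_body(raw: bytes) -> str:
    """Undo quoted-printable so =3D and soft line breaks cannot split the match."""
    return quopri.decodestring(raw).decode("latin-1")


def embedded_hosts(brace_contents: str) -> list[str]:
    """Return the comma-separated fields inside {...} that look like hosts."""
    hosts = []
    for field in brace_contents.split(","):
        candidate = re.sub(r'^https?://', '', field.strip(), flags=re.I).split("/")[0]
        if HOST.match(candidate) and candidate not in hosts:
            hosts.append(candidate)
    return hosts


def check_message(raw: bytes) -> dict:
    """Score the obfuscated form and list hosts worth a blocklist lookup."""
    hosts = []
    hits = 0
    for match in BRACE_URI.finditer(decode_body(raw)):
        hits += 1
        hosts += [h for h in embedded_hosts(match.group(1)) if h not in hosts]
    return {"score": OBFU_POINTS if hits else 0.0, "hits": hits, "hosts": hosts}


if __name__ == "__main__":
    print(check_message(SPAM_QP))
    print(check_message(HAM_QP))
```

Matching on the raw quoted-printable text would miss this sample, because the soft line break falls inside the braces; decoding first is what makes the single pattern sufficient.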