Oops  :)  my bad...  I actually forgot I had that in there...  that was
the start to another attempt, and midway through I got a second thought,
tried it, and forgot I did that.  Haste to get my sub and powerball
ticket!

I shall get back on it  ;)  thx

Jen

> -----Original Message-----
> From: Brian Sneddon [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 31, 2003 12:14 PM
> To: 'Jennifer Wheeler'; 'Chris Santerre'
> Cc: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] Rule to block Paris Hilton spam
> 
> Wont that \n at the end of the regex match virtually ALL mail?
> 
> Brian
> 
> -----Original Message-----
> From: Jennifer Wheeler [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 31, 2003 12:06 PM
> To: 'Chris Santerre'; [EMAIL PROTECTED]
> Subject: RE: [SAtalk] Rule to block Paris Hilton spam
> 
> Eureka!  :)  believe this works, yes??  At least I think this is what
> you are going for?  Sorry for the wrap.
> 
> rawbody hilton_b64 /(aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(khl|jxr)|aGV5DQoNCkNvbWUgY2hlY2sgb3V0|\n)/
> describe hilton_b64 Base 64 encoded paris hilton spam
> score hilton_b64 .03
> 
> good goin peeps!  :)
> Jennifer
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:spamassassin-[EMAIL PROTECTED] On Behalf Of Chris Santerre
> > Sent: Wednesday, December 31, 2003 11:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [SAtalk] Rule to block Paris Hilton spam
> >
> > OK, per a suggestion I tried this rule as full. Nope still didn't see the
> > raw code. What am I missing? Is it possible to look for raw base64 code in
> > SA?
> >
> > > -----Original Message-----
> > > From: Chris Santerre [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, December 30, 2003 9:35 AM
> > > To: 'Stephane Lentz'
> > > Cc: [EMAIL PROTECTED]
> > > Subject: RE: [SAtalk] Rule to block Paris Hilton spam
> > >
> > >
> > > Ok, this didn't work overnight. However I did receive spam
> > > with the exact
> > > first base64 pattern in it. So I think it is just a problem
> > > with rawbody????
> > > So what rule type do we use to catch this raw pattern??
> > >
> > > rawbody hilton_b64 raw:/base64code/
> > >
> > > ????would that work?????
> > >
> > > --Chris
> > >
> > >
> > > > -----Original Message-----
> > > > From: Chris Santerre [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, December 29, 2003 5:27 PM
> > > > To: 'Stephane Lentz'; Chris Thielen
> > > > Cc: [EMAIL PROTECTED]
> > > > Subject: RE: [SAtalk] Rule to block Paris Hilton spam
> > > >
> > > >
> > > > I offer this in UNTESTED form. Testing overnight ;)
> > > >
> > > > Your email viewer will wrap these lines. Should be 3 lines:
> > > >
> > > > rawbody hilton_b64 /(?:aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(?:khl|jxr)|aGV5DQoNCkNvbWUgY2hlY2sgb3V0)/
> > > > describe hilton_b64 Base 64 encoded paris hilton spam
> > > > score hilton_b64 .01
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Stephane Lentz [mailto:[EMAIL PROTECTED]
> > > > > Sent: Monday, December 29, 2003 5:14 PM
> > > > > To: Chris Thielen
> > > > > Cc: [EMAIL PROTECTED]
> > > > > Subject: Re: [SAtalk] Rule to block Paris Hilton spam
> > > > >
> > > > >
> > > > > Hi again,
> > > > >
> > > > > On Mon, Dec 29, 2003 at 01:41:17PM -0600, Chris Thielen wrote:
> > > > > > Stephane Lentz said:
> > > > > > > => Thanks for the info. Two samples of such spam are now
> > > > > > > available at http://milter.free.fr/spam/ (hilton-sample1.txt &
> > > > > > > hilton-sample2.txt files)
> > > > > >
> > > > > > Stephane,
> > > > > >
> > > > > > I glanced at the spamassassin source just now.  I may be wrong,
> > > > > > but it appears that the URI tests only match on attributes of
> > > > > > "background", "href", "src", "action". The URL in the spam was
> > > > > > html text and not a link of sorts.  You may consider changing
> > > > > > your rule to a BODY rule instead of a URI rule.
> > > > >
> > > > > => The URI rule works in some cases (no splitting of base64
> > > > > representation of the URL).
> > > > > I think I understand the problem better now after some further
> > > > > tests.
> > > > > Test messages :
> > > > > - Content-Transfer-Encoding: base64
> > > > > - just include  http://special-selections.com URL (base64
> > > > > encoded) as body
> > > > >
> > > > > The problem is really related to base64 decoding & URI matching.
> > > > >
> > > > > The rule uri LOCAL_HILTON  /special-selections\.com/ :
> > > > >
> > > > > - gets triggered if the base64 string (in the body) is in one line :
> > > > > aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K
> > > > > - does not match if the base64 string is split across several
> > > > > lines
> > > > > aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5
> > > > > jb20K
> > > > >
> > > > > or
> > > > >
> > > > > aHR0cDovL3NwZWNpYWwtc2VsZWN
> > > > > 0aW9ucy5jb20K
> > > > >
> > > > > Is it a new spammer trick (base64 body with URL base64
> > > > > representation split across several lines) ?
> > > > > I guess the work-around is a rawbody rule (right ?)
> > > > > I got no success with a body rule.
> > > > >
> > > > > > >
> > > > > > > => Thanks for the link. I will check it out. I was willing to
> > > > > > > avoid the matching "Paris Hilton" if possible as I live in Paris
> > > > > > > and some of my colleagues may book some rooms in Hilton hotels
> > > > > > > (one never knows) ....
> > > > > >
> > > > > > I'm not quite sure how to interpret your statement about being
> > > > > > "willing to avoid the matching ..." so I will explicitly state what
> > > > > > the link does.  I understand you do not wish to match the
> > > > > > unobfuscated paris hilton.  The rules generated by the link above
> > > > > > will match *ONLY* obfuscated "paris hilton".  It will not match
> > > > > > "Paris Hilton" or any case permutations such as "PARIS hilton".  It
> > > > > > *will* match obfuscated versions such as "PAR1S H1LTON" (and a
> > > > > > couple other permutations).
> > > > > >
> > > > > > Another possible way to attack this is to look for obfuscated paris
> > > > > > or obfuscated hilton only (removing the quotes will generate 4 rules
> > > > > > instead of 2).  See:
> > > > > > http://sandgnat.com/cmos/cmos.jsp?words=paris+hilton .
> > > > >
> > > > > --
> > > > > => Thanks for the clarifications.
> > > > >
> > > > > regards,
> > > > >
> > > > > SL/
> > > >
> > > >
> > > > -------------------------------------------------------
> > > > This SF.net email is sponsored by: IBM Linux Tutorials.
> > > > Become an expert in LINUX or just sharpen your skills.  Sign
> > > > up for IBM's
> > > > Free Linux Tutorials.  Learn everything from the bash shell
> > > > to sys admin.
> > > > Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> > > > _______________________________________________
> > > > Spamassassin-talk mailing list
> > > > [EMAIL PROTECTED]
> > > > https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
> > > >
> >
> >
> 
> 
> 



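The thing Stephane and Chris are circling in this thread, worked through as an added example (my own Python, not code from anyone on the list): base64 turns every 3 bytes into 4 characters, so the encoded spelling of a URL depends on which byte of a 3-byte group it happens to start at, and a rule that looks for one spelling on one raw line misses the very same URL once the encoded text is wrapped. The sample bodies are constructed from the encodings quoted above; `rawbody_hits` is a simplified per-line model of a raw-body regex and is an assumption, not SpamAssassin's actual matching; `decoded_hits` joins the lines and decodes before matching, which is what a rule on the decoded body gets to see. `base64_variants` produces the three alignment-dependent spellings a raw-body regex would need to alternate over (the same idea behind the three alternatives in Chris's rule), and the last function reproduces Brian's point about the trailing `|\n`.

```python
import base64
import re

# The URL from Stephane's test messages and his plaintext uri rule.
URL = "http://special-selections.com"
URI_RULE = re.compile(r"special-selections\.com")

# The raw-body approach: a regex for one particular base64 spelling of the URL.
ONE_SPELLING = re.compile(r"aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K")

# Constructed sample bodies, modelled on the three cases quoted in the thread:
# the encoded URL on one line, and the same encoding broken across two lines.
BODIES = {
    "one_line": "aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K\n",
    "split_a": "aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5\njb20K\n",
    "split_b": "aHR0cDovL3NwZWNpYWwtc2VsZWN\n0aW9ucy5jb20K\n",
}


def rawbody_hits(body):
    """Assumed model of a raw-body rule: the regex is tried on each raw line."""
    return any(ONE_SPELLING.search(line) for line in body.splitlines())


def decoded_hits(body):
    """Join the base64 lines, decode the whole part, then match the plaintext URL."""
    joined = "".join(body.split())
    try:
        text = base64.b64decode(joined, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error: not valid base64 at all
        return False
    return URI_RULE.search(text) is not None


def base64_variants(text):
    """Return the three spellings of `text` that depend on its byte alignment.

    For a start offset of 0, 1 or 2 bytes inside a 3-byte group, keep only the
    characters whose six bits all fall inside the text; that substring is what
    a regex must look for no matter what surrounds the text in the message.
    """
    data = text.encode()
    variants = []
    for offset in range(3):
        padded = b"\x00" * offset + data + b"\x00" * 3  # neighbours are arbitrary
        enc = base64.b64encode(padded).decode()
        first_bit, last_bit = 8 * offset, 8 * (offset + len(data))
        lo = -(-first_bit // 6)  # first char entirely inside the text
        hi = last_bit // 6       # one past the last such char
        variants.append(enc[lo:hi])
    return variants


def variant_is_alignment_stable(text, offset, neighbour=b"QQ"):
    """Self-check: the variant for `offset` appears whatever bytes surround the text."""
    enc = base64.b64encode(neighbour[:offset] + text.encode() + b"ZZZ").decode()
    return base64_variants(text)[offset] in enc


def catch_all_alternation(body):
    """Brian's objection: an alternation ending in `|\\n` matches any body with a newline."""
    return re.search(r"(aGV5IENvbWUgY2hlY2sgb3V0|\n)", body) is not None


if __name__ == "__main__":
    for name, body in BODIES.items():
        print(name, "rawbody:", rawbody_hits(body), "decoded:", decoded_hits(body))
    for variant in base64_variants(URL):
        print("alignment variant:", variant)
    print("catch-all matches a harmless body:", catch_all_alternation("Hello\nWorld\n"))
```

Running it shows the one-line body matching both ways while the two split bodies only match after decoding, three different 38-character spellings of the URL, and the `|\n` rule firing on a plain two-line greeting. The practical takeaway is the same one the thread reaches: match on the decoded body where you can, and where you must match raw text, alternate over all three alignments and never let a bare newline into the alternation.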