On Wed, 11 Aug 2004, Steven Champeon wrote:

> on Wed, Aug 11, 2004 at 09:49:39AM -0400, Chris Santerre wrote:
> > Look at these things they have in common. Need to look at rawbody code.
> >
> > alt=3d
> > =2e(org|gif|htm) #split into 3
> > name=3dgenerator
> > ==.HTM
> > bgColor=3d
> > face=3d
> > src=3d
> > border=3d
> > title=3d
> > face=3d
> > <STYLE></STYLE>
> >
> > Needs to be one big meta rule
>
> ...that will also catch pretty much every last MSHTML email ever sent.
> That's just base64-encoded HTML, Chris. The empty STYLE element may
> be unique, but I doubt it.

Beg to differ with you Steve, that is NOT base64-encoded HTML, that is BASTARD-64-encoded HTML. If you read the MIME RFCs, they state very clearly (with 'MUST' wording) that the Hex Digits MUST BE IN CAPS. EG: "bgColor=3D" is valid, "bgColor=3d" is NOT.

I've written several SA rules that look for that kind of violation of the standards, and they take out that particular spam variant quite consistently, even before SURBL hits the URIs.

--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
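
The check described in the reply, as an added example in Python (not the poster's SpamAssassin rules and not code from the thread): it walks a message's MIME parts and reports `=xx` escapes written with lowercase hex digits in the raw, undecoded body. It only inspects parts declared `quoted-printable`, since elsewhere a string like `color=ff0000` is ordinary text; the function name and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# A quoted-printable escape is "=" followed by exactly two hex digits.
QP_ESCAPE = re.compile(r"=([0-9A-Fa-f]{2})")

def lowercase_qp_escapes(raw_message):
    """Return [(content_type, escape), ...] for each lowercase-hex escape
    in the undecoded body of parts declared quoted-printable."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte != "quoted-printable":
            continue  # outside QP, "=ff" can be plain text, not an escape
        raw_body = part.get_payload(decode=False)  # keep the bytes as sent
        for m in QP_ESCAPE.finditer(raw_body):
            if m.group(1) != m.group(1).upper():
                findings.append((part.get_content_type(), m.group(0)))
    return findings

# Constructed sample messages (not taken from real mail).
HEADERS_QP = (
    "From: sender@example.invalid\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "Content-Transfer-Encoding: quoted-printable\n\n"
)
SAMPLE_LOWER = HEADERS_QP + (
    "<BODY bgColor=3d#ffffff><FONT face=3dArial>\n"
    '<IMG alt=3d"" src=3d"x=2egif" border=3D0>\n'
)
SAMPLE_UPPER = HEADERS_QP + (
    "<BODY bgColor=3D#ffffff><FONT face=3DArial>\n"
    '<IMG alt=3D"" src=3D"x=2Egif" border=3D0>\n'
)
SAMPLE_7BIT = (
    "From: sender@example.invalid\n"
    "Content-Type: text/html; charset=us-ascii\n\n"
    "<font color=ff0000>plain 7bit HTML</font>\n"
)

if __name__ == "__main__":
    for name, sample in [("lower", SAMPLE_LOWER), ("upper", SAMPLE_UPPER),
                         ("7bit", SAMPLE_7BIT)]:
        print(name, lowercase_qp_escapes(sample))
```
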