Re: [Dshield] Incredible spam obfuscation (from MIMEDefang maillist)
On Thu, 2004-02-19 at 10:26, Jon R. Kibler wrote:

> http://lists.roaringpenguin.com/pipermail/mimedefang/2004-February/020188.html
> http://lists.roaringpenguin.com/pipermail/mimedefang/2004-February/020203.html

Any rules to catch this trick?

--
John Hardin KA7OHZ
Internal Systems Administrator/Guru voice: (425) 672-1304
Apropos Retail Management Systems, Inc. fax: (425) 672-0192
-----------------------------------------------------------------------
Failure to plan ahead on someone else's part does not constitute an
emergency on my part.
- David W. Barts in a.s.r
-----------------------------------------------------------------------
11 days until ICQ Corp goes away - have you installed Jabber yet?
RE: [Dshield] Incredible spam obfuscation (from MIMEDefang maillist)
Isn't the answer really to catch the unclickable link...

Namely,

/<A HREF.*><\/A>/

As suggested in the link he gave?

Granted, I haven't tried this as a regex and it probably has holes, but it
doesn't seem normal to have a link that doesn't give the option to click
it.

:)

Steven

-----Original Message-----
From: Chris Santerre [mailto:csanterre@MerchantsOverseas.com]
Sent: Friday, February 20, 2004 7:26 AM
To: 'John Hardin'; SpamAssassin list
Subject: RE: [Dshield] Incredible spam obfuscation (from MIMEDefang
maillist)




> -----Original Message-----
> From: John Hardin [mailto:johnh@aproposretail.com]
> Sent: Thursday, February 19, 2004 3:58 PM
> To: SpamAssassin list
> Subject: Re: [Dshield] Incredible spam obfuscation (from MIMEDefang
> maillist)
>
>
> On Thu, 2004-02-19 at 10:26, Jon R. Kibler wrote:
>
> > http://lists.roaringpenguin.com/pipermail/mimedefang/2004-February/020188.html
> > http://lists.roaringpenguin.com/pipermail/mimedefang/2004-February/020203.html
>
> Any rules to catch this trick?
>
> --
> John Hardin KA7OHZ

I saw this as a direct attempt to foil Bigevil and similar URL marking
rules. Like Bayes poison (fodder) they are trying to mess up automated
scripts from harvesting the correct URLs to blacklist. But I do these by
hand, so I only pull out the legit URLs from these spam.

So the short answer is I've not seen a rule for this. But I do have the
legit URLs in my Bigevil for the ones I do get.

Chris Santerre
System Admin and SA Custom Rules Emporium keeper
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin
RE: [Dshield] Incredible spam obfuscation (from MIMEDefang maillist)
On Fri, 2004-02-20 at 06:26, Chris Santerre wrote:
> > > http://lists.roaringpenguin.com/pipermail/mimedefang/2004-February/020188.html
> > > http://lists.roaringpenguin.com/pipermail/mimedefang/2004-February/020203.html
> >
> > Any rules to catch this trick?

> I saw this as a direct attempt to foil Bigevil and similar URL marking
> rules. Like Bayes poison (fodder) they are trying to mess up automated
> scripts from harvesting the correct URLs to blacklist. But I do these by
> hand, so I only pull out the legit URLs from these spam.
>
> So the short answer is I've not seen a rule for this. But I do have the legit
> URLs in my Bigevil for the ones I do get.

Here's what I'm trying out...

describe OBFUSCATED_BY_LINK Has words obfuscated by hidden HTML links
rawbody OBFUSCATED_BY_LINK /\w<A\s+HREF\s*=[^>]+><\/A>\w/i
score OBFUSCATED_BY_LINK 0.5

describe OBFUSCATED_BY_LINK_2 Has words obfuscated by hidden HTML links
rawbody OBFUSCATED_BY_LINK_2 /^\s*HREF\s*=[^>]+><\/A>\w/i
score OBFUSCATED_BY_LINK_2 0.2

--
John Hardin KA7OHZ
Internal Systems Administrator/Guru voice: (425) 672-1304
Apropos Retail Management Systems, Inc. fax: (425) 672-0192
-----------------------------------------------------------------------
Failure to plan ahead on someone else's part does not constitute an
emergency on my part.
- David W. Barts in a.s.r
-----------------------------------------------------------------------
10 days until ICQ Corp goes away - have you installed Jabber yet?
RE: [Dshield] Incredible spam obfuscation (from MIMEDefang maillist)
Steven Manross said:
> Isn't the answer really to catch the unclickable link...
>
> Namely,
>
> /<A HREF.*><\/A>/

FYI it would match thingies like this:
<A HREF="bananas.html">Click here to see my new house pictures <img
src="houseicon.gif"></A>


--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/
Re: [Dshield] Incredible spam obfuscation (from MIMEDefang maillist)
sckot said:
>> Steven Manross said:
>> > Isn't the answer really to catch the unclickable link...
>> >
>> > Namely,
>> >
>> > /<A HREF.*><\/A>/
>> FYI it would match thingies like this:
>> <A HREF="bananas.html">Click here to see my new house pictures <img
>> src="houseicon.gif"></A>


> However, /<A HREF[^>]*><\/A>/i (or something more specific regarding
> what other characters were allowed) wouldn't.
>
> sckot Vokes

(replying back to list)
Yep, I think that would do the trick.


--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/
RE: [Dshield] Incredible spam obfuscation (from MIMEDefang maillist)
At 10:29 AM 2/20/2004, Steven Manross wrote:
>Is there a way to do a negated regex in an SA rule?

I don't know about negated regexps, but you ought to be able to tell it not
to match certain characters:

/<A HREF[^<]*><\/A>/

ought to be equivalent to the previous expression, except for the string
after HREF. "[^<]" will match anything except a <, meaning that it won't
trigger on actual tags being nested inside a link.

I was originally going to suggest "[^<>]" but realized it would miss
something like this:
<A HREF="unclickable">></A>

It can still be defeated trivially by this, though:
<A HREF="unclickable"><b></b></A>

What's really needed is something that will check for *any* set of empty
tags (valid or otherwise), like this:

/<A HREF[^<]*>(\s*<[^<]+>)*\s*<\/A>/

This should catch any supposed "link" which doesn't contain anything
clickable, even if tags are nested wrong. Only one problem: We're back to
the <a><img/></a> case! (Although in this case, it only applies if the
image is the only content.)

Any suggestions on refining this further?


Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: [Dshield] Incredible spam obfuscation (from MIMEDefang maillist)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


John Hardin writes:
>On Fri, 2004-02-20 at 06:26, Chris Santerre wrote:
>> > > http://lists.roaringpenguin.com/pipermail/mimedefang/2004-February/020188.html
>> > > http://lists.roaringpenguin.com/pipermail/mimedefang/2004-February/020203.html
>> >
>> > Any rules to catch this trick?
>
>> I saw this as a direct attempt to foil Bigevil and similar URL marking
>> rules. Like Bayes poison (fodder) they are trying to mess up automated
>> scripts from harvesting the correct URLs to blacklist. But I do these by
>> hand, so I only pull out the legit URLs from these spam.
>>
>> So the short answer is I've not seen a rule for this. But I do have the legit
>> URLs in my Bigevil for the ones I do get.

BTW, could someone try something --

see if a mail with e.g. "via<a href=someURL>gra" matches the body
pattern correctly. I'm guessing it will, but it's worth a test.
If it doesn't, open a bug at bugzilla...

- --j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFANmUCQTcbUG5Y7woRAh2vAJ9eeP9HXXlJu+RjJ0TNKXNX4xYTRQCeIzDH
nVcj/uT+HvQuDpGVBLmY6RE=
=59E4
-----END PGP SIGNATURE-----
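The patterns traded in this thread (Steven's greedy match, sckot's `[^>]` variant, Kelson Vibber's two refinements and John Hardin's word-bounded rawbody rule) run against a few constructed sample bodies, together with jm's suggestion to check that a word split by a link still reaches a plain body pattern. This is an added example, not code from any of the posters; the sample bodies and URLs are invented, and the tag stripping in `rendered_body` is a simplified stand-in for SpamAssassin's HTML rendering rather than its actual code.

```python
import re

# Constructed sample bodies (not taken from the thread); the words and URLs
# are invented placeholders so the script runs offline.
SAMPLES = {
    # The obfuscation under discussion: a word split by an empty link.
    "split_word": 'Buy via<A HREF="http://example.invalid/p"></A>gra today',
    # Chris Thielen's false-positive shape: a real link wrapping text and an image.
    "legit_text_and_img": (
        '<A HREF="bananas.html">Click here to see my new house pictures '
        '<img src="houseicon.gif"></A>'
    ),
    # Kelson Vibber's two cases that defeat the simpler patterns.
    "stray_gt": '<A HREF="unclickable">></A>',
    "empty_bold": '<A HREF="unclickable"><b></b></A>',
    # Image-only link: legitimate, but the nested-tag rule cannot tell it
    # from an empty one (the caveat in Kelson's last paragraph).
    "image_only": '<A HREF="gallery.html"><img src="thumb.gif"></A>',
}

# The rawbody patterns proposed in the thread. Perl and Python agree on this
# regex syntax, so they are used verbatim; all are applied case-insensitively,
# as the /i flag on the SpamAssassin rules would.
RULES = {
    "steven_greedy": r"<A HREF.*><\/A>",
    "sckot_no_gt": r"<A HREF[^>]*><\/A>",
    "kelson_no_lt": r"<A HREF[^<]*><\/A>",
    "kelson_nested_empty": r"<A HREF[^<]*>(\s*<[^<]+>)*\s*<\/A>",
    "hardin_word_bounded": r"\w<A\s+HREF\s*=[^>]+><\/A>\w",
}


def matching_rules(body: str) -> set:
    """Return the names of the RULES whose regex fires on this raw body."""
    return {name for name, pat in RULES.items() if re.search(pat, body, re.I)}


def evaluate() -> dict:
    """Run every rule over every sample: sample name -> set of firing rules."""
    return {name: matching_rules(body) for name, body in SAMPLES.items()}


# Stand-in for the tag removal a 'body' rule sees (assumption: this does not
# reproduce SpamAssassin's real HTML renderer, only the effect relevant here).
TAG_RE = re.compile(r"<[^>]*>")


def rendered_body(html: str) -> str:
    """Strip tags so a word split by an empty link is joined back together."""
    return TAG_RE.sub("", html)


def body_word_hit(html: str, word: str) -> bool:
    """jm's check: does a plain-word body pattern still see the split word?"""
    return re.search(re.escape(word), rendered_body(html), re.I) is not None


if __name__ == "__main__":
    for sample, fired in evaluate().items():
        print(f"{sample:20s} rawbody hits: {sorted(fired) or '-'}")
    print("body text of split_word:", repr(rendered_body(SAMPLES["split_word"])))
    print("body rule for 'viagra' fires:", body_word_hit(SAMPLES["split_word"], "viagra"))
```

Running it shows the trade-off the thread arrives at: the greedy pattern also fires on the legitimate text-plus-image link, the `[^<]`-based pattern survives the stray `>` case but not the empty `<b></b>`, and the nested-empty-tags pattern catches both while still firing on an image-only link. The last function is the point of jm's test: once tags are stripped, `via<A ...></A>gra` reads as `viagra`, so a body rule sees the word while only a rawbody rule sees the tag.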