Security Basics mailing list archives

RE: Something new in my inbox (SA rule works now)


From: Rob Hughes <rob () robhughes com>
Date: Wed, 06 Oct 2004 05:37:16 -0500

On Wed, 2004-09-29 at 15:31 -0400, Chris Santerre wrote:

I've noticed an increasing amount of spam that's using what looks like a
broken attempt to mime-encode a url. An example would be
http://www=2euwantedx=2einfo/rm/news_out=2ehtm. Does anyone recognize
this encoding type? I need to create some spamassassin rules to pick it
up. The only place I've seen the "=2e" stuff is in broken outlook
emails, so any help or pointers to sites with info on this encoding will
be appreciated.


Check www.rulesemporium.com


Thanks. I've started checking that site and found some useful stuff.
Unfortunately, the main Wiki site at http://www.exit0.us seems to be
down, and has been for several days now. But I did figure out where I
was going wrong. I was trying to use a rule type of either body or uri.
What I've discovered, but never found mentioned in the docs, is that SA
normalizes, or decodes, the message before processing these rule types.
When I started using a rawbody type rule, the pattern I'd originally
tried actually worked.

So here's the rule I came up with:
# "=2e" is the quoted-printable escape for "." (0x2E); match it literally
# right before a common TLD, so a dot left encoded in a URL fires the rule
rawbody MIME_ENCODED_URL        /=2e(?:com|net|biz|info|cc|tv)\b/i
describe MIME_ENCODED_URL       URL obfuscation attempt via MIME encoding
score MIME_ENCODED_URL 1

I have the score set low while I test to make sure that mime encoded
urls are not more common than they seem so far.

Thanks again to everyone who responded.

Rob

-- 
If at first you don't succeed, skydiving is not for you.
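To make the rawbody-versus-body point concrete, here is an added Python example (not code from the post or from SpamAssassin) that applies the corrected form of the rule's pattern to a constructed raw body and then to the same body after quoted-printable decoding, which is what SA does before body/uri rules run. The sample message text is constructed for the example.

```python
import quopri
import re

# Constructed sample of an undecoded (raw) body, modelled on the URL quoted
# in the thread: "=2e" is the quoted-printable escape for "." (0x2E).
SAMPLE_RAW_BODY = "Read more at http://www=2euwantedx=2einfo/rm/news_out=2ehtm today."

# Corrected form of the post's rawbody pattern: an encoded dot immediately
# followed by a common TLD. Without the stray square brackets the pattern is
# a sequence, not a character class that would match almost any text.
MIME_ENCODED_URL = re.compile(r"=2e(?:com|net|biz|info|cc|tv)\b", re.IGNORECASE)

URL_RE = re.compile(r"https?://\S+")


def decode_qp(raw: str) -> str:
    """Undo quoted-printable encoding, as SA does before body/uri rules."""
    return quopri.decodestring(raw.encode("ascii")).decode("ascii")


def rawbody_hits(raw: str) -> list[str]:
    """What a rawbody rule sees: the encoded sequences are still present."""
    return MIME_ENCODED_URL.findall(raw)


def body_hits(raw: str) -> list[str]:
    """What a body rule sees: after decoding, "=2e" has become "." and the
    same pattern finds nothing, which is why the body/uri rule never fired."""
    return MIME_ENCODED_URL.findall(decode_qp(raw))


def decoded_urls(raw: str) -> list[str]:
    """The URLs as a recipient would actually see them, useful for logging
    which destinations the obfuscated messages point at."""
    return URL_RE.findall(decode_qp(raw))


if __name__ == "__main__":
    print("rawbody hits:", rawbody_hits(SAMPLE_RAW_BODY))
    print("body hits:   ", body_hits(SAMPLE_RAW_BODY))
    print("decoded URLs:", decoded_urls(SAMPLE_RAW_BODY))
```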

