spamassassin-users mailing list archives

From "Kevin A. McGrail" <kmcgr...@apache.org>
Subject Re: 9D character used in words to avoid detection.
Date Tue, 20 Nov 2018 19:36:10 GMT
Pedro, I just checked a spample I have and it hits on the rule.  Note, I do
not use normalize charset but just expanded the rule to allow for that
thanks to RW's post.

Regards,
KAM
--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Sun, Nov 18, 2018 at 1:40 PM Pedro David Marco <pedrod_marco@yahoo.com>
wrote:

> Kevin,
>
> I think KAM_ZWNJ only triggers with "rawbody".  Actual KAM.cf uses
> "body"...
>
> Does the SA body pre-processor remove nulls??
>
> -------
> PedroD
>
> On Saturday, November 17, 2018, 1:41:28 AM GMT+1, Kevin A. McGrail <
> kmcgrail@apache.org> wrote:
>
>
> Yeah, there is a SCC SHORT WORDS rule and a KAM_ZWNJ in KAM.cf.  Please
> let me know if those help.
> --
> Kevin A. McGrail
> VP Fundraising, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>
> On Fri, Nov 16, 2018 at 7:37 PM John Hardin <jhardin@impsec.org> wrote:
>
> On Fri, 16 Nov 2018, Mark London wrote:
>
> > I just received a spam email with the 9D character placed inside of words,
> > that prevented my custom BODY rules from being hit.  I.e.:
> >
> > Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr a=9Dlready
> > change=9Dd it.
> >
> > Is there a way to define BODY rules, so that they will be triggered?
> > Thanks.
>
> No, that would be way too much work; take a look at __UNICODE_OBFU_ZW in
> my sandbox. It isn't performing well in masschecks so I expect this tactic
> isn't widespread (yet?)
>
> I suppose I should expose it as scored in case it becomes popular...
>
>
> --
>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>   jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>    From the Liberty perspective, it doesn't matter if it's a
>    jackboot or a Birkenstock smashing your face.         -- Robb Allen
> -----------------------------------------------------------------------
>   596 days since the first commercial re-flight of an orbital booster
> (SpaceX)
>
>
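
The obfuscation discussed in this thread, as an added example that is not part of any message above and is not the KAM_ZWNJ or __UNICODE_OBFU_ZW rule: it decodes the quoted sample, counts invisible characters placed inside words, and shows a plain word pattern missing the decoded text but matching once those characters are stripped. The ISO-8859-1 charset and all function names are assumptions made for illustration.

```python
import quopri
import re
import unicodedata

# Constructed sample: the obfuscated line quoted in the thread, treated as a
# quoted-printable body. The ISO-8859-1 charset is an assumption.
SAMPLE_QP = (b"Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, "
             b"o=9Dr a=9Dlready change=9Dd it.")

WHITESPACE_CONTROLS = {"\t", "\n", "\r"}  # Cc characters that are legitimate


def is_invisible(ch):
    """Control (Cc) or format (Cf) character that renders as nothing.

    Cc includes the C1 range holding U+009D; Cf includes zero-width
    characters such as U+200C (ZWNJ) and U+200D (ZWJ).
    """
    return (ch not in WHITESPACE_CONTROLS
            and unicodedata.category(ch) in ("Cc", "Cf"))


def analyze(qp_body, charset="iso-8859-1"):
    """Return (normalized_text, in_word_hits) for a quoted-printable body.

    in_word_hits counts invisible characters directly after a letter, the
    in-word pattern from the thread, not stray control bytes elsewhere.
    """
    text = quopri.decodestring(qp_body).decode(charset, errors="replace")
    kept, hits = [], 0
    for i, ch in enumerate(text):
        if is_invisible(ch):
            if i > 0 and text[i - 1].isalpha():
                hits += 1
            continue
        kept.append(ch)
    return "".join(kept), hits


def rule_matches(pattern, qp_body, charset="iso-8859-1"):
    """Return (matches_decoded, matches_normalized) for one word pattern."""
    decoded = quopri.decodestring(qp_body).decode(charset, errors="replace")
    normalized, _ = analyze(qp_body, charset)
    rx = re.compile(pattern, re.IGNORECASE)
    return bool(rx.search(decoded)), bool(rx.search(normalized))


if __name__ == "__main__":
    print(analyze(SAMPLE_QP))
    print(rule_matches(r"\bobviously\b", SAMPLE_QP))
```

The in-word count can serve as a scoring signal on its own, while the normalized text lets existing word patterns be re-tested without rewriting each one.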
