[spambayes-dev] Another trick?
Skip Montanaro
skip at pobox.com
Mon Oct 27 12:21:23 EST 2003
(originally sent 11 Oct, but it bounced, then sat...)
Got a message (attached including debug evidence) today which scored 0.15
for me. It consisted of a multipart MIME message (text/plain followed by
text/html). The text/plain stuff was innocuous. The text/html part had a
small amount of text and a doubly-encoded URL. It started out like:
http://uh%65rn%61ndez%38@butin%66a%63t.co%6D/%63/i%72%6F%6E.%68t%6Dl?roundup=3D5-KgE
After replacing the numeric entities I got:
http://uh%65rn%61ndez%38@butin%66a%63t.co%6D/%63/i%72%6F%6E.%68t%6Dl?roundup=3D5-KgE
After replacing the HTML encoded characters, I was left with:
http://uhernandez8@butinfact.com/c/iron.html?roundup=3D5-KgE
As you might imagine, this did a fairly good job of obscuring clues in the
URL. It might make sense to do a reasonable amount of decoding of HTML
before splitting into tokens.
Skip
-------------- next part --------------
An embedded message was scrubbed...
From: Williams <courtney_1100 at lycos.com>
Subject: Lo-ng (and Stro'ng al)l _Night vhqh_cc
Date: Thu, 09 Oct 2003 11:09:57 -0400
Size: 3615
Url: http://mail.python.org/pipermail/spambayes-dev/attachments/20031027/020f3bdb/attachment.mht
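
An added illustration of the decoding suggested in the message above; it is not part of the original post and is not SpamBayes code. It unwraps HTML character references and then percent-escapes before tokenizing. `SAMPLE` is constructed from the URL quoted in the message, and `decode_layers`, `url_tokens` and the `url:` token prefix are hypothetical names.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample: the URL quoted in the message, with every '%' and the '@'
# written as numeric character references, so the percent-escapes are hidden too.
SAMPLE = ("http://uh&#37;65rn&#37;61ndez&#37;38&#64;butin&#37;66a&#37;63t.co&#37;6D/"
          "&#37;63/i&#37;72&#37;6F&#37;6E.&#37;68t&#37;6Dl?roundup=3D5-KgE")


def decode_layers(raw, max_passes=3):
    """Return [raw, stage1, ...]: each stage strips one encoding layer.

    max_passes is an assumed bound so a crafted, deeply nested URL cannot
    make the tokenizer loop for long.
    """
    stages = [raw]
    for _ in range(max_passes):
        before = stages[-1]
        for decoder in (html.unescape, unquote):  # entities first, then %XX
            out = decoder(stages[-1])
            if out != stages[-1]:
                stages.append(out)
        if stages[-1] == before:  # nothing left to unwrap
            break
    return stages


def url_tokens(url):
    """Split a URL on non-alphanumerics into lowercase clue tokens."""
    return {"url:" + p.lower() for p in re.split(r"[^A-Za-z0-9]+", url) if p}


if __name__ == "__main__":
    stages = decode_layers(SAMPLE)
    for number, stage in enumerate(stages):
        print(number, stage)
    # Tokens a classifier only sees once the URL has been decoded.
    print(sorted(url_tokens(stages[-1]) - url_tokens(SAMPLE)))
```

Tokenizing the raw string yields fragments such as `url:butin` and `url:66a`, while the decoded form yields `url:butinfact` and `url:com`.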