Folks:

I've started to see subject lines like this in spam:

Subject: =?utf-8?B?MTXilJwxOOKSj+WFjei0uemAgeWSqOivouS8gem5heS4k+WRmOOAkDE5?=
    =?utf-8?B?OTE5MDAwNzTjgJHlhaXlj6PjgJAzMzY0NzjjgIJjb23jgJHoiY/mi7XppLg=?=
    =?utf-8?B?5pyA6auYMzg4OOWkqeWkqei/mOWPr+aKoue6ouWMhe+8jOWwiuS6qw==?=
    =?utf-8?B?54us56uL5b+r6YCf5a2Y5Y+W5LyY5YWI6YCa6YGTLui1hOmHkQ==?=
    =?utf-8?B?5pu05a6J5YWo44CC?=

(paste it into a test message to let SA interpret it).

It has the fairly-common tactic of putting a spam website domain into the message subject, but it has a new twist: it replaces the period with a fairly-equivalent multibyte glyph.

Let's see if it successfully pastes:    【336478。com】

I'm putting a rule in my sandbox to detect this, but I was wondering whether the base URI parser should be made a little more aggressive in looking for period-equivalent glyphs (and presumably converting them to periods for URIBL lookups).

A quick test shows browsers (well, Firefox at least) are forgiving enough to do the conversion if that's pasted into the location bar, so I'd suggest SA should do the same.

Seeking thoughts before opening a feature bug...


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [email protected]    FALaholic #11174     pgpk -a [email protected]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  A good high-school education is still essential,
  and college is where you go to get one.            -- MiddleAgedKen
-----------------------------------------------------------------------
 408 days since the first commercial re-flight of an orbital booster (SpaceX)
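
The normalization proposed in the message above, as an added example (not part of the original post and not SpamAssassin code). It decodes the second encoded-word of the quoted Subject header, maps the dot separators that IDNA (RFC 3490) treats as equivalent to "." onto an ASCII period, and reports domains that only become visible after that mapping. The function names and the simple hostname regex are assumptions made for this illustration.

```python
import re
from email.header import decode_header, make_header

# Characters RFC 3490 section 3.1 requires to be recognized as label
# separators besides U+002E: ideographic, fullwidth and halfwidth
# ideographic full stop.
_DOT_TABLE = str.maketrans({"\u3002": ".", "\uff0e": ".", "\uff61": "."})

# Deliberately simple ASCII hostname pattern (assumption for this example;
# a real URI parser is stricter about labels and TLDs).
_DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

# Second encoded-word of the Subject header quoted in the message.
PAGE_SUBJECT_WORD = (
    "=?utf-8?B?OTE5MDAwNzTjgJHlhaXlj6PjgJAzMzY0NzjjgIJjb23jgJHoiY/mi7XppLg=?="
)


def decode_subject(raw):
    """Decode RFC 2047 encoded-words into a Unicode string."""
    return str(make_header(decode_header(raw)))


def normalize_dots(text):
    """Replace period-equivalent glyphs with an ASCII period."""
    return text.translate(_DOT_TABLE)


def find_domains(text):
    """Return hostname-like tokens found in text, in order."""
    return _DOMAIN_RE.findall(text)


def obfuscated_domains(raw_subject):
    """Domains that appear only after dot normalization (lower-cased).

    These are the candidates for a URIBL lookup that a plain scan of the
    decoded subject would have missed.
    """
    text = decode_subject(raw_subject)
    visible = set(find_domains(text))
    hidden = find_domains(normalize_dots(text))
    return [d.lower() for d in hidden if d not in visible]


if __name__ == "__main__":
    print(obfuscated_domains(PAGE_SUBJECT_WORD))
```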
