On Sat, 12 May 2018, John Hardin wrote:
On Sat, 12 May 2018, RW wrote:
On Sat, 12 May 2018 13:11:06 -0700 (PDT)
John Hardin wrote:
On Sat, 12 May 2018, RW wrote:
On Sat, 12 May 2018 10:24:32 -0700 (PDT)
John Hardin wrote:
It has the fairly-common tactic of putting a spam website domain
into the message subject, but it has a new twist: it replaces the
period with a fairly-equivalent multibyte glyph.
I looked it up and it's an "Ideographic Full Stop", the Chinese
equivalent of a full stop. Unfortunately it's not something that
can be punished for just being there.
I'm not proposing that. I'm proposing the URI parser should recognize
"Ideographic Full Stop" (and potentially other equivalent glyphs if
there are any) as equivalent to an ASCII period.
I know, but you did say you were putting a rule in your sandbox.
Just to see how prevalent that practice actually is. It's a subrule for now.
Seems to be fairly useful:
ruleqa.spamassassin.org/20180520-r1831929-n/__UNICODE_OBFU_URI_DOM/detail
Seems to be 100% correlation with an empty body, so scored rule:
http://ruleqa.spamassassin.org/20180520-r1831929-n/UNICODE_OBFU_DOM_NO_BODY/detail
I'd say that may be a reasonable code change.
heh. Just today I got one with the unicode ideogram for "dot, speck, ...":
{554628点com}
Rule updated. Not sure if we want to include that one in the parser,
though.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] FALaholic #11174 pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Journalism is about covering important stories.
With a pillow, until they stop moving. -- David Burge
-----------------------------------------------------------------------
416 days since the first commercial re-flight of an orbital booster (SpaceX)
