On Tue, 25 Dec 2018, Kevin A. McGrail wrote:
John,
I am worried your replace tags are too generic. Is this replace tags file
new for the rules?
New for *what* rules?
The existing replace patterns already look for a lot of encoded accented
characters. There were just a bunch of missing UTF-8 code points that I
didn't add the last time I added sequences to this file. Check the SVN
revision history.
If it is new, we shoukd change the tags longer like <SA-A> so we don't
collide and add something to the UPGRADE file.
It's not new, per se, it's closing holes in the existing patterns.
Hohoho,
KAM
On Mon, Dec 24, 2018, 16:29 <[email protected] wrote:
Author: jhardin
Date: Mon Dec 24 21:29:41 2018
New Revision: 1849703
URL: http://svn.apache.org/viewvc?rev=1849703&view=rev
Log:
more Unicode obfuscation possibilities - many basic UTF-8 sequences were
missed
Modified:
spamassassin/trunk/rules/25_replace.cf
Modified: spamassassin/trunk/rules/25_replace.cf
URL:
http://svn.apache.org/viewvc/spamassassin/trunk/rules/25_replace.cf?rev=1849703&r1=1849702&r2=1849703&view=diff
==============================================================================
--- spamassassin/trunk/rules/25_replace.cf (original)
+++ spamassassin/trunk/rules/25_replace.cf Mon Dec 24 21:29:41 2018
@@ -27,32 +27,32 @@
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
-replace_tag A
(?:[gra\@\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xe4\xe3\xe2\xe0\xe1\xe2\xe3\xe4\xe5\xe6o0]|[\xce][\x86\x91\x94\x9b\xac\xb1]|[\xd0][\x90\xb0]|[\xd1][\xa6\xa7]|[\xd3][\x90\x91\x92\x93]|[\xe1][\x8e][\xaa])
-replace_tag B
(?:[b8]|[\xce][\x92\xb2]|[\xcf][\x90\xb8]|[\xd0][\x91\x92\xac\xb1\xb2]|[\xd1][\x8a\x8c\xa2\xa3]|[\xd2][\x8c\x8d])
-replace_tag C (?:[ck\xc7\xe7@
]|[\xc3][\x87]|[\xc4][\x86\x87\x88\x89\x8a\x8b\x8c\x8d]|[\xcf][\x82\x9a\x9b\xb2\xb9\xbe]|[\xd0][\xa1]|[\xd1][\x81]|[\xd2][\x80\x81\xaa\xab]|[\xd5][\x87]|&\#(?:1(?:0(?:10|17|2[123]|57|89)|1(?:52|53|94|95)|99)|2(?:31|6[2-9])|39[12]|x(?:3(?:f2|f9|fe)|4(?:21|41|80|81|aa|ab)));)
-replace_tag D (?:[d\xd0]|[\xd4][\x80\x81]|[\xd5][\xaa])
-replace_tag E
(?:[e3]|[\xc4][\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b]|[\xc8][\x84\x85\x86\x87\xa8\xa9]|[\xce][\x88\x95\xa3\xad\xb5\xbe]|[\xcf][\xb5]|[\xd0][\x80\x81\x84\x95\xb5]|[\xd1][\x90\x91\x94\xb3]|[\xd2][\xbc\xbd\xbe\xbf]|[\xd3][\x96\x97\xa9\xab]|[\xd4][\x90\x91]|[\xc8\xc9\xca\xcb\xe8\xe9\xea\xeb\xa4]|&\#(?:1(?:0(?:13|2[458]|45|77)|108|2(?:1[2-5]|3[89]|9[67]))|2(?:0[0-3]|3[2-5]|7[4-9]|8[0-3])|400|51[6-9]|5[58][23]|603|9(?:04|17|[34]1|4[19]));)
+replace_tag A
(?:[gra\@\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xe4\xe3\xe2\xe0\xe1\xe2\xe3\xe4\xe5\xe6o0]|[\xc3][\x80\x81\x82\x83\x84\x85\xa0\xa1\xa2\xa3\xa4\xa5]|[\xc4][\x80\x81\x82\x83\x84\x85]|[\xce][\x86\x91\x94\x9b\xac\xb1]|[\xd0][\x90\xb0]|[\xd1][\xa6\xa7]|[\xd3][\x90\x91\x92\x93]|[\xe1][\x8e][\xaa])
+replace_tag B
(?:[b8]|[\xce][\x92\xb2]|[\xcf][\x90\xb8]|[\xc3][\x9f]|[\xc6][\x80\x81\x82\x83\x84\x85]|[\xd0][\x91\x92\xac\xb1\xb2]|[\xd1][\x8a\x8c\xa2\xa3]|[\xd2][\x8c\x8d])
+replace_tag C (?:[ck\xc7\xe7@
]|[\xc3][\x87\xa7]|[\xc4][\x86\x87\x88\x89\x8a\x8b\x8c\x8d]|[\xc6][\x87\x88]|[\xcf][\x82\x9a\x9b\xb2\xb9\xbe]|[\xd0][\xa1]|[\xd1][\x81]|[\xd2][\x80\x81\xaa\xab]|[\xd5][\x87]|&\#(?:1(?:0(?:10|17|2[123]|57|89)|1(?:52|53|94|95)|99)|2(?:31|6[2-9])|39[12]|x(?:3(?:f2|f9|fe)|4(?:21|41|80|81|aa|ab)));)
+replace_tag D
(?:[d\xd0]|[\xc3][\x90]|[\xc4][\x8e\x8f\x90\x91]|[\xc6][\x89\x8a]|[\xd4][\x80\x81]|[\xd5][\xaa])
+replace_tag E
(?:[e3]|[\xc3][\x88\x89\x8a\x8b\xa8\xa9\xaa\xab]|[\xc4][\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b]|[\xc8][\x84\x85\x86\x87\xa8\xa9]|[\xce][\x88\x95\xa3\xad\xb5\xbe]|[\xcf][\xb5]|[\xd0][\x80\x81\x84\x95\xb5]|[\xd1][\x90\x91\x94\xb3]|[\xd2][\xbc\xbd\xbe\xbf]|[\xd3][\x96\x97\xa9\xab]|[\xd4][\x90\x91]|[\xc8\xc9\xca\xcb\xe8\xe9\xea\xeb\xa4]|&\#(?:1(?:0(?:13|2[458]|45|77)|108|2(?:1[2-5]|3[89]|9[67]))|2(?:0[0-3]|3[2-5]|7[4-9]|8[0-3])|400|51[6-9]|5[58][23]|603|9(?:04|17|[34]1|4[19]));)
replace_tag F
(?:f|[\xcf][\x9c\x9d]|[\xd2][\x92\x93]|[\xd3][\xba\xbb]|[\xd4][\xb2]|[\xd5][\xa2])
-replace_tag G
(?:[gk]|[\xd2][\xa8\xa9]|[\xd4][\x8c\x8d]|[\xd6][\x81])
-replace_tag H
(?:h|[\xce][\x89\x97]|[\xcf][\xa6]|[\xd0][\x8a\x8b\x9d\xbd]|[\xd1][\x92\x9b]|[\xd2][\x94\x95\xa2\xa3\xa4\xa5\xba\xbb]|[\xd3][\x87\x88\x89\x8a]|[\xd4][\xbb]|[\xd5][\xab\xb0]|&\#(?:2(?:22[3-6]|9[2-5])|54[23]|1(?:0(?:53|85)|18[6-9]|8(?:0(?:8[89]|9[0-5])|1(?:38[89]|340)))|919);)
-replace_tag I
(?:[il|!1y?\xcc\xcd\xce\xcf\xec\xed\xee\xef]|[\xc4][\xa8]|[\xc7][\x8f\x90]|[\xce][\x8a\x90\x99\xaa\xaf\xb9]|[\xcf][\x8a]|[\xd0][\x86\x87]|[\xd1][\x96\x97]|[\xd3][\x80\x8f]|[\xd5][\xac]|&\#(?:1(?:03[01]|11[01]|216|231)|2(?:0[4-7]|16|3[6-9]|9[6-9])|3(?:0[0-5])|4(?:0[67]|6[34])|52[0-3]);)
-replace_tag J
(?:j|[\xcf][\xb3]|[\xd0][\x88]|[\xd1][\x98]|[\xd5][\xb5])
-replace_tag K
(?:k|[\xc7][\xa8\xa9]|[\xce][\x9a\xba]|[\xd0][\x8c\x9a\xba]|[\xd1][\x9c]|[\xd2][\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1]|[\xd3][\x83\x84]|[\xd4][\x9e\x9f]|&\#(?:31[0-2]|4[08][89]|9(?:22|54|75)|1(?:0(?:36|50|82)|1(?:16|7[89]|8[0-5])|219|220|31[01]));)
+replace_tag G
(?:[gk]|[\xc4][\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3]|[\xd2][\xa8\xa9]|[\xd4][\x8c\x8d]|[\xd6][\x81])
+replace_tag H
(?:h|[\xc4][\xa4\xa5\xa6\xa7]|[\xce][\x89\x97]|[\xcf][\xa6]|[\xd0][\x8a\x8b\x9d\xbd]|[\xd1][\x92\x9b]|[\xd2][\x94\x95\xa2\xa3\xa4\xa5\xba\xbb]|[\xd3][\x87\x88\x89\x8a]|[\xd4][\xbb]|[\xd5][\xab\xb0]|&\#(?:2(?:22[3-6]|9[2-5])|54[23]|1(?:0(?:53|85)|18[6-9]|8(?:0(?:8[89]|9[0-5])|1(?:38[89]|340)))|919);)
+replace_tag I
(?:[il|!1y?\xcc\xcd\xce\xcf\xec\xed\xee\xef]|[\xc3][\x8c\x8d\x8e\x8f\xac\xad\xae\xaf]|[\xc4][\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1]|[\xc7][\x8f\x90]|[\xce][\x8a\x90\x99\xaa\xaf\xb9]|[\xcf][\x8a]|[\xd0][\x86\x87]|[\xd1][\x96\x97]|[\xd3][\x80\x8f]|[\xd5][\xac]|&\#(?:1(?:03[01]|11[01]|216|231)|2(?:0[4-7]|16|3[6-9]|9[6-9])|3(?:0[0-5])|4(?:0[67]|6[34])|52[0-3]);)
+replace_tag J
(?:j|[\xc4][\xb4\xb5]|[\xcf][\xb3]|[\xd0][\x88]|[\xd1][\x98]|[\xd5][\xb5])
+replace_tag K
(?:k|[\xc4][\xb6\xb7\xb8]|[\xc7][\xa8\xa9]|[\xce][\x9a\xba]|[\xd0][\x8c\x9a\xba]|[\xd1][\x9c]|[\xd2][\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1]|[\xd3][\x83\x84]|[\xd4][\x9e\x9f]|&\#(?:31[0-2]|4[08][89]|9(?:22|54|75)|1(?:0(?:36|50|82)|1(?:16|7[89]|8[0-5])|219|220|31[01]));)
replace_tag L
(?:[il|!1\xa3]|[\xc4][\xb9\xba\xbb\xbc\xbd\xbe\xbf]|[\xc5][\x80\x81\x82]|[\xc8][\xbd]|[\xd3][\x80\x8f]|[\xd4][\xbc]|[\xd5][\xac]|[\xd6][\x82]|&\#(?:1340|3(?:1[3-9]|2[0-2])|573|671|x53c|76);)
replace_tag M
(?:m|rn|[\xd0][\x9c\xbc]|[\xd2][\xa7]|[\xd3][\x8d\x8e])
-replace_tag N
(?:[n\xd1\xf1]|[\xd0][\x98\x99\x9f\xb8\xb9\xbb\xbf]|[\xd1][\x9d]|[\xd2][\x8a\x8b]|[\xd3][\x86\xa2\xa3\xa4\xa5]|[\xd4][\xa5]|[\xd5][\x88\x8c\xa4\xa8\xb2\xb8\xbc]|[\xd6][\x80])
-replace_tag O
(?:[go0\xd2\xd3\xd4\xd5\xd6\xd8\xf0\xf2\xf3\xf4\xf5\xf6\xf8]|[\xd0][\x9e\xae\xbe]|[\xd1][\xba\xbb]|[\xd3][\xa6\xa7\xa8\xaa]|[\xd4][\x9a]|[\xd5][\x95\xae]|[\xd6][\x85]|[\xd7][\xa1])
+replace_tag N
(?:[n\xd1\xf1]|[\xc3][\x91\xb1]|[\xc5][\x83\x84\x85\x86\x87\x88\x89\x8a\x8b]|[\xd0][\x98\x99\x9f\xb8\xb9\xbb\xbf]|[\xd1][\x9d]|[\xd2][\x8a\x8b]|[\xd3][\x86\xa2\xa3\xa4\xa5]|[\xd4][\xa5]|[\xd5][\x88\x8c\xa4\xa8\xb2\xb8\xbc]|[\xd6][\x80])
+replace_tag O
(?:[go0\xd2\xd3\xd4\xd5\xd6\xd8\xf0\xf2\xf3\xf4\xf5\xf6\xf8]|[\xc3][\x92\x93\x94\x95\x96\x98\xb2\xb3\xb4\xb5\xb6\xb8]|[\xc5][\x8c\xbd\xbe\xbf\x90\x91]|[\xd0][\x9e\xae\xbe]|[\xd1][\xba\xbb]|[\xd3][\xa6\xa7\xa8\xaa]|[\xd4][\x9a]|[\xd5][\x95\xae]|[\xd6][\x85]|[\xd7][\xa1])
replace_tag P
(?:[p\xfe]|[\xd0][\xa0]|[\xd1][\x80]|[\xd2][\x8e\x8f]|[\xd4][\x97]|[\xd5][\xa9]|[\xd6][\x84])
replace_tag Q (?:q|[\xd4][\x9a\x9b\xb3]|[\xd5][\xa3\xa6])
replace_tag R
(?:r|[\xc5][\x94\x95\x96\x97\x98\x99]|[\xc8][\x90\x91\x92\x93]|[\xd0][\x93\xaf]|[\xd1][\x8f\x93]|[\xd2][\x90\x91\x93]|[\xd3][\xb6\xb7]|[\xd4][\xb8\xbb]|[\xd5][\x90\x92]|[\xd6][\x80]|&\#(?:1(?:071|103)|34[0-5]|422|5(?:2[89]|3[01]|8[89])|6(?:3[67]|40));)
-replace_tag S
(?:[sz\xa6\xa7]|[\xd0][\x85]|[\xd1][\x95]|[\xd5][\x8f])
-replace_tag T
(?:t|[\xd0][\x93\xa2]|[\xd1][\x82]|[\xd2][\x90\xac\xad]|[\xd3][\xb6]|[\xd4][\xb5\xb7]|[\xd5][\x92\xa7])
-replace_tag U
(?:[uv\xb5\xd9\xda\xdb\xdc\xfc\xfb\xfa\xf9\xfd]|[\xd0][\x8f\xa6]|[\xd1][\x86\x9f]|[\xd4][\xb1\xbf]|[\xd5][\x84\x8d\xb4\xb6\xbd\xbe]|[\xd6][\x87])
+replace_tag S
(?:[sz\xa6\xa7]|[\xc5][\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1]|[\xd0][\x85]|[\xd1][\x95]|[\xd5][\x8f])
+replace_tag T
(?:t|[\xc5][\xa2\xa3\xa4\xa5\xa6\xa7]|[\xd0][\x93\xa2]|[\xd1][\x82]|[\xd2][\x90\xac\xad]|[\xd3][\xb6]|[\xd4][\xb5\xb7]|[\xd5][\x92\xa7])
+replace_tag U
(?:[uv\xb5\xd9\xda\xdb\xdc\xfc\xfb\xfa\xf9\xfd]|[\xc3][\x99\x9a\x9b\x9c\xb9\xba\xbb\xbc]|[\xc5][\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3]|[\xd0][\x8f\xa6]|[\xd1][\x86\x9f]|[\xd4][\xb1\xbf]|[\xd5][\x84\x8d\xb4\xb6\xbd\xbe]|[\xd6][\x87])
replace_tag V (?:[vu]|\\\/|[\xd1][\xb4\xb5\xb6\xb7])
-replace_tag W
(?:[wv]|[\xd0][\xa8\xa9]|[\xd1][\x88\x89\xa1\xb0\xb1\xbf]|[\xd4][\x9c\x9d]|[\xd5][\xa1\xba])
+replace_tag W
(?:[wv]|[\xc5][\xb4\xb5]|[\xd0][\xa8\xa9]|[\xd1][\x88\x89\xa1\xb0\xb1\xbf]|[\xd4][\x9c\x9d]|[\xd5][\xa1\xba])
replace_tag X
(?:[x\xd7]|><|[\xd0][\x96\xa5\xb6]|[\xd1][\x85]|[\xd2][\x96\x97\xb2\xb3]|[\xd3][\x81\x82\x9c\x9d\xbc\xbd\xbe\xbf])
-replace_tag Y
(?:[y\xff\xfd\xa5j]|[\xd0][\x8e\xa3]|[\xd1][\x83\x87\x9e]|[\xd2][\xae\xaf\xb0\xb1\xb6\xb7\xb8\xb9]|[\xd3][\x8b\x8c\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5]|[\xd4][\xbf]|[\xd5][\x8e\xaf\xbe])
-replace_tag Z [zs]
+replace_tag Y
(?:[y\xff\xfd\xa5j]|[\xc3][\x9d\xbd\xbf]|[\xc5][\xb6\xb7\xb8|[\xd0][\x8e\xa3]|[\xd1][\x83\x87\x9e]|[\xd2][\xae\xaf\xb0\xb1\xb6\xb7\xb8\xb9]|[\xd3][\x8b\x8c\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5]|[\xd4][\xbf]|[\xd5][\x8e\xaf\xbe])
+replace_tag Z (?:[zs]|[\xc5][\xb9\xba\xbb\xbc\xbd\xbe])
replace_tag IMG (?:jpe?g|gif|png)
replace_tag SP [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]
replace_tag WS
(?:=?\s|[\xe2](?:[\x80][\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\xaf]|[\x81][\x9f])|&(?:\#(?:8(?:19[2-9]|20[0-5]|239|287)|160|xa0)|(?:e[nm]|nb|thin)sp);)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] FALaholic #11174 pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
Today: Christmas
