On Mon, 17 Feb 2025, Michel Arboi wrote:
I received a phishing e-mail that contained this URL:
http://z0kr.com%2F%40@%E2%80%8Bz0kr.imonation.fr%E2%80%8B
%E2%80%8B = ZERO-WIDTH SPACE
Spamcop chokes on it and cannot decode the URL correctly.
I cannot imagine a innocuous use of this character in a URL. There are
probably many other dangerous Unicode characters.
Well, it can be triggered by bugs but even here it is toxic:
https://stackoverflow.com/questions/63187010/e2808b-appears-in-url-net-core
PS: is this the right place to submit spam samples?
The Users list would be better. Upload them to pastebin or something
similar and just post the URLs to that rather than the actual spamples.
That said, we do have some ZWNB rules but I'm not sure any of them are
looking in URLs specifically.
If you send me any samples you have, ideally zipped or .tar.gz with one
message per file, I'll check/develop rules and add them to my
masscheck spam corpus.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Adding kids to insanity does not fix the insanity,
it breaks the kids.
-----------------------------------------------------------------------
5 days until George Washington's 293rd Birthday
