Re: : 9D character used in words to avoid detection

2018-11-24 Thread Joseph Brennan
I've had good results scoring for the combination of windows-1256 encoding and quoted-printable. It pushes some junk over the top into spam. Admittedly a message that is mainly in a Latin character set with a quote from Arabic could be so encoded, so I don't give it a killer score, just a bump. In

Re: : 9D character used in words to avoid detection

2018-11-21 Thread RW
On Wed, 21 Nov 2018 09:10:25 -0800 (PST) John Hardin wrote: > > >> https://ruleqa.spamassassin.org/20181119-r1846888-n/__UNICODE_OBFU_ZW/detail > >> > > > > > > For this to work with 'normalize_charset 1', \x9d needs to be > > replaced with (?:\x9d|\xe2\x80\x8c) > > That makes an *enormous*

Re: : 9D character used in words to avoid detection

2018-11-21 Thread John Hardin
On Tue, 20 Nov 2018, RW wrote: On Mon, 19 Nov 2018 13:31:47 -0800 (PST) John Hardin wrote: On Mon, 19 Nov 2018, Joseph Brennan wrote: Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt In windows-1256, the presence of =9D between characters under decimal-128 is suspicious, reg

Re: 9D character used in words to avoid detection.

2018-11-20 Thread Kevin A. McGrail
Pedro, I just checked a spample I have and it hits on the rule. Note, I do not use normalize charset but just expanded the rule to allow for that thanks to RW's post. Regards, KAM -- Kevin A. McGrail VP Fundraising, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www

Re: : 9D character used in words to avoid detection

2018-11-20 Thread John Hardin
On Tue, 20 Nov 2018, RW wrote: On Mon, 19 Nov 2018 13:31:47 -0800 (PST) John Hardin wrote: On Mon, 19 Nov 2018, Joseph Brennan wrote: Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt In windows-1256, the presence of =9D between characters under decimal-128 is suspicious, reg

Re: : 9D character used in words to avoid detection

2018-11-20 Thread RW
On Mon, 19 Nov 2018 13:31:47 -0800 (PST) John Hardin wrote: > On Mon, 19 Nov 2018, Joseph Brennan wrote: > > > Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt > > > > In windows-1256, the presence of =9D between characters under > > decimal-128 is suspicious, regardless of Bitcoi

Re: : 9D character used in words to avoid detection

2018-11-20 Thread RW
On Mon, 19 Nov 2018 15:38:58 -0500 Joseph Brennan wrote: > Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt > > In windows-1256, the presence of =9D between characters under > decimal-128 is suspicious, regardless of Bitcoin. It seems like a > simple rule but even rawbody does not

Re: : 9D character used in words to avoid detection

2018-11-19 Thread John Hardin
On Mon, 19 Nov 2018, Joseph Brennan wrote: Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt In windows-1256, the presence of =9D between characters under decimal-128 is suspicious, regardless of Bitcoin. It seems like a simple rule but even rawbody does not check quoted-printabl

Re: : 9D character used in words to avoid detection

2018-11-19 Thread Bill Cole
On 19 Nov 2018, at 15:38, Joseph Brennan wrote: Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt In windows-1256, the presence of =9D between characters under decimal-128 is suspicious, regardless of Bitcoin. It seems like a simple rule but even rawbody does not check quoted-p

Re: : 9D character used in words to avoid detection

2018-11-19 Thread Joseph Brennan
Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt In windows-1256, the presence of =9D between characters under decimal-128 is suspicious, regardless of Bitcoin. It seems like a simple rule but even rawbody does not check quoted-printable patterns. Plugin maybe? Has this already bee

Re:: 9D character used in words to avoid detection

2018-11-19 Thread Mark London
On 11/19/2018 10:35 AM, users-digest-h...@spamassassin.apache.org wrote: I ran it as-is, and it scored poorly. After I manually de-borked the headers, and retested, it hit SA's "OBFU_BITCOIN" and my own anti-bitcoin/sextortion & hi-Ascii-count tests. OBFU_BITCOIN was hit because the =9D chara

Re: 9D character used in words to avoid detection

2018-11-18 Thread Bill Cole
On 18 Nov 2018, at 14:30, Chip M. wrote: Mark, is that the exact network image? It cannot have been, as it was missing headers that any message of its apparent lineage (all outlook.com) would have, including Content-Type as you noted as well as MIME-Version and private headers that MS adds

Re: 9D character used in words to avoid detection

2018-11-18 Thread Chip M.
Ditto to what John said, however, thanks for the spample Mark. :) Mark, is that the exact network image? If not, do you have access to it? If so, please pastebin it. By "network image", I mean not-mangled by any post filter software. Your posted spample is quoted-printable, and should have been

Re: 9D character used in words to avoid detection.

2018-11-18 Thread Pedro David Marco
Kevin, I think KAM_ZWNJ only triggers with "rawbody". Actual KAM.cf uses "body"... does the SA body pre-processor remove nulls?? ---PedroD On Saturday, November 17, 2018, 1:41:28 AM GMT+1, Kevin A. McGrail wrote: Yeah, there is a SCC SHORT WORDS rule and a KAM_ZWNJ in KAM.cf. P

Re: : 9D character used in words to avoid detection

2018-11-18 Thread RW
On Sat, 17 Nov 2018 19:10:57 -0500 Mark London wrote: > --_000_MWHPR14MB13279093501A88B114707EE3B0DD0MWHPR14MB1327namp_ > Content-Type: text/plain; charset="windows-1256" So =9D is a zero-width non-joiner. With normalize_charset this can be detected as the UTF-8 version seen before. > Do=9D no=

Re:: 9D character used in words to avoid detection

2018-11-17 Thread John Hardin
On Sat, 17 Nov 2018, Mark London wrote: Forwarded Message Subject:[OFF-list] 9D character used in words to avoid detection Date: Sat, 17 Nov 2018 15:42:08 -0600 To: Mark London Mark, could you post a full spample to the SA list? Erm, thanks, but it's much pre

Re:: 9D character used in words to avoid detection

2018-11-17 Thread Mark London
Forwarded Message Subject:[OFF-list] 9D character used in words to avoid detection Date: Sat, 17 Nov 2018 15:42:08 -0600 From: Chip M. To: Mark London Mark, could you post a full spample to the SA list? Thanks in advance! "Chip" M. ---

Re: 9D character used in words to avoid detection.

2018-11-17 Thread Mark London
John & Kevin - Thanks for the rules! This tactic was used in a porn blackmail spam. Considering that we are currently receiving a large amount of those types of spams, it might be possible that this tactic might catch on. Or not! We'll see. - Mark On 11/17/2018 8:23 AM, users-diges

Re: 9D character used in words to avoid detection.

2018-11-16 Thread Benny Pedersen
Mark London wrote on 2018-11-17 01:23: Is there a way to define BODY rules, so that they will be triggered? Thanks. Manually train Bayes is the only help I can give, sorry; spammers want to be detected, so let them :=)

Re: 9D character used in words to avoid detection.

2018-11-16 Thread Kevin A. McGrail
Yeah, there is a SCC SHORT WORDS rule and a KAM_ZWNJ in KAM.cf. Please let me know if those help. -- Kevin A. McGrail VP Fundraising, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171 On Fri, Nov 16, 2018 at 7:37 PM John Har

Re: 9D character used in words to avoid detection.

2018-11-16 Thread John Hardin
On Fri, 16 Nov 2018, Mark London wrote: I just received a spam email with the 9D character placed inside of words, that prevented my custom BODY rules from being hit. I.e.: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr a=9Dlready change=9Dd it. Is there a way to define BOD