Gr33t1n6s @nd $alu+at:ons!

I'm trying to match on vaigra obfu'ed like this:  "Viaġra".  SA sends
the HTML through HTML::Entities::decode_entities which (on my system at
least) translates ġ to a unicode character.  It gets written out as
the 2-byte sequence: \xC4\xA1.

My question is, how do I match the entity in a reasonable manner?

None of the following match:
body /\x{121}/
body /\x{0121}/
body /\x{C4A1}/
body /\&\#289;/

This does match:
body /\xC4\xA1/

If I can, I would like to match on a range of HTML entities (for instance,
the obfu'ed G above is within a range of G-like entities: [Ĝ-ģ].

After I realized I wasn't matching using literal unicode characters, I
thought of a workaround for matching these entity ranges.  My assumption
was that adjacent HTML entities should translate to adjacent unicode
characters and thus their 2-byte representations would also be adjacent
(eg: \xC4[\xA0-\xAF]) but that assumption turns out to be wrong.

Also, I don't want to use rawbody, as mixing with html comments would then
easily defeat the obfu-detection.



Finally, does anyone know if decode_entities returns the same unicode
characters on every system or is it dependant on your locale (or
something)?  I'm running perl 5.8.0, by the way.

Thanks!

--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Reply via email to