On Fri, 2003-12-05 at 14:37, Chr. von Stuckrad wrote:
> Hi!
> 
> I just found a perfectly legitimate E-Mail
> which neighter contained Spam-Text nor any html
> in my Spambox, hit by two 'ofsucation checks'.
> 
> One I had generated with https://sandgnat.com/cmos/cmos.jsp
> in response to the ever increasing use of the Word 'curn',
> the other checks for 'too long or short html-tags'.
<snip>
> the HTML rule, and I *assume* that somewhere in in the  base64-code
> will be the 'seemingly ofuscated p*rn-word ...

Hi. With short obfu-checks such as curn you mentioned, false hits are
difficult to avoid on binary data such as (as I've experienced) jpgs. 
I'm guessing your hit was somwhere on the PDF or the word file.  The
body rules are run with attachments decoded.

I just released version 0h of CMOScript.  It has a new algorithm for
generating the gap pattern.  If the rule's source word is 3 characters
or less it will use a more restrictive gap pattern and should help tone
down the volume of false positives (I hope).


-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Reply via email to