On Tue, 10 Feb 2004, Herbert Straub wrote:

> Herbert Straub wrote:
>
> > I observed that my uri test /imteresting\.com/i fails. I checked this
> > also with spamassassin -D rulesrun=255. The mail containing the
> > following URI <a
> > href=3d"http://www=2eimteresting=2ecom/at/1/view=2ehtml";>
>
> I searched the spamassassin-talk mail archive and found the thread
> "Obfusticated URI?".  See:
> http://www.mail-archive.com/[email protected]/msg29815.html
> I think this is the same problem, with the =2e. But I don't understand
> the statement "and is decoded correctly by spamassassin, before the URI
> rules.".  Should I write
>
> uri HS_BLOCK /imteresting=2[Ee]com\//i
>
> which matches, instead of
>
> uri HS_BLOCK /imteresting\.com\//i
>
> If I read the mail with mozilla-mail or display the message file directly
> with the mozilla browser, then the =2e seems to be converted to "." for the
> whole file. I uploaded the message to my homepage:
> http://members.aon.at/hstraub/linux/message
>
> What is wrong?
>
> Herbert

This issue has already been discussed earlier on this list. (actually
on its previous incarnation ;).

The problem is in a perversion of the Base64 encoding standard.
That "=2E" is a Base64-encoded period. The MIME RFC explicitly states
that Base64 encoding -must- use UPPERCASE HEX characters in its
values, thus "=2E" is legit, but "=2e" is not.

SA will automatically decode proper Base64 messages before applying
rules. So a raw "=2E" will never be seen; it gets turned into '.'.
But SA does not touch improper Base64, so it does not decode that "=2e"
garbage, and so your normal URI rules will not match.

The MIME RFC states that a client -may- choose to attempt to decode
the lowercase garbage and present that to the user. That's why
the message looks OK when you view it via Mozilla, Eudora, OutHouse,
etc.

There's been discussion of modifying SA's Base64 decoder to make it
more relaxed and handle the perverted cruft.
In the meantime, it might make an interesting rule to look for those
"=2e"s; they indicate either a very broken client or a spammer trying to
foil SA. ;)

Dave

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
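
Added worked example, not part of the thread and not SpamAssassin's own
code: it models the decode-then-match pipeline Dave describes, with a
strict decoder that only honours =XX escapes written in the uppercase hex
digits RFC 2045 requires, a lenient one that also accepts lowercase, the
two uri rule variants Herbert posted, and the detector Dave suggests for
lowercase "=2e"-style escapes. SpamAssassin rules are Perl regexes; these
particular patterns behave the same under Python's re. The sample body is
constructed from the href fragment quoted above, the rule names
HS_BLOCK_DOT and HS_BLOCK_ESCAPED are hypothetical, and the strict/lenient
decoders stand in for SA's real decoder rather than reproduce it.

```python
import re

# Constructed sample body, modelled on the href fragment quoted in the thread:
# both the =3d (=) and the =2e (.) escapes use lowercase hex digits.
SAMPLE_BODY = (
    'Special offer: <a href=3d"http://www=2eimteresting=2ecom/at/1/view=2ehtml">'
    "click here</a>\n"
)

# =XX escape with the uppercase hex digits RFC 2045 requires.
STRICT_ESCAPE = re.compile(r"=([0-9A-F]{2})")
# The same escape, but also accepting lowercase digits (what a forgiving
# mail client does when it renders the message).
LENIENT_ESCAPE = re.compile(r"=([0-9A-Fa-f]{2})")

# An escape that uses at least one lowercase hex letter: a conforming encoder
# never produces one, so it is worth flagging on its own.
LOWERCASE_ESCAPE = re.compile(r"=(?:[0-9][a-f]|[a-f][0-9a-f])")

# Anything that looks like an http(s) URI, stopping at whitespace or quotes.
URI_RE = re.compile(r'https?://[^\s"<>]+')

# Hypothetical rule names; the patterns are the two variants from the thread.
URI_RULES = {
    # uri HS_BLOCK /imteresting\.com\//i
    "HS_BLOCK_DOT": re.compile(r"imteresting\.com/", re.I),
    # uri HS_BLOCK /imteresting=2[Ee]com\//i
    "HS_BLOCK_ESCAPED": re.compile(r"imteresting=2[Ee]com/", re.I),
}


def _unescape(match):
    return chr(int(match.group(1), 16))


def decode_strict(text):
    """Decode only uppercase =XX escapes; lowercase ones are left untouched."""
    return STRICT_ESCAPE.sub(_unescape, text)


def decode_lenient(text):
    """Decode =XX escapes regardless of the case of the hex digits."""
    return LENIENT_ESCAPE.sub(_unescape, text)


def run_uri_rules(body, decoder):
    """Decode the body with `decoder`, extract URIs, and report which rules fire."""
    uris = URI_RE.findall(decoder(body))
    return {name: any(rule.search(uri) for uri in uris)
            for name, rule in URI_RULES.items()}


def lowercase_escapes(body):
    """Return every =xx escape written with lowercase hex, in order of appearance."""
    return LOWERCASE_ESCAPE.findall(body)


if __name__ == "__main__":
    for label, decoder in (("strict decode", decode_strict),
                           ("lenient decode", decode_lenient)):
        print(label + ":", URI_RE.findall(decoder(SAMPLE_BODY)))
        print("  rules:", run_uri_rules(SAMPLE_BODY, decoder))
    # The lowercase escapes are visible in the raw body whatever the decoder does.
    print("lowercase escapes:", lowercase_escapes(SAMPLE_BODY))
```

With the strict decoder the URI stays as "http://www=2eimteresting=2ecom/...",
so only HS_BLOCK_ESCAPED fires; with the lenient decoder it becomes
"http://www.imteresting.com/...", and only HS_BLOCK_DOT fires. A rule
written against one form will miss the other, which is why a separate
check for lowercase escapes in the raw body is the more robust signal.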
