-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Ron, is this a worm, or spam?  That's a MSIE exploit, from what I can
find on the web.

If it's spam, we need to enhance our HTML parser to pick up the "data"
attribute as a href.  If that's the case, could you open a bug on
bugzilla.SpamAssassin.org?

- --j.

Bob Apthorpe writes:
> Hi,
>
> On Thu, 20 May 2004, Ron Snyder wrote:
>
> > I'm getting a bunch of virus alerts from McAfee for "Exploit-objectdata",
> > and I'm pretty sure the stuff below is what's triggering it.  The text in
> > the sendmail data file (pulled straight from the df*) is exactly as you see
> > it below (including the '=' in the right column), with the exception that
> > I've changed "object data" to "xxxx" in order to hopefully avoid any other
> > alerts that folks might have.
> >
> >
> > </font></CENTER><xxxx=3D"http://&#=
> > 119;ww.fatbonusc&#=
> > 97;sino.com/pag=
> > 01;.php">
> >
> >
> > Are there programs that can be used to decode this, so I can see exactly
> > what this converts to w/o doing it by hand?
>
> Is this actually an attack?
>
> Try this one-liner:
>
> cat sample_spam.txt | spamassassin -d | \
>   perl -MHTML::Entities -pe 'decode_entities($_);' | less
>
> The above translates to
>
> </font></CENTER><xxxx=3D"http://www.fatbonuscasino.com/page.php">
>
> The -n and -p flags to perl are very helpful when doing crazy one-liners
> like this. Also see man pages for xargs and cut.
>
> hth,
>
> -- Bob
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFArcAZQTcbUG5Y7woRAqkpAKCAc4dPb9TTLuIy91ir86qnX9rq6ACfUIpf
vtm2i1XxPpNtRfKDVcFDynA=
=YK8c
-----END PGP SIGNATURE-----
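
The decoding asked about in the thread, together with the parser change the reply proposes (treating the "data" attribute of <object> as a link), as an added example that is not part of the original messages and is not SpamAssassin's code. The sample body, the example.com/example.org URLs, the attribute tables and all function names are constructed for illustration.

```python
import quopri
from html.parser import HTMLParser

# Tag -> attributes treated as links. The ("object", "data") pair is the
# addition proposed in the thread; the baseline table is an assumption.
BASELINE_ATTRS = {"a": ("href",), "img": ("src",)}
EXTENDED_ATTRS = {**BASELINE_ATTRS, "object": ("data",)}

# Constructed sample: quoted-printable body with soft line breaks ("=" at end
# of line), "=3D" for "=", and numeric character references hiding the host.
SAMPLE = (
    b'</font></CENTER><object data=3D"http://&#=\n'
    b'119;ww.example.com/pag&#1=\n'
    b'01;.php">\n'
    b'<a href=3D"http://example.org/unsub">unsubscribe</a>\n'
)


class LinkCollector(HTMLParser):
    """Collect (tag, attribute, url) for every link-bearing attribute."""

    def __init__(self, uri_attrs):
        super().__init__(convert_charrefs=True)
        self.uri_attrs = uri_attrs
        self.links = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes &#NNN; in attribute values.
        for name, value in attrs:
            if value and name in self.uri_attrs.get(tag, ()):
                self.links.append((tag, name, value.strip()))


def extract_links(raw_body, uri_attrs=EXTENDED_ATTRS):
    """Undo quoted-printable, then parse the HTML and return its links."""
    html_text = quopri.decodestring(raw_body).decode("latin-1")
    collector = LinkCollector(uri_attrs)
    collector.feed(html_text)
    collector.close()
    return collector.links


if __name__ == "__main__":
    for tag, attr, url in extract_links(SAMPLE):
        print(f"{tag}[{attr}] -> {url}")
```

Calling extract_links(SAMPLE, BASELINE_ATTRS) shows what a parser that ignores "data" sees: only the unsubscribe link, with the obfuscated <object> URL missed entirely.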
