On Mon, 10 Dec 2018, Mark London wrote:

> Hi - Here's another form of obfuscation spam. This time, not a porn
> blackmail one. Almost the whole text is obfuscated.
> https://pastebin.com/VURwmrrF

__UNICODE_OBFU_ASC hits that pretty well, but the FP avoidance for the
scored version was a bit too aggressive. Fixed.

> I had a high score assigned to the rule HTML_OBFUSCATE_90_100, which is why
> the message got a high spam rating. By default though, that rule is
> disabled (score = 0). Without that, the email would have gotten through.

HTML_OBFUSCATE_90_100 gets no hits in the masscheck corpus. Potentially we
should set a fixed override score for it.

I've tweaked a couple of other rules that this hit that were either
testing-only or filtered out. It should score higher soon.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
5 days until Bill of Rights day