Test of Mailing List

Mike Wallace mike at mlrw.com
Fri Jul 17 18:41:46 IST 2009


I know it's strange that I'm only blocked on the one message thread.

Anyway, I ended subscribing to the spamassassin mailing list and got  
the following rule (which has my rule name instead of the original one  
that was posted):

# Rule to find URI obfuscation
body		__MED_OB /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:] 
[:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?: 
[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:] 
[:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body		__MED_NOT_OB /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org) 
\b/i
meta		URI_OBFUSCATED (__MED_OB && ! __MED_NOT_OB)
describe		URI_OBFUSCATED Obfuscated URI
score		URI_OBFUSCATED 6.0

It works on every example I have found so far.

Mike

On Jul 17, 2009, at 1:16 PM, Mark Sapiro wrote:

> On Thu, Jul 16, 2009 at 11:31:01AM -0400, Mike Wallace wrote:
>> I've tried GMail and my ISP's web mail and still having problems
>> posting to the message thread "Re: Tiny text only spam (semi OT)".
>
>
> At this point, my guess is something in your message is causing it
> to be spam filtered at the receiving end (lists.mailscanner.info).
> Although if that's the case, I can't explain why this one got
> through.
>
>
>> Here is the message body that I tried to send:
>>
>>
>>
>> I found three more obfuscated URI examples that weren't caught by
>> Bernard's rules:
>>
>>
>> 1)  !.www_domain_com
>> 2) .www+domain+net
>> 3)    .www[dot]domain[dot]com
>>
>> I'm not a regex expert so I don't know how to modify his rules.
>>
>> Can anyone give me a hand?
>
>
> Here's the regexp I'm using
>
> /\bwww(?:\[dot\]|[ \-+_.]+)\w+\.?(?:\[dot\]|[ \-+_])[ _\-+.]*[a-z] 
> {2,4}\b/i
>
> It gets all the above and the original ones too. It is not hard to
> make up 'valid' domains that this regexp will match, but in practice
> I haven't seen any FPs.
>
> -- 
> Mark Sapiro mark at msapiro net       The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
> This message has been scanned for viruses and dangerous content by  
> MailScanner, and is believed to be clean.
>



More information about the MailScanner mailing list