relson at osagesoftware.com
Sat Sep 11 20:43:59 EDT 2004
On Sun, 12 Sep 2004 00:02:43 +0200 (CEST)
Pavel Kankovsky wrote:
> On Tue, 7 Sep 2004, Tom Anderson wrote:
> > Careful about /dev/null'ing JScript.Encode... it's a Microsoft
> > proprietary technology, [...]
> And this is a good and sufficient reason to stop it before it spreads
> like a contagious disease.
> Moreover, I do not think anyone has a legitimate reason to obfuscate
> (obfuscation is not encryption) email contents. Either the recipient
> is intended to see it, then there is no point in obfuscation, or the
> recipient is not intended to see, and then it should not be sent in
> the first place.
> JScript.Encode is good for spammers and malware. And perhaps for MS
> with its delusions of world domination. It is bad for anyone else.
> > It'd be better to decode it and treat it the same way as regular
> Well, JS is just another level of obfuscation. There is no reliable
> way to determine what the real visible contents of "JS-enabled HTML"
> is short of running the code in question.
> the same way (more or less). It should recognize their presence and be
> able to recognize them as strong spam indicators.
What I had in mind was a bit simpler. At present, bogofilter ignores
most html tags. It parses "a", "img", and "font" tags so that the
tokens within them go into scoring the message. I'm thinking of adding
"script" to that list, so that "JScript.Encode" and other such script
info would be included in the scoring of the message. It'd be a small
change and would help deal with this level of obfuscation. I'm not even
considering about decoding JScript.Encode (as is presently done with
base64, uuencode, QP, etc).
More information about the Bogofilter