... convert_unicode.c ...
Pavel Kankovsky
peak at argo.troja.mff.cuni.cz
Wed Jun 22 00:30:44 CEST 2005
On Mon, 20 Jun 2005, David Relson wrote:
> Attached is a list of 76 charsets in this month's spam. I don't have
> time to see what iconv_open( "from_charset", "UTF-8" ) thinks of them
> -- have to head to work.
The list is quite interesting. As far as I can tell, most "charsets" in
that list are bogus. Let's look at a few of them:
charset= <-- bogus
charset=big5
charset=%charset <-- bogus (*)
charset=cp-1252 <-- semibogus, should read windows-1252
charset=%custom_charset <-- bogus (*)
charset=default <-- bogus
charset=euc <-- semibogus, suffix (-kr, -jp) missing
charset=euc-kr
charset=euc-kr[ÇŃąšžî] <-- bogus
charset=gb2312
charset=iso-0145-4 <-- bogus
charset=iso-0151-6 <-- bogus
charset=iso-0237-6 <-- bogus
charset=iso-0408-1 <-- bogus
charset=iso-0501-5 <-- bogus
(*) It is obvious these two values were supposed to be replaced with
something. Probably by some random charset-like value. This suggests
spammers set bogus charset values intentionally.
> The solutions I can think of are all hacks
>
> ignore tokens for invalid charsets (when scoring and registering)
> don't register tokens from messages with invalid charsets
I think we should emulate the behaviour of common MUAs--read MS Outlook
(Express)--in such a situation. This is what spammers expect and this is
what they optimize their "products" for.
I guess MSOE assumes ASCII, 8859-1, or the charset of its current locale
(most likely but ASCII or perhaps 8859-1 might still be a reasonable
default value) when it encounters an unrecognized charset name.
> Of course, when the bogus charset name is seen (after registration as
> spam), it has a very high spam score -- effectively a red flag!
...assuming that bogus charset name in question is going to appear again.
Spammers might (and as observed above, there is a change they already do)
use random "nonces" as charset names to fool filters.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
More information about the bogofilter-dev
mailing list