filter evasion

John McCain jmccain at layer3al.com
Fri Nov 7 01:22:21 CET 2003


On Thursday 06 November 2003 05:30 pm, David Relson wrote:

> John,
>
> Is this happening in text labeled as html or as plain text?

As in within a proper html body in a real html formatted message?  Yes.

>  If it's
> html text, the "<!--ham-->" should be ignored and bogofilter sees
> "spam".  

That is correct.  But if the text obfuscation is an invalid closing tag:

sp</ham>am

rather than an html comment:

sp<!--ham-->am      (or)       sp<!ham>am

Bogofilter sees three tokens, sp, ham, and am.  Seeing "ham" (my example hammy 
word), it scores the message ham.


> In plain text, bogofilter will divide the input according to
> special characters, see "sp", "ham", and "am" -- and ignore the
> character pairs because it ignores tokens shorter than three characters.

Yes, but failing to assemble the word "spam" (in this case, the example 
"spammy" word), the filter fails to recognize the message.

>  If you're seeing behavior other than I've described, please gzip the
> original message and send it to me.

Will do.


> By the way, are you _really_ seeing tokens "sp" and "am"?  If so, are
> you running pi's lexer?

I used the lexer to tell this was happening.

>
> Thanks.
>
> David
>
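
The tokenization difference discussed in this message, as an added example that is not part of the original post and is not bogofilter's lexer: a simplified tokenizer that removes only HTML comments, next to one that also removes any tag-like span (including an unmatched closing tag such as </ham>) before splitting into tokens. The function names and the list of word-breaking tags are assumptions made for the illustration.

```python
import re

MIN_TOKEN_LEN = 3  # per the thread: tokens shorter than three characters are ignored
COMMENT_RE = re.compile(r"<!--.*?-->|<![^>]*>", re.S)  # sp<!--ham-->am, sp<!ham>am
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^<>]*>")  # any tag, valid or not
WORD_RE = re.compile(r"[A-Za-z0-9]+")
# Tags that really do end a word when rendered (assumed, incomplete list).
BREAKING = {"br", "p", "div", "td", "tr", "li", "table", "hr"}


def _tokens(text):
    return [w.lower() for w in WORD_RE.findall(text) if len(w) >= MIN_TOKEN_LEN]


def tokenize_comments_only(html):
    """Remove comments only; remaining tags are split like any other text."""
    return _tokens(COMMENT_RE.sub("", html))


def _replace_tag(match):
    # Breaking tags become whitespace; everything else vanishes so that the
    # text on either side is rejoined, as a rendering mail client would show it.
    return " " if match.group(1).lower() in BREAKING else ""


def tokenize_render_aware(html):
    """Remove comments, then drop or space out every tag-like span."""
    return _tokens(TAG_RE.sub(_replace_tag, COMMENT_RE.sub("", html)))


def words_split_by_markup(html):
    """Return words that only appear once non-breaking markup is removed."""
    plain = set(tokenize_comments_only(html))
    return [t for t in tokenize_render_aware(html) if t not in plain]


if __name__ == "__main__":
    # The three obfuscations quoted in the thread, plus a legitimate paragraph break.
    for sample in ("sp</ham>am", "sp<!--ham-->am", "sp<!ham>am", "<p>buy</p><p>now</p>"):
        print(sample, tokenize_comments_only(sample), tokenize_render_aware(sample))
```

A non-empty result from words_split_by_markup() means a word was interrupted by markup that does not render, which can be scored as a signal in its own right.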
