filter evasion
John McCain
jmccain at layer3al.com
Fri Nov 7 16:43:02 CET 2003
On Thursday 06 November 2003 07:09 pm, David Relson wrote:
> ### here's my very simple test message ###
>
> [relson at osage src]$ cat msg.html.1106.html
> Content-Type: text/html
>
> sp<!ham>am
>
> ### and here's what bogolexer thinks of it ###
>
> [relson at osage src]$ bogolexer -p < msg.html.1106.html
> head:Content-Type
> head:text
> head:html
> spam
Forgive me if we've been over this, but it seems I am having trouble getting
my point across.
Ok. <!this_is_an_html_comment> </this_is_an_invalid_html_closing_tag>
Html parsers, such as those in e-mail readers, will disregard an invalid html
closing tag. Therefore, they can functionally work as comments even though
bogofilter doesn't regard them as such.
So, if I am Evil Spammer, and I am trying to use the word "ham" in non-eyeball
space to confuse bogofilter, I can do this:
sp</ham>am
Try your test as above, except replace the bang (!) with a foward slash (/),
transforming it from a comment into an html closing tag.
More information about the Bogofilter
mailing list