ietf-asrg

Re: [Asrg] How to defeat spam that uses encryption?

2003-03-31 11:39:47

Jason Hihn said:

But imagine this in a message:
--- start---
[javascript]
$cypher_text="dsfjhsjdfhsdfjksdhfskjfhsd.."
function decrypt(key, cypher_text){
/* do description */
document.writeln($plain_text)
}
[/javascript]

[body onload=decrypt("aasc", $cypher_text)]
--- finish ---
Now all your filters, Bayesian or not, will only work on the actual text
seen between start and finish. No filtering will be done of the "message" -
what the user sees.  Furthermore, variable and function names are infinitely
variable, and what is not variable is standard html/js stuff and has
significant legit use.

This exists -- I think a search for SBL will throw up one spammer
(Merlin?) who writes this kind of polymorphic-style spam.

In SpamAssassin's ruleset, the use of a body onload attribute, or
Javascript decryptors, is an incredibly strong spam-sign -- because *no*
legit mail ever does this. 

I think this may be one reason I haven't seen 1 spam that does this, since
about a year ago. ;)

--j.
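
The check described in the reply above, as an added example that is not part of the original message and is not SpamAssassin's own code: a Python scanner that flags the decryptor scaffolding (a body onload handler, an inline script that writes into the page) in a message's HTML part, decoding the transfer encoding first. The hit names, the pattern list and both sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumed pattern list: calls a script uses to write decoded text into the page.
WRITER = re.compile(r"document\.write(ln)?\s*\(|\.innerHTML\s*=|\beval\s*\(", re.I)

class ActiveContentScanner(HTMLParser):
    """Collects hit names (hypothetical labels) for active content in HTML mail."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "body" and any(name == "onload" for name, _ in attrs):
            self.hits.add("BODY_ONLOAD")
        if tag == "script":
            self.hits.add("SCRIPT_TAG")
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and WRITER.search(data):
            self.hits.add("SCRIPT_WRITES_BODY")

def scan_message(raw):
    """Return sorted hit names across every text/html part of a raw message."""
    scanner = ActiveContentScanner()
    for part in email.message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            scanner.feed(part.get_content())  # base64/QP is decoded here
    scanner.close()
    return sorted(scanner.hits)

def build(html):
    """Constructed sample: wrap HTML in a base64-encoded text/html message."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(html, subtype="html", cte="base64")
    return msg.as_string()

OBFUSCATED = build("<html><head><script>var c='dsfjhsjdf';"
                   "function decrypt(k,t){document.writeln(t);}</script></head>"
                   "<body onload=\"decrypt('aasc', c)\"></body></html>")
PLAIN = build("<html><body><p>Meeting moved to 3pm.</p></body></html>")
```

The obfuscated sample has no visible text for a content filter to score, yet it produces all three hits from the scaffolding alone; the plain HTML message produces none.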