> Originally posted by vyouzhi on 2007-3-13 10:39
> To abel:
> You forgot one thing: everything you have studied is spam; you probably haven't studied normal mail.
> If a normal mail is HTML with embedded images, how does the cid change then?
> You probably haven't studied that. It's like one of my own rules, where I put ...
1. I don't think normal HTML mail with images contains cid: at all, or hardly ever.
2. What you consider "normal" mail is exactly what a real spammer wants to produce; he wants you to think it looks normal, and that is a common technique.
3. I understand the SA rawbody rules and so on, but once you add multi-part, HTML variations or line-break control, it is no longer certain, and some S/MIME tricks can break this too. I only brought up the multi-part stuff because you said earlier that you don't use SA and only use ordinary patterns.
Example:
Add the following to SA:
rawbody IMG_CID /img.*cid/i
describe IMG_CID image src use cid
score IMG_CID 100.0
# "CRITICAL INVESTOR ALERT!" image spam - added dynamic image size
rawbody __IMG_CID1 /img /i
rawbody __IMG_CID2 /src.*cid/i
meta LOCAL_CRIT_INVEST_IMG (__IMG_CID1 && __IMG_CID2)
score LOCAL_CRIT_INVEST_IMG 100.0
describe LOCAL_CRIT_INVEST_IMG BODY: Contains image cid pattern
full IMG_CID3 /img.*cid/i
describe IMG_CID3 image src use cid
score IMG_CID3 100.0
body IMG_CID4 /img.*cid/i
describe IMG_CID4 image src use cid
score IMG_CID4 100.0
Spam pattern:
-----=_NextPart_001_0011_01C7641A.6A5BD900
Content-Type: text/html;
charset="windows-1250"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dwindows-125=
0">
<META content=3D"MSHTML 6.00.2900.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT FACE=3D"Arial, Verdana" size=3D2>Hullo, Peter, she replied faint=
ly, squeezing herself as small as blew open as of old, and Peter dropped on=
 the floor. think of anything to say, she simply bowed, and took the thimbl=
e, dotage, knowing neither the crime imputed her, nor its punishment;</FONT=
></DIV>
<DIV><FONT size=3D2><IMG alt=3D"" hspace=3D0 src=3D"=43=
=
=
=
=49
=
=44:0013=
01c7641a$6a5bd9=
00$086a7544@nolo" align=3Dbaseline border=3D0></FONT></DIV>
<DIV><FONT FACE=3D"Arial, Verdana" size=3D2>By this time she had found her =
way into a tidy little room with antipathy of her brother; the similarity o=
f their dispositions made with an inherent brightness; the greater stars we=
re burning in their began to cry again, for she felt very lonely and low-sp=
irited.</FONT></DIV>
Which one of the rules matches?
The result: none of them.
Report:
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0071]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.9 DNS_FROM_RFC_BOGUSMX   RBL: Envelope sender in bogusmx.rfc-ignorant.org
 5.0 RCVD_IN_T1_RBL         RBL: this IP listed by t1.dnsbl.net.au
                            [190.44.109.134 listed in t1.dnsbl.net.au]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [190.44.109.134 listed in sbl-xbl.spamhaus.org]
The last two are RBLs I added myself, and they are the only reason this example got blocked at all. Everything else, such as the SMTP check (which is no more than what 思兄 or 163 do anyway), it passed before it ever reached the SA part. With a default SA configuration, even with that cid rule added, it still wouldn't be blocked.
This spam even has an SPF record! (Who on this forum has set up SPF? I'd guess fewer than ten.) Even 263 doesn't have one, and that counts as professional?
orbweb.net "v=spf1 ip4:38.113.1.0/24 ip4:38.113.20.0/24 ip4:65.254.224.0/19 ?all"
4. JS/CSS-based spam techniques are bound to show up in the future, because they can effectively defeat the commonly used pattern-match approach; once the content is assembled by code, you won't even get a chance to match it.
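Added example, not part of the original post or of SpamAssassin: a small Python check of why the /img.*cid/i pattern from the post finds nothing in the sample above, and what the filter has to do to find it. In the sample the string "CID:" is spelled with quoted-printable hex escapes (=43 =49 =44) and spread over soft line breaks, so the bytes "cid" never occur on the wire; the same pattern matches once the Content-Transfer-Encoding is undone and the soft breaks are joined. The RAW_QP_PART input below is a constructed fragment modelled on the IMG line of the spam sample; the function names are my own.

```python
import quopri
import re
from typing import Optional

# Constructed quoted-printable HTML fragment modelled on the IMG line of the spam
# sample in the post. "CID:" is written as =43 =49 =44 and split by "=" soft line
# breaks, so the literal bytes "cid" are absent from the encoded part.
RAW_QP_PART = b"""<DIV><FONT size=3D2><IMG alt=3D"" hspace=3D0 src=3D"=43=
=
=49=
=44:0013=
01c7641a$6a5bd9=
00$086a7544@nolo" align=3Dbaseline border=3D0></FONT></DIV>
"""

# The rule from the post: "img" followed by "cid" on one line, case-insensitive.
IMG_CID = re.compile(rb"img.*cid", re.IGNORECASE)


def matches_raw(part: bytes) -> bool:
    """Apply the pattern line by line to the still-encoded bytes, i.e. what a
    plain pattern match on the wire format sees."""
    return any(IMG_CID.search(line) for line in part.splitlines())


def decode_qp(part: bytes) -> bytes:
    """Undo quoted-printable: =XX hex escapes and '=' soft line breaks."""
    return quopri.decodestring(part)


def matches_decoded(part: bytes) -> bool:
    """Apply the same pattern after transfer-encoding decoding."""
    return any(IMG_CID.search(line) for line in decode_qp(part).splitlines())


def extract_cid_src(part: bytes) -> Optional[str]:
    """Return the cid: reference of the first IMG tag after decoding, or None.
    Useful for checking that the cid actually names a part in the same message."""
    m = re.search(rb'<img[^>]*src\s*=\s*"cid:([^"]+)"', decode_qp(part), re.IGNORECASE)
    return m.group(1).decode("ascii", "replace") if m else None


if __name__ == "__main__":
    print("raw match:    ", matches_raw(RAW_QP_PART))      # False
    print("decoded match:", matches_decoded(RAW_QP_PART))  # True
    print("cid reference:", extract_cid_src(RAW_QP_PART))
```

The point for anyone writing their own filter without SA is that every content pattern has to run on the decoded part (quoted-printable, base64, and with soft breaks joined), never on the raw transport bytes; a "full"-style match on the undecoded message, as in the IMG_CID3 rule above, is exactly the kind of check this encoding slips past.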