Bug 3125 - [RFE] obfuscation character classes for rules
Summary: [RFE] obfuscation character classes for rules
Status: RESOLVED DUPLICATE of bug 4094
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: unspecified
Hardware: All All
Importance: P5 enhancement
Target Milestone: 3.1.0
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-03-05 07:53 UTC by Martin Kutschker
Modified: 2005-01-20 16:30 UTC
0 users



Attachment Type Modified Status Actions Submitter/CLA Status
obfu.pl obfuscation rule generation script text/plain None Chris Thielen [HasCLA]

Description Martin Kutschker 2004-03-05 07:53:09 UTC
How about custom character classes via precompiled Perl regexps:

In Perl you can do something like this (non-exhaustive list of obfuscations):
$a = qr/[aA4@]/;
$e = qr/[eE3]/;
$i = qr/[iI1|]/;
$o = qr/[oO0]/;
$W = qr/[\W_]?/;

Example rule:
body FIORICET /\bF${W}${i}${W}${o}${W}r${W}${i}${W}c${W}${e}${W}t${W}\b/i
body MORTGAGE /\bm${W}${o}${W}r${W}t${W}g${W}${a}${W}g${W}${e}${W}\b/i

Test:
perl -e '$_="f_io:r|cet";$e=qr/[eE3]/;$i=qr/[iI|]/;$o=qr/[oO0]/;$W=qr/[\W_]?/;
print "match\n" if (/\bF${W}${i}${W}${o}${W}r${W}${i}${W}c${W}${e}${W}t\b/i)'

It could be handy if these obfuscation classes were available for all regexp
rules (or at least subject, body and rawbody).

Alternatively let users define their own character classes via rules. Though the
names/syntax should be rather short to make it useful.
Comment 1 Chris Thielen 2004-03-05 08:45:16 UTC
If somebody wants to do something with this, I've already done some similar
legwork on this for my obfuscation rules generator (I use character classes but
also regexp groupings for multi-byte/multi-character replacements including HTML
entities).

I've attached the latest version of the generator script; the character mappings
start at line 137.

Comment 2 Chris Thielen 2004-03-05 08:47:35 UTC
Created attachment 1814
obfu.pl obfuscation rule generation script

Character replacements start at line 137.  The replacements are in hashes.  The
script uses the hashes to build character classes (later in the script, it
actually outputs the character classes and regexp groupings)

Hope this is useful...
Comment 3 Martin Kutschker 2004-03-05 09:42:52 UTC
Concerning obfuscation through ASCII art:

D |)
M |\/|
Y ][

I found this recently and they seem to be missing (in attachment 1814). The
conversion code hash is rather hard to read with all that \ escaping hell.
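
The character classes from the description and the multi-character ASCII-art forms from comment 3, combined into one rule generator, as an added example (not obfu.pl and not SpamAssassin code). The substitution table, the obfu_regex helper and the sample lines are constructed for illustration; lookarounds replace \b, which cannot anchor next to a non-word substitute such as @ or |).

```perl
#!/usr/bin/perl
# Added example (not obfu.pl, not SpamAssassin code): build an
# obfuscation-tolerant regexp for a word from a per-letter substitution table.
use strict;
use warnings;

# Single-character substitutes from the description; multi-character
# "ASCII art" forms from comment 3. Illustrative table, not exhaustive.
my %subst = (
    a => [ '4', '@' ],
    e => [ '3' ],
    i => [ '1', '|' ],
    o => [ '0' ],
    d => [ '|)' ],
    m => [ '|\/|' ],
    y => [ '][' ],
);

# At most one separator character between letters, as $W in the description.
my $W = qr/[\W_]?/;

# Hypothetical helper: returns a compiled regexp that matches $word and
# its obfuscated spellings.
sub obfu_regex {
    my ($word) = @_;
    my @parts;
    for my $ch (split //, lc $word) {
        # Longest alternatives first so '|\/|' is tried before a bare '|'.
        my @alts = sort { length($b) <=> length($a) } ($ch, @{ $subst{$ch} || [] });
        push @parts, '(?:' . join('|', map { quotemeta($_) } @alts) . ')';
    }
    my $body = join($W, @parts);
    # Anchor on "no word character on either side" rather than \b.
    return qr/(?<!\w)$body(?!\w)/i;
}

# Constructed sample lines: obfuscated hits plus plain text that must not match.
my @samples = (
    [ 'buy f_io:r|cet now',     'fioricet', 1 ],
    [ 'low rate |\/|0rt-g@g3',  'mortgage', 1 ],
    [ 'your mortgages are due', 'mortgage', 0 ],
    [ 'remortgage today',       'mortgage', 0 ],
);
for my $s (@samples) {
    my ($text, $word, $want) = @$s;
    my $got = $text =~ obfu_regex($word) ? 1 : 0;
    printf "%-26s %-9s %s\n", $text, $word, $got == $want ? 'ok' : 'UNEXPECTED';
}
```
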
Comment 4 Daniel Quinlan 2004-08-27 17:19:28 UTC
more accuracy and performance bugs going to 3.1.0 milestone
Comment 5 Daniel Quinlan 2005-01-21 01:30:05 UTC

*** This bug has been marked as a duplicate of 4094 ***