Bug 3204 - new rule for JS disguised SPAM
Summary: new rule for JS disguised SPAM
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 2.63
Hardware: Other other
Importance: P5 normal
Target Milestone: 3.0.0
Assignee: SpamAssassin Developer Mailing List
Reported: 2004-03-22 10:04 UTC by Dirk Mueller
Modified: 2004-03-23 12:35 UTC

Attachment: spam sample (text/plain), submitted by Dirk Mueller [NoCLA]

Description Dirk Mueller 2004-03-22 10:04:38 UTC
Hi,

we're getting a lot of JS-disguised spam lately. This might be a rule
to detect it:

full JS_DISGUISED_SPAM /Array\s*\([\d,\s\n\r]{1000,}/
describe JS_DISGUISED_SPAM JS-encrypted message (most likely SPAM)
score JS_DISGUISED_SPAM 2.0
Comment 1 Dirk Mueller 2004-03-22 10:05:12 UTC
Created attachment 1866 [details]
spam sample
Comment 2 Dallas Engelken 2004-03-23 21:20:48 UTC
my JS rules hit on your sample just fine...

[root@mailgw root]# cat yourspam.txt  | spamc | head -40
MIME-Version: 1.0
Content-Type: multipart/mixed;
         boundary="----=_NextPart_000_0017_01C412E2.36A0E868"
X-Priority: 3
Subject: [SPAM-08.34]-
X-Spam-Score: 8.3
X-Spam-Flag: YES
X-Spam-Level: ********
X-Spam-Status: Yes, hits=8.3 required=4.0
X-Spam-Tests: DATE_MISSING=0.985,FROM_NO_LOWER=1.897,HTML_90_100=1.073,
        HTML_MESSAGE=0.001,IO_HTML_0_512=0.3,JS_ENCODE_1=0.5,JS_ENCODE_2=0.75,
        JS_ENCODE_FULL=2,PRIORITY_NO_NAME=0.831
X-Spam-Report:
        *  1.0 DATE_MISSING Missing Date: header
        *  1.9 FROM_NO_LOWER 'From' has no lower-case characters
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  1.1 HTML_90_100 BODY: Message is 90% to 100% HTML
        *  0.5 JS_ENCODE_1 BODY: Possible comma seperated ascii representations
        *  0.8 JS_ENCODE_2 BODY: Contains document.write - Javascript Spam
        *  0.3 IO_HTML_0_512 BODY: Less than 512 characters between html/body tags
        *  2.0 JS_ENCODE_FULL Uses Javascript ascii encoding to hide text
        *  0.8 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer


Here are the rules I have in my local.cf to combat javascript encodings... I
think I posted these to the list a while back, and I do masscheck on new mail
every week, and I have not seen a huge rise in javascript encoded spam, but I
like to keep them in my cf just in case :)

anyways.. here are my rules if it matters.

rawbody  JS_ENCODE_1  /\b(?:\d{1,3}[\s\,]+){8}/
describe JS_ENCODE_1  Possible comma seperated ascii representations
score    JS_ENCODE_1  0.5

rawbody  JS_ENCODE_2  /document\.write/i
describe JS_ENCODE_2  Contains document.write - Javascript Spam
score    JS_ENCODE_2  0.8

meta     JS_ENCODE_FULL  (JS_ENCODE_1 && JS_ENCODE_2)
describe JS_ENCODE_FULL  Uses Javascript ascii encoding to hide text
score    JS_ENCODE_FULL  2.0

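The rules posted in this thread (Dirk's JS_DISGUISED_SPAM in the description and Dallas's JS_ENCODE_1 / JS_ENCODE_2 / JS_ENCODE_FULL set above), evaluated in Python against constructed messages so the scoring and the meta-rule logic can be seen end to end. This is an added example, not code from the thread or from SpamAssassin itself; it assumes a simplified header/body split (first blank line), that the Perl patterns behave the same under Python's `re` (they do for these three), and the required=4.0 threshold shown in the quoted spamc output. The sample messages are constructed, not real mail.

```python
import re

# Rules from this thread as Python regexes. Each entry:
# name -> (scope, compiled pattern, score). The scope mirrors the
# SpamAssassin keyword: "full" is matched against the whole raw message,
# "rawbody" against the undecoded body that follows the header block.
RULES = {
    "JS_DISGUISED_SPAM": ("full", re.compile(r"Array\s*\([\d,\s\n\r]{1000,}"), 2.0),
    "JS_ENCODE_1": ("rawbody", re.compile(r"\b(?:\d{1,3}[\s,]+){8}"), 0.5),
    "JS_ENCODE_2": ("rawbody", re.compile(r"document\.write", re.I), 0.8),
}
# Meta rule: fires only when every listed sub-rule hit (the "&&" above).
META_RULES = {"JS_ENCODE_FULL": (("JS_ENCODE_1", "JS_ENCODE_2"), 2.0)}
REQUIRED_SCORE = 4.0  # assumption: same threshold as the quoted spamc run


def split_message(raw):
    """Return (headers, body); the body starts after the first blank line."""
    head, sep, body = raw.partition("\n\n")
    return (head, body) if sep else (raw, "")


def evaluate(raw):
    """Run the rules over one raw message; return hits, total and verdict."""
    _, body = split_message(raw)
    hits = {}
    for name, (scope, pattern, score) in RULES.items():
        target = raw if scope == "full" else body
        if pattern.search(target):
            hits[name] = score
    for name, (deps, score) in META_RULES.items():
        if all(dep in hits for dep in deps):
            hits[name] = score
    total = round(sum(hits.values()), 1)
    return {"hits": hits, "score": total, "is_spam": total >= REQUIRED_SCORE}


def js_array_encode(text):
    """Build a body in the disguised style the thread describes: the text is
    stored as comma-separated character codes in an Array and emitted with
    document.write. Constructed here purely to exercise the detector."""
    codes = ",".join(str(ord(c)) for c in text)
    return ("<html><body><script>\n"
            "var a = new Array(" + codes + ");\n"
            "var s = '';\n"
            "for (i = 0; i < a.length; i++) s += String.fromCharCode(a[i]);\n"
            "document.write(s);\n"
            "</script></body></html>\n")


HEADERS = ("From: sender@example.invalid\n"
           "Subject: constructed sample\n"
           "Content-Type: text/html\n")

# Constructed samples: an encoded payload long enough to pass the 1000-char
# threshold of JS_DISGUISED_SPAM, a plain HTML message, and a short script
# that calls document.write without any encoded payload (so only JS_ENCODE_2
# fires and the meta rule stays quiet).
ENCODED_SAMPLE = HEADERS + "\n" + js_array_encode("<p>hidden text</p>" * 30)
PLAIN_SAMPLE = HEADERS + "\n<html><body><p>Plain HTML, no script.</p></body></html>\n"
SCRIPT_ONLY_SAMPLE = (HEADERS + "\n<html><body><script>document.write('hi');"
                      "</script></body></html>\n")

if __name__ == "__main__":
    for label, msg in [("encoded", ENCODED_SAMPLE), ("plain", PLAIN_SAMPLE),
                       ("script-only", SCRIPT_ONLY_SAMPLE)]:
        print(label, evaluate(msg))
```

The script-only sample is the case that justifies the meta rule: `document.write` alone is common in legitimate HTML mail, and the 0.8 from JS_ENCODE_2 is deliberately below the threshold; only the combination with a run of comma-separated character codes lifts the message over required=4.0.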
Comment 3 Justin Mason 2004-03-23 21:35:20 UTC
also hits on 

  0.040   0.0495   0.0000    1.000   0.94    0.01  T_JS_FROMCHARCODE

a recent addition ;)