From: TR S. <ts...@oi...> - 2011-12-31 23:14:16
I am writing this about assp 1.9.1.9(0.0.00) but I expect it is true in 2.x as well. ASSP does not properly deal with the below active spams, which are exploiting Big5 and MUAs' behavior to get around filters.

Big5 is a Chinese language character set that uses double-byte encoding. In messages, the ASCII period sign (2E) can be used as a domain name label separator in a Big5 MIME part. I might add the domain below is on SURBL and is not currently being detected by ASSP because of this exploit. I hope this data will help close this exploit that ASSP does not detect.

MUAs such as Outlook Express and Thunderbird support the encoded dot '。' (A1 43):

http://cheng-xia5。info/

(see attached image for a hex view, it's an actual spam message). If this link is clicked, the open dot character is transformed to a regular '.'.

These Big5 codes have the same effect (with corresponding Unicode names*):

0xA143 IDEOGRAPHIC FULL STOP
0xA144 FULLWIDTH FULL STOP
0xA14F SMALL FULL STOP

Tom

* http://unicode.org/Public/MAPPINGS/OBSOLETE/EASTASIA/OTHER/BIG5.TXT
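
The filter-side fix the report above points to, as an added example (not part of the original post and not ASSP code): decode the MIME part with its declared charset, fold the three full-stop variants to an ASCII '.', and only then extract hosts for the URI blocklist lookup. The sample bytes, the `BLOCKLIST` set standing in for a SURBL query, and all function names are constructed for illustration.

```python
import re

# Full-stop variants listed in the post, as Unicode code points.
DOT_VARIANTS = str.maketrans({
    "\u3002": ".",  # IDEOGRAPHIC FULL STOP (Big5 0xA143)
    "\uff0e": ".",  # FULLWIDTH FULL STOP   (Big5 0xA144)
    "\ufe52": ".",  # SMALL FULL STOP       (Big5 0xA14F)
})

# Byte-level matcher that only recognises the ASCII dot (2E) between labels.
ASCII_HOST = re.compile(rb"https?://((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
# Host portion of a URL in already-decoded text.
URL_HOST = re.compile(r"https?://([^\s/<>\"']+)", re.I)

# Constructed sample: the URL from the post as raw Big5 bytes (A1 43 is the dot).
SAMPLE = b"Click http://cheng-xia5\xa1\x43info/ now"
# Constructed stand-in for a URI blocklist lookup such as SURBL.
BLOCKLIST = {"cheng-xia5.info"}


def naive_hosts(raw: bytes) -> list:
    """Hosts found when the raw bytes are scanned without charset decoding."""
    return [m.group(1).decode("ascii").lower() for m in ASCII_HOST.finditer(raw)]


def fold_dots(text: str) -> str:
    """Replace the full-stop variants with the ASCII label separator."""
    return text.translate(DOT_VARIANTS)


def extract_hosts(raw: bytes, charset: str) -> list:
    """Decode with the part's declared charset, fold dots, then pull out hosts."""
    text = fold_dots(raw.decode(charset, errors="replace"))
    hosts = []
    for m in URL_HOST.finditer(text):
        # Drop any userinfo and port, lowercase, strip a trailing root dot.
        host = m.group(1).rsplit("@", 1)[-1].split(":", 1)[0].lower().rstrip(".")
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def listed_hosts(raw: bytes, charset: str) -> list:
    """Hosts from the part that appear on the blocklist."""
    return [h for h in extract_hosts(raw, charset) if h in BLOCKLIST]


if __name__ == "__main__":
    print("byte-level scan:", naive_hosts(SAMPLE))
    print("decoded + folded:", extract_hosts(SAMPLE, "big5"))
    print("blocklist hits:", listed_hosts(SAMPLE, "big5"))
```

The byte-level scan finds no host in the sample because the separator is the two-byte sequence A1 43, not 2E; the decoded and folded text yields the listed domain.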