I've attached an email which has an IMG tag with the
SCR pointing to some spammy graphic, while the text of
the actual message looks rather innocent. The SRC
value of the IMG has been written such that some of the
letters in the website name are escaped with HTML %##
codes. Also, at first glance the SRC value is
deceptively pointing to www.prerequisite.com, however
this is *NOT* where it is actually going. After closer
examination, you can see that there is an @ sign
following the phony website name, followed by a
half-encoded location to the real spammy web server.
The @ sign causes the www.prerequisite.com to be
submitted as the HTTP-USER for login purposes I would
A glance at the CHANGES-0.15 file says that bogofilter
now will decode escaped html, but that's not happening
here with bogolexer -p (this is a segment of the
bogolexer results from the email I've attached):
notice it does recognise the phony
www.prerequisite.com, but that the TRUE web server name
has been obscured with escape codes, and only decodes
to w.o, instead of the name of the real server.
Is this a bug?