What are the Pseudowords built into POPFile and how do they work?

Trace:

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
faq:pseudowords [2008/02/08 18:49] – external edit 127.0.0.1faq:pseudowords [2013/11/05 13:58] (current) – external edit 127.0.0.1
Line 21: Line 21:
  ! XXX can be any kind of header that might or should be used in an email, e.g, Date:, Subject:, but also less common ones such as Precedence: or List-Unsubscribe.  ! XXX can be any kind of header that might or should be used in an email, e.g, Date:, Subject:, but also less common ones such as Precedence: or List-Unsubscribe.
  ? html:authorization  ? html:authorization
- !another way to conceal URLs is with the authorization syntax http://[email protected] will not get you to one of microsoft's sites, but to somewhereelse.com+ !another way to conceal URLs is with the authorization syntax, e.g. **%%http://[email protected]%%** will not get you to one of microsoft's sites, but to **somewhereelse.com**
  ? html:backcolorXXX  ? html:backcolorXXX
  ! marks the background color of a html message.  ! marks the background color of a html message.
Line 27: Line 27:
  ! gets set when a message uses low contrast between foreground and background. Possibly to hide certain words.  ! gets set when a message uses low contrast between foreground and background. Possibly to hide certain words.
  ? html:comment  ? html:comment
- ! HTML comments can be used to hide words from dumb filters, while users get to see them just fine: VIA<!--thisisacomment-->GRA.+ ! HTML comments can be used to hide words from dumb filters, while users get to see them just fine:\\ 
 +VIA<!--thisisacomment-->GRA.
  ? html:cidsrc  ? html:cidsrc
  ! image source referencing an attachment by its cid  ! image source referencing an attachment by its cid
Line 57: Line 58:
  ! This one works just like the comment trick. Instead of placing a comment inside a word, spammers use invalid (thought up) html tags inside the word. The effect is the same.  ! This one works just like the comment trick. Instead of placing a comment inside a word, spammers use invalid (thought up) html tags inside the word. The effect is the same.
  ? html:numericentity  ? html:numericentity
- ! is set when a message contains a html numeric entity, like &amp;#86;. Numeric entities can be used to display special characters, like the Euro symbol. But they also can be used for normal characters, when spammers are trying to hide give-away words from filters. E.g. this spells 'VIAGRA': &amp;#86;&amp;#73;&amp;#65;&amp;#71;&amp;#82;&amp;#65;+ ! is set when a message contains a html numeric entity, like &amp;#86;. Numeric entities can be used to display special characters, like the Euro symbol. But they also can be used for normal characters, when spammers are trying to hide give-away words from filters. E.g. this spells 'VIAGRA': &amp;#86;&amp;#73;&amp;#65;&amp;#71;&#82;&amp;#65;
  ? html:td  ? html:td
  ! this one keeps track of the number of html table cells in an email. Usually, emails are just paragraphs of text. When they contain tables and when those tables contain many cells, something different may be going on.  ! this one keeps track of the number of html table cells in an email. Usually, emails are just paragraphs of text. When they contain tables and when those tables contain many cells, something different may be going on.
Line 65: Line 66:
  ! If a message has a mime-encoded attachment, POPFile stores the file name of the attachment in this pseudoword.  ! If a message has a mime-encoded attachment, POPFile stores the file name of the attachment in this pseudoword.
  ? spamassassin:<various>  ? spamassassin:<various>
- ! SpamAssassin tests+ %%SpamAssassin%% tests
  ? spamassassinlevel:spam  ? spamassassinlevel:spam
- ! counted once for every full point of SpamAssassin level+ ! counted once for every full point of %%SpamAssassin%% level
  ? subject:<various>  ? subject:<various>
  ! words found in the Subject header  ! words found in the Subject header
Line 73: Line 74:
  ! names and addresses in the To header  ! names and addresses in the To header
  ? trick:spacedout  ? trick:spacedout
- ! this gets set when a string is broken up by spaces or other random characters between the characters of a word. eg:  VIAGRA or V.I.A.G.R.A are easy to read, but break the string "VIAGRA".+ ! this gets set when a string is broken up by spaces or other random characters between the characters of a word.\\ 
 +eg:  V I A G R A or V.I.A.G.R.A are easy to read, but break the string "VIAGRA".
  ? trick:dottedwords  ? trick:dottedwords
  ! this is a fairly simple trick where words have dots in random places. eg: Mort.gage  ! this is a fairly simple trick where words have dots in random places. eg: Mort.gage
Line 81: Line 83:
  
  
-More information about spammer trickery that underlies some of these pseudowords can be found in [[http://www.jgc.org/tsc/| The Spammers' Compendium]]+More information about spammer trickery that underlies some of these pseudowords can be found in [[http://www.virusbtn.com/resources/spammerscompendium/index| The Spammers' Compendium]]
  
 === See also === === See also ===
   * [[Glossary:PseudoWord | Glossary: pseudoword]]   * [[Glossary:PseudoWord | Glossary: pseudoword]]
- 
 
faq/pseudowords.1202496561.txt.gz · Last modified: 2012/12/13 13:12 (external edit)
Old revisions

Should you find anything in the documentation that is incomplete, unclear, outdated or just plain wrong, please let us know and leave a note in the Documentation Forum.

Recent changes RSS feed Donate Driven by DokuWiki
The content of this wiki is protected by the GNU Fee Documentation License