"Kevin A. McGrail" <[EMAIL PROTECTED]> wrote:
However, this rule does trigger on the technique I sent. I want to work
on the nested anchor idea as well but in the meantime, I'd like to hear
feedback on this trigger. It seemed REALLY spammy to me. Anyone get any
hits with this against their HAM or SPAM corpuses?
# PHISHING TEST
rawbody KAM_PHISH1 /u style="cursor: pointer"/
describe KAM_PHISH1 Test for PHISH that changes the cursor
score KAM_PHISH1 0.01
Something sent with Incredimail! has this in it (originally one line)
<TD id=INCREDITEXTREGION style="FONT-SIZE: 18pt; CURSOR: auto"
vAlign=top width="100%">
Something in Spanish that was reported as spam had this (again,
originally one line):
<table title='' onselectstart='return false;' style='cursor:hand;
display:inline' border=0 width='100' cellpadding=0 cellspacing=0>
That's five days of reported spam, 1,920 messages.
Is there an SA rule that checks for nested anchors? (Either in 3.1 or
SARE.) Any signs of this idiom in ham corpuses?
I must have missed this original message. Was there an example?
I've been working on an MD subroutine using HTML::TokeParser.
It goes into 'state' when it comes to an <a> tag, and checks what
comes from there up to the next </a>. I had not thought of needing
to nest them. Or is it just a test of bad html to come across <a>
when you're already in an <a>?
Joseph Brennan
Columbia University Information Technology
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
