Re: Question about a spam assassin rule
On Sat, 20 Nov 2010, David B Funk wrote: The idea was that most all legit 3 character HTML tags such as 'div' contained at least one of those letters ([dpry]) in them. So a purported tag that had none of them was not legit and thus probably bogus spammer spoor. With the evolution of HTML (xml, etc) that's no longer a safe asumption, so that rule probably FPs. The presence of multiple empty tag pairs might still be useful... Off the top of my head and untested: rawbody __EMPTY_HTML_TAG m,([a-z]+)/\1,i tflags __EMPTY_HTML_TAG multiple metaMANY_EMPTY_TAGS __EMPTY_HTML_TAG 9 This might already be a rule, I didn't look. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Activist: Someone who gets involved. Unregistered Lobbyist: Someone who gets involved with something the MSM doesn't approve of. -- WizardPC --- 27 days until TRON Legacy
Re: Question about a spam assassin rule
rawbody FR_3TAG_3TAG m'[abcefghijklmnoqstuvwxz]{3}/[abcefghijklmnoqstuvwxz]{3}'i It looks for an html tag containing exactly three characters followed by a closing tag which also contains exactly three characters. -- Bowie On 11/19/2010 2:51 PM, jmargi wrote: Does anyone have a detailed definition as to what this rule might mean? FR_3TAG_3TAG RAW I'm using spam assassin to check an HTML creative I'm making for a client of mine and that rule is popping up, I've searched all over the internet and can't find a definition.
Re: Question about a spam assassin rule
On 11/19/10 2:51 PM, Bowie Bailey bowie_bai...@buc.com wrote: rawbody FR_3TAG_3TAG m'[abcefghijklmnoqstuvwxz]{3}/[abcefghijklmnoqstuvwxz]{3}'i It looks for an html tag containing exactly three characters followed by a closing tag which also contains exactly three characters. But no instances of d,p,r or y. I'm sure that's a really clever trick for something, I just don't have a clue as to what it might be -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Question about a spam assassin rule
On Fri, 19 Nov 2010, Daniel McDonald wrote: On 11/19/10 2:51 PM, Bowie Bailey bowie_bai...@buc.com wrote: rawbody FR_3TAG_3TAG m'[abcefghijklmnoqstuvwxz]{3}/[abcefghijklmnoqstuvwxz]{3}'i It looks for an html tag containing exactly three characters followed by a closing tag which also contains exactly three characters. But no instances of d,p,r or y. I'm sure that's a really clever trick for something, I just don't have a clue as to what it might be It was an attempt to find obfsucated HTML junk that spamers were using to break up spammy words such as male medications EG: viasqz/sqzgra The idea was that most all legit 3 character HTML tags such as 'div' contained at least one of those letters ([dpry]) in them. So a purported tag that had none of them was not legit and thus probably bogus spammer spoor. With the evolution of HTML (xml, etc) that's no longer a safe asumption, so that rule probably FPs. -- Dave Funk University of Iowa dbfunk (at) engineering.uiowa.eduCollege of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527 #include std_disclaimer.h Better is not better, 'standard' is better. B{