Re: Question about a spam assassin rule

2010-11-20 Thread John Hardin

On Sat, 20 Nov 2010, David B Funk wrote:


> The idea was that most all legit 3 character HTML tags such as 'div'
> contained at least one of those letters ([dpry]) in them. So a purported
> tag that had none of them was not legit and thus probably bogus spammer
> spoor.
> With the evolution of HTML (xml, etc) that's no longer a safe
> assumption, so that rule probably FPs.


The presence of multiple empty tag pairs might still be useful...

Off the top of my head and untested:

rawbody __EMPTY_HTML_TAG  m,<([a-z]+)></\1>,i
tflags  __EMPTY_HTML_TAG  multiple
meta    MANY_EMPTY_TAGS   __EMPTY_HTML_TAG > 9

This might already be a rule, I didn't look.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Activist: Someone who gets involved.
  Unregistered Lobbyist: Someone who gets involved with something
the MSM doesn't approve of.   -- WizardPC
---
 27 days until TRON Legacy


Re: Question about a spam assassin rule

2010-11-19 Thread Bowie Bailey

rawbody  FR_3TAG_3TAG  m'<[abcefghijklmnoqstuvwxz]{3}></[abcefghijklmnoqstuvwxz]{3}>'i

It looks for an html tag containing exactly three characters followed by
a closing tag which also contains exactly three characters.

-- 
Bowie

On 11/19/2010 2:51 PM, jmargi wrote:
> Does anyone have a detailed definition as to what this rule might mean?
>
> FR_3TAG_3TAG RAW
>
> I'm using spam assassin to check an HTML creative I'm making for a client of
> mine and that rule is popping up, I've searched all over the internet and
> can't find a definition.


Re: Question about a spam assassin rule

2010-11-19 Thread Daniel McDonald
On 11/19/10 2:51 PM, Bowie Bailey <bowie_bai...@buc.com> wrote:

> rawbody  FR_3TAG_3TAG  m'<[abcefghijklmnoqstuvwxz]{3}></[abcefghijklmnoqstuvwxz]{3}>'i
>
> It looks for an html tag containing exactly three characters followed by
> a closing tag which also contains exactly three characters.

But no instances of d,p,r or y.  I'm sure that's a really clever trick for
something, I just don't have a clue as to what it might be


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281



Re: Question about a spam assassin rule

2010-11-19 Thread David B Funk
On Fri, 19 Nov 2010, Daniel McDonald wrote:

> On 11/19/10 2:51 PM, Bowie Bailey <bowie_bai...@buc.com> wrote:
>
>> rawbody  FR_3TAG_3TAG  m'<[abcefghijklmnoqstuvwxz]{3}></[abcefghijklmnoqstuvwxz]{3}>'i
>>
>> It looks for an html tag containing exactly three characters followed by
>> a closing tag which also contains exactly three characters.
>
> But no instances of d,p,r or y.  I'm sure that's a really clever trick for
> something, I just don't have a clue as to what it might be

It was an attempt to find obfuscated HTML junk that spammers were
using to break up spammy words such as male medications

EG: via<sqz></sqz>gra

The idea was that most all legit 3 character HTML tags such as 'div'
contained at least one of those letters ([dpry]) in them. So a purported
tag that had none of them was not legit and thus probably bogus spammer
spoor.
With the evolution of HTML (xml, etc) that's no longer a safe
assumption, so that rule probably FPs.


-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
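
Added example, not part of the thread and not SpamAssassin code: a Python check of the two patterns discussed above against constructed samples, showing where FR_3TAG_3TAG false-positives on newer tags and how the back-reference variant differs. It assumes the angle brackets implied by the descriptions in the thread, and it approximates `tflags multiple` by counting matches over one string; the function names are hypothetical.

```python
import re

# FR_3TAG_3TAG as quoted in the thread. Assumption: the literal angle
# brackets around each three-letter name, as the description implies.
FR_3TAG_3TAG = re.compile(
    r"<[abcefghijklmnoqstuvwxz]{3}></[abcefghijklmnoqstuvwxz]{3}>", re.I)

# The untested __EMPTY_HTML_TAG suggestion: an empty pair whose closing
# name must equal the opening name (back-reference \1).
EMPTY_HTML_TAG = re.compile(r"<([a-z]+)></\1>", re.I)
MANY_EMPTY_TAGS_LIMIT = 9  # the meta fires when the hit count is > 9


def fr_3tag_3tag(raw):
    """True if the old rule would hit anywhere in the raw body text."""
    return bool(FR_3TAG_3TAG.search(raw))


def empty_tag_count(raw):
    """Number of empty same-name tag pairs (stand-in for 'tflags multiple')."""
    return len(EMPTY_HTML_TAG.findall(raw))


def many_empty_tags(raw):
    """True if the suggested MANY_EMPTY_TAGS meta would fire."""
    return empty_tag_count(raw) > MANY_EMPTY_TAGS_LIMIT


# Constructed samples, not taken from real mail.
SAMPLES = {
    "obfuscated word": "via<sqz></sqz>gra",
    "legit, has d":    "<div></div>",
    "legit HTML5 nav": "<nav></nav>",   # no d, p, r or y: false positive
    "legit inline svg": "<svg></svg>",  # no d, p, r or y: false positive
    "mismatched pair": "<sqz></abc>",   # old rule ignores name mismatch
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:18} FR_3TAG_3TAG={fr_3tag_3tag(raw)!s:5} "
              f"empty_pairs={empty_tag_count(raw)}")
```

A single empty pair such as `<nav></nav>` still counts once under the back-reference rule, but only more than nine pairs in a message trip the meta.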