Hi Keith,
Thanks for the reply!
-----Original Message-----
From: Keith C. Ivey
Sent: Monday, October 13, 2003 11:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [SAtalk] More HTML Obfuscation: This One Made It Through
Larry Gilson [EMAIL PROTECTED] wrote:
### I wrapped the rawbody line
Keith C. Ivey wrote:
One fairly easily detectable spam sign is the almost-white text
(used to hide the irrelevant words), like this:
font face=Arialfont color=#F2argumentation scabby
writhe/font
That should have triggered HTML_FONT_INVISIBLE, but I think
that test has some bugs.
It
Here's another one from a batch of several that have gotten through SA 2.55
over the last several days. They use the spurious HTML tags to break up the
text and get it through the Bayesian filter.
I'm running these through every time I get one--and luckily, there've only
been about one or two
:[EMAIL PROTECTED]
Sent: Monday, October 13, 2003 9:15 PM
To: 'SA'
Subject: [SAtalk] More HTML Obfuscation: This One Made It Through
Here's another one from a batch of several that have gotten
through SA 2.55 over the last several days. They use the
spurious HTML tags to break up
Bill Polhemus [EMAIL PROTECTED] wrote:
They use the
spurious HTML tags to break up the text and get it through the
Bayesian filter.
I don't see any text actually broken up. There's just not that
much to trigger on. The drug names (most of which aren't in
the default rules yet) are broken
Larry Gilson [EMAIL PROTECTED] wrote:
### I wrapped the rawbody line to keep the integrity of the
### rule.
# Invisible text color in font tag
rawbody MY_RBDY_INVSTXT
/font.* color=(?\#?F[0-9A-F]?|?white?).*/i
describe MY_RBDY_INVSTXT MY: Invisible text color
score
[mailto:[EMAIL PROTECTED] On Behalf Of Keith C. Ivey
Sent: Monday, October 13, 2003 9:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [SAtalk] More HTML Obfuscation: This One Made It Through
Bill Polhemus [EMAIL PROTECTED] wrote:
They use the
spurious HTML tags to break up the text and get it through
Larry Gilson [EMAIL PROTECTED] writes:
Two SA rules to help immediately with this are:
### I wrapped the rawbody line to keep the integrity of the rule.
# Invisible text color in font tag
rawbody MY_RBDY_INVSTXT
/font.* color=(?\#?F[0-9A-F]?|?white?).*/i
describe