RE: [SAtalk] More HTML Obfuscation: This One Made It Through

2003-10-14 Thread Larry Gilson
Hi Keith, Thanks for the reply! -Original Message- From: Keith C. Ivey Sent: Monday, October 13, 2003 11:31 PM To: [EMAIL PROTECTED] Subject: RE: [SAtalk] More HTML Obfuscation: This One Made It Through Larry Gilson [EMAIL PROTECTED] wrote: ### I wrapped the rawbody line

Re: [SAtalk] More HTML Obfuscation: This One Made It Through

2003-10-14 Thread Kris Deugau
Keith C. Ivey wrote: One fairly easily detectable spam sign is the almost-white text (used to hide the irrelevant words), like this: font face=Arialfont color=#F2argumentation scabby writhe/font That should have triggered HTML_FONT_INVISIBLE, but I think that test has some bugs. It

[SAtalk] More HTML Obfuscation: This One Made It Through

2003-10-13 Thread Bill Polhemus
Here's another one from a batch of several that have gotten through SA 2.55 over the last several days. They use the spurious HTML tags to break up the text and get it through the Bayesian filter. I'm running these through every time I get one--and luckily, there've only been about one or two

RE: [SAtalk] More HTML Obfuscation: This One Made It Through

2003-10-13 Thread Larry Gilson
:[EMAIL PROTECTED] Sent: Monday, October 13, 2003 9:15 PM To: 'SA' Subject: [SAtalk] More HTML Obfuscation: This One Made It Through Here's another one from a batch of several that have gotten through SA 2.55 over the last several days. They use the spurious HTML tags to break up

Re: [SAtalk] More HTML Obfuscation: This One Made It Through

2003-10-13 Thread Keith C. Ivey
Bill Polhemus [EMAIL PROTECTED] wrote: They use the spurious HTML tags to break up the text and get it through the Bayesian filter. I don't see any text actually broken up. There's just not that much to trigger on. The drug names (most of which aren't in the default rules yet) are broken

RE: [SAtalk] More HTML Obfuscation: This One Made It Through

2003-10-13 Thread Keith C. Ivey
Larry Gilson [EMAIL PROTECTED] wrote: ### I wrapped the rawbody line to keep the integrity of the ### rule. # Invisible text color in font tag rawbody MY_RBDY_INVSTXT /font.* color=(?\#?F[0-9A-F]?|?white?).*/i describe MY_RBDY_INVSTXTMY: Invisible text color score

RE: [SAtalk] More HTML Obfuscation: This One Made It Through

2003-10-13 Thread Bill Polhemus
] [mailto:[EMAIL PROTECTED] On Behalf Of Keith C. Ivey Sent: Monday, October 13, 2003 9:27 PM To: [EMAIL PROTECTED] Subject: Re: [SAtalk] More HTML Obfuscation: This One Made It Through Bill Polhemus [EMAIL PROTECTED] wrote: They use the spurious HTML tags to break up the text and get it through

Re: [SAtalk] More HTML Obfuscation: This One Made It Through

2003-10-13 Thread Daniel Quinlan
Larry Gilson [EMAIL PROTECTED] writes: Two SA rules to help immediately with this are: ### I wrapped the rawbody line to keep the integrity of the rule. # Invisible text color in font tag rawbody MY_RBDY_INVSTXT /font.* color=(?\#?F[0-9A-F]?|?white?).*/i describe