Larry Gilson <[EMAIL PROTECTED]> writes:

> Two SA rules to help immediately with this are:
>
> ### I wrapped the rawbody line to keep the integrity of the rule.
> # Invisible text color in font tag
> rawbody MY_RBDY_INVSTXT
> /<font.* color=("?\#?FFFFF[0-9A-F]"?|"?white"?).*>/i
> describe MY_RBDY_INVSTXT MY: Invisible text color
> score MY_RBDY_INVSTXT 2.0

2.60 has two much more accurate versions of this rule.

body HTML_FONT_INVISIBLE eval:html_test('font_invisible')
describe HTML_FONT_INVISIBLE HTML font color is same as background
score HTML_FONT_INVISIBLE 0.938 0.446 0.957 0.601

body HTML_FONT_LOW_CONTRAST eval:html_test('font_near_invisible')
describe HTML_FONT_LOW_CONTRAST HTML font color similar to background
score HTML_FONT_LOW_CONTRAST 0

> # Obfuscate text by using ISO 8859-1 character set DEC encoding
> rawbody MY_RBDY_OBFU_ISOD /&\#(6[5-9]|[7-9][0-9]|1[0-1][0-9]|12[0-6])\D/
> describe MY_RBDY_OBFU_ISOD MY: OBFU text with ISO DEC set
> score MY_RBDY_OBFU_ISOD 4.0

I think we tested this idea before, I'll try writing up a few rules for
testing.

> If you ever get HEX encoding, you can use:
> # Obfuscate text by using ISO 8859-1 character set HEX encoding
> rawbody MY_RBDY_OBFU_ISOH /\%(4[1-9]|[5-7][0-9]|[4-6][A-F]|7[A-E])\D/i
> describe MY_RBDY_OBFU_ISOH MY: OBFU text with ISO HEX set
> score MY_RBDY_OBFU_ISOH 4.0

The HTTP_EXCESSIVE_ESCAPES rule is basically the same as this rule.

Daniel

-- 
Daniel Quinlan                      anti-spam (SpamAssassin), Linux, and open
http://www.pathname.com/~quinlan/   source consulting (looking for new work)

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
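
Added example, not part of the original message and not SpamAssassin code: the three quoted rawbody patterns ported to Python's `re` and run over constructed sample lines, to show what they hit and what they miss. The sample lines and the helper names `hits` and `decode_ascii_refs` are assumptions made for the illustration, and each sample is treated as one line of raw body.

```python
import re

# The three rawbody patterns quoted in the message, ported from Perl to Python.
RULES = {
    "MY_RBDY_INVSTXT": re.compile(
        r'<font.* color=("?\#?FFFFF[0-9A-F]"?|"?white"?).*>', re.I),
    "MY_RBDY_OBFU_ISOD": re.compile(
        r'&\#(6[5-9]|[7-9][0-9]|1[0-1][0-9]|12[0-6])\D'),
    "MY_RBDY_OBFU_ISOH": re.compile(
        r'\%(4[1-9]|[5-7][0-9]|[4-6][A-F]|7[A-E])\D', re.I),
}


def hits(line):
    """Return the sorted names of the rules whose pattern matches the line."""
    return sorted(name for name, rx in RULES.items() if rx.search(line))


def _decode_one(match):
    # Only decode references in the range the decimal rule targets (65..126).
    code = int(match.group(1))
    return chr(code) if 65 <= code <= 126 else match.group(0)


def decode_ascii_refs(line):
    """Show the text a mail client would render for decimal references."""
    return re.sub(r'&#(\d+);', _decode_one, line)


# Constructed sample lines (not taken from real mail).
INVISIBLE = '<font size=1 color="#FFFFFF">filler words</font>'
ENTITY = 'Get your &#102;&#114;&#101;&#101; trial'
COPYRIGHT = 'Copyright &#169; 2003, all rights reserved'
TILDE_URL = 'See http://www.example.com/%7Euser/ for details'
SPACE_URL = 'http://www.example.com/price%20list.html'

if __name__ == "__main__":
    for sample in (INVISIBLE, ENTITY, COPYRIGHT, TILDE_URL, SPACE_URL):
        print(hits(sample), "|", decode_ascii_refs(sample))
```

The `TILDE_URL` line is an ordinary home-directory URL with an escaped `~`, and it still triggers the hex rule, which is worth weighing against that rule's 4.0 score.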