Larry Gilson <[EMAIL PROTECTED]> writes:
> Two SA rules to help immediately with this are:
>
> ### I wrapped the rawbody line to keep the integrity of the rule.
> # Invisible text color in font tag
> rawbody MY_RBDY_INVSTXT
> /<font.* color=("?\#?FFFFF[0-9A-F]"?|"?white"?).*>/i
> describe MY_RBDY_INVSTXT MY: Invisible text color
> score MY_RBDY_INVSTXT 2.0
2.60 has two much more accurate versions of this rule.
body HTML_FONT_INVISIBLE eval:html_test('font_invisible')
describe HTML_FONT_INVISIBLE HTML font color is same as background
score HTML_FONT_INVISIBLE 0.938 0.446 0.957 0.601
body HTML_FONT_LOW_CONTRAST eval:html_test('font_near_invisible')
describe HTML_FONT_LOW_CONTRAST HTML font color similar to background
score HTML_FONT_LOW_CONTRAST 0
> # Obfuscate text by using ISO 8859-1 character set DEC encoding
> rawbody MY_RBDY_OBFU_ISOD /&\#(6[5-9]|[7-9][0-9]|1[0-1][0-9]|12[0-6])\D/
> describe MY_RBDY_OBFU_ISOD MY: OBFU text with ISO DEC set
> score MY_RBDY_OBFU_ISOD 4.0
I think we tested this idea before, I'll try writing up a few rules for
testing.
> If you ever get HEX encoding, you can use:
> # Obfuscate text by using ISO 8859-1 character set HEX encoding
> rawbody MY_RBDY_OBFU_ISOH /\%(4[1-9]|[5-7][0-9]|[4-6][A-F]|7[A-E])\D/i
> describe MY_RBDY_OBFU_ISOH MY: OBFU text with ISO HEX set
> score MY_RBDY_OBFU_ISOH 4.0
The HTTP_EXCESSIVE_ESCAPES rule is basically the same as this rule.
Daniel
--
Daniel Quinlan anti-spam (SpamAssassin), Linux, and open
http://www.pathname.com/~quinlan/ source consulting (looking for new work)
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
