Matt Kettler wrote:
Magnus Holmgren wrote:
I see a fair amount of spam using <TEXTAREA style="visibility: hidden"> to
hide bayes poison. Shouldn't a rule against that, or CSS-hidden text in
general, be worthwile? I couldn't find any in the default 3.1.1 ruleset, nor
at SARE.
It certainly seems worth testing.
Here's a rule I wrote (caution: word-wraps.. this should be 3 lines long):
rawbody L_STYLE_HIDDEN /<TEXTAREA
[^>]{0,50}style\s?=\s?"\s?visibility:\s?hidden\s?"[^>]{0,50}>/i
describe L_STYLE_HIDDEN has text with hidden visibility style
score L_STYLE_HIDDEN 0.1
I added some allowance for other declarations in the textarea tag, and the
insertion of whitespace at various spots...
It may need further tweaking/tuning, but it's a first-stab.
Hi Matt
I'm using this rule for quite some time now:
rawbody MKE_HIDDEN1
/<[^>]*\bstyle=[^>]*(?:visibility:\s*hidden|display:\s*none)/i
describe MKE_HIDDEN1 Contains CSS-hidden text
score MKE_HIDDEN1 3.5
In my opinion you shouldn't limit it to textareas as I've seen them on
DIVs and others too...
So to me, any visibility:hidden or display:none is suspect as I dont see
any legitimate use in emails
In my spams, this rule matches around 4% of all spams, I haven't seen
any ham matches yet
Feel free to mass check it and/or include it into your coding rules. But
if you do please inform me that I can remove my local copy then.
Matt
