Matthias Keller wrote:
> Matt Kettler wrote:
>> Magnus Holmgren wrote:
>>
>>> I see a fair amount of spam using <TEXTAREA style="visibility:
>>> hidden"> to hide bayes poison. Shouldn't a rule against that, or
>>> CSS-hidden text in general, be worthwile? I couldn't find any in the
>>> default 3.1.1 ruleset, nor at SARE.
>>>
>>
>> It certainly seems worth testing.
>>
>> Here's a rule I wrote (caution: word-wraps.. this should be 3 lines
>> long):
>>
>> rawbody L_STYLE_HIDDEN /<TEXTAREA
>> [^>]{0,50}style\s?=\s?"\s?visibility:\s?hidden\s?"[^>]{0,50}>/i
>> describe L_STYLE_HIDDEN has text with hidden visibility style
>> score L_STYLE_HIDDEN 0.1
>>
>> I added some allowance for other declarations in the textarea tag, and
>> the
>> insertion of whitespace at various spots...
>>
>> It may need further tweaking/tuning, but it's a first-stab.
>>
> Hi Matt
>
> I'm using this rule for quite some time now:
>
> rawbody MKE_HIDDEN1
> /<[^>]*\bstyle=[^>]*(?:visibility:\s*hidden|display:\s*none)/i
> describe MKE_HIDDEN1 Contains CSS-hidden text
> score MKE_HIDDEN1 3.5
>
That seems to be a nicer rule. My only concern would be that <[^>]* could be
rather slow. I'd change the * to a range-limit, to prevent SA from digging
through the entire body of a message that happens to be text/plain and starts
off with a < and has no > anywhere in it.
