Matthias Keller wrote: > Matt Kettler wrote: >> Magnus Holmgren wrote: >> >>> I see a fair amount of spam using <TEXTAREA style="visibility: >>> hidden"> to hide bayes poison. Shouldn't a rule against that, or >>> CSS-hidden text in general, be worthwile? I couldn't find any in the >>> default 3.1.1 ruleset, nor at SARE. >>> >> >> It certainly seems worth testing. >> >> Here's a rule I wrote (caution: word-wraps.. this should be 3 lines >> long): >> >> rawbody L_STYLE_HIDDEN /<TEXTAREA >> [^>]{0,50}style\s?=\s?"\s?visibility:\s?hidden\s?"[^>]{0,50}>/i >> describe L_STYLE_HIDDEN has text with hidden visibility style >> score L_STYLE_HIDDEN 0.1 >> >> I added some allowance for other declarations in the textarea tag, and >> the >> insertion of whitespace at various spots... >> >> It may need further tweaking/tuning, but it's a first-stab. >> > Hi Matt > > I'm using this rule for quite some time now: > > rawbody MKE_HIDDEN1 > /<[^>]*\bstyle=[^>]*(?:visibility:\s*hidden|display:\s*none)/i > describe MKE_HIDDEN1 Contains CSS-hidden text > score MKE_HIDDEN1 3.5 >
That seems to be a nicer rule. My only concern would be that <[^>]* could be rather slow. I'd change the * to a range-limit, to prevent SA from digging through the entire body of a message that happens to be text/plain and starts off with a < and has no > anywhere in it.