Matt Kettler wrote:
Matthias Keller wrote:
Matt Kettler wrote:
Magnus Holmgren wrote:
I see a fair amount of spam using <TEXTAREA style="visibility:
hidden"> to hide bayes poison. Shouldn't a rule against that, or
CSS-hidden text in general, be worthwile? I couldn't find any in the
default 3.1.1 ruleset, nor at SARE.
It certainly seems worth testing.
Here's a rule I wrote (caution: word-wraps.. this should be 3 lines
long):
rawbody L_STYLE_HIDDEN /<TEXTAREA
[^>]{0,50}style\s?=\s?"\s?visibility:\s?hidden\s?"[^>]{0,50}>/i
describe L_STYLE_HIDDEN has text with hidden visibility style
score L_STYLE_HIDDEN 0.1
I added some allowance for other declarations in the textarea tag, and
the
insertion of whitespace at various spots...
It may need further tweaking/tuning, but it's a first-stab.
Hi Matt
I'm using this rule for quite some time now:
rawbody MKE_HIDDEN1
/<[^>]*\bstyle=[^>]*(?:visibility:\s*hidden|display:\s*none)/i
describe MKE_HIDDEN1 Contains CSS-hidden text
score MKE_HIDDEN1 3.5
That seems to be a nicer rule. My only concern would be that <[^>]* could be
rather slow. I'd change the * to a range-limit, to prevent SA from digging
through the entire body of a message that happens to be text/plain and starts
off with a < and has no > anywhere in it.
Good idea
Thanks for pointing that out
Maybe a meta rule with IS_HTML or how that's called again might be a
good idea too
Let me know your mass check results then
Matt
