On 12/01/2010 06:28, Chip M. wrote:

Presently it renders them as plain text. I'm fully aware of the
potential problems with it. Ideally I'd like to be able to render
those parts as HTML, but I need to be 100% sure that I've stripped
out anything dangerous (including embedded remote content by
default) first. It's on the "ToDo List" page.

Nice job Mike! :)

I wrestled with that same issue when I added direct viewing of HTML
content to my offline analysis/FP-pipeline/MassChecks tool.

Originally, I was using an ActiveX wrapper around IE, which (of
course) made me nervous.  I added some VERY simple, crude tag
stripping (script, iframe, style), but was never happy with it.
I ended up switching to an open source HTML rendering component
which :) lacked support for all the scary stuff.

Whatever you decide to do, please do post more about it, and q'pla!

I shall. There are a multitude of modules on CPAN for fixing up HTML and stripping out tags. I just need to find time to test them. I've got to figure out how to "cleanse" the CSS as well. E.g., you can execute JavaScript from CSS with stuff like: background:url("javascript:someFunction();")

I'm also aware of the issues surrounding people potentially
uploading images and then linking to them from spam websites or
spam. That's why I've put HTTP Referer restrictions in place.

Perhaps redirecting to an image saying something like
"this is spam"? :)

Then people couldn't share direct links to email parts such as images. For example, if I went to http://spamalyser.com/v/6xnb26gp/ and clicked on the image, it would give me a direct link to the image. I might then IM that link to somebody. When they click on the URL, the Referer won't be valid and I don't want it to display a "This is spam" image. So what it does is redirect you back to http://spamalyser.com/v/6xnb26gp/ and jump to the point on the page where the image is displayed. It's a little difficult to explain.

What about requiring registration?  Yes, it's not enough to
stop the most determined, but will whittle it down to the least
stupid.

Requiring registration in order to paste emails won't get rid of the problem. Requiring registration in order to read the pasted emails would completely solve the problem, however I think that would also stop most people from using the service. I'm trying to keep it simple.

Anywho, this is probably getting off topic now.

--
Mike Cardwell    : UK based IT Consultant, LAMP developer, Linux admin
Cardwell IT Ltd. : UK Company - http://cardwellit.com/       #06920226
Technical Blog   : Tech Blog  - https://secure.grepular.com/blog/
Spamalyser       : Spam Tool  - http://spamalyser.com/
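One way to implement the sanitising step discussed above (allow-listing tags and attributes, dropping script/iframe/style together with their content, refusing javascript: URLs in href/src even when obfuscated with tabs or entities, rejecting any inline CSS value that could carry url() or expression(), and blocking remote http/https content by default). This is an added example written for this page in Python; it is not Mike's code, not Spamalyser's code, and not any of the CPAN modules mentioned. The allow-lists, the Sanitizer/sanitize_html names and the SAMPLE message are my own assumptions, and SAMPLE is constructed, not a real spam sample.

```python
"""Allow-list HTML/CSS sanitiser for rendering untrusted e-mail bodies.

Added example, not code from the thread or from Spamalyser. Assumptions (mine):
tags outside ALLOWED_TAGS are unwrapped (tag dropped, text kept); elements in
DROP_WITH_CONTENT vanish with everything inside them; every on* handler is
dropped; href may only be http/https/mailto; src may only be cid: (an inline
part served by the viewer) unless allow_remote=True lets http/https through.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "b", "blockquote", "br", "div", "em", "font", "h1", "h2", "h3", "hr",
                "i", "img", "li", "ol", "p", "pre", "span", "strong", "table", "tbody",
                "td", "th", "tr", "u", "ul"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet",
                     "noscript", "head", "title", "svg", "math"}
VOID_TAGS = {"br", "hr", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "font": {"color", "face", "size"}, "td": {"colspan", "rowspan"},
                 "th": {"colspan", "rowspan"}}
GLOBAL_ATTRS = {"style", "class"}
URL_ATTRS = {"href", "src", "background"}
ALLOWED_CSS = {"color", "background-color", "font-weight", "font-style", "font-size",
               "font-family", "text-align", "text-decoration", "margin", "padding", "border"}
# No parentheses, quotes, slashes, colons or backslashes in a CSS value: one rule
# rejects url(), expression(), javascript:, @import and \6a-style escapes.
CSS_VALUE_RE = re.compile(r"^[A-Za-z0-9 #%.,!-]+$")
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")
# Old browsers ignore controls/whitespace inside a scheme ("java\tscript:"); strip them
# before classifying. Entities such as &#106;avascript: are decoded by HTMLParser first.
CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")


class Sanitizer(HTMLParser):
    def __init__(self, allow_remote=False):
        super().__init__(convert_charrefs=True)
        self.allow_remote = allow_remote
        self.out, self.stack, self.skip, self.blocked_remote = [], [], 0, 0

    def _clean_url(self, attr, value):
        m = SCHEME_RE.match(CONTROL_RE.sub("", value).lower())
        if not m:            # relative URL: would resolve against the viewer's own site
            return None
        scheme = m.group(1)
        if attr == "href":
            return value.strip() if scheme in ("http", "https", "mailto") else None
        if scheme == "cid":  # inline MIME part, served by the viewer itself
            return value.strip()
        if scheme in ("http", "https"):
            if self.allow_remote:
                return value.strip()
            self.blocked_remote += 1   # tracking pixel / remote image blocked by default
        return None

    def _clean_style(self, value):
        value = re.sub(r"/\*.*?\*/", "", value, flags=re.S)   # comments can hide "url("
        kept = []
        for decl in value.split(";"):
            if ":" in decl:
                prop, val = (s.strip() for s in decl.split(":", 1))
                if prop.lower() in ALLOWED_CSS and CSS_VALUE_RE.match(val):
                    kept.append(f"{prop.lower()}: {val}")
        return "; ".join(kept) or None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        parts = []
        for name, value in attrs:               # HTMLParser already lowercases names
            if value is None or name.startswith("on"):
                continue
            if name not in GLOBAL_ATTRS and name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name in URL_ATTRS:
                value = self._clean_url(name, value)
            elif name == "style":
                value = self._clean_style(value)
            if value is not None:
                parts.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag in VOID_TAGS or tag not in self.stack:
            return
        while self.stack:                       # close anything still open inside it
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass   # conditional comments, and anything hidden in them, are dropped

    def result(self):
        self.close()
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_html(html, allow_remote=False):
    """Return (clean_html, number_of_remote_references_blocked)."""
    s = Sanitizer(allow_remote=allow_remote)
    s.feed(html)
    return s.result(), s.blocked_remote


# Constructed sample body (not a real spam): every trick here should be neutralised.
SAMPLE = (
    '<html><head><title>x</title><style>body{background:url("javascript:alert(1)")}</style></head>'
    '<body onload="alert(1)">'
    "<p style='color:#c00; background:url(\"javascript:someFunction();\")'>Hi</p>"
    '<script>alert(1)</script>'
    '<a href="java&#9;script:alert(1)">click</a> <a href="https://example.test/">ok</a>'
    '<img src="http://tracker.example.test/pixel.gif"><img src="cid:part1@example.test">'
    '<iframe src="http://example.test/"><b>inside</b></iframe><b>after</b></body></html>'
)
```

Running `sanitize_html(SAMPLE)` keeps only the `color` declaration of the paragraph's style, strips the obfuscated javascript: link down to a bare `<a>`, drops the tracking pixel (counted in the second return value) while keeping the cid: image, and discards the whole iframe. Two caveats worth knowing before relying on something like this: an unclosed `<iframe>` or `<object>` makes the parser discard everything after it (safe, but silently lossy), and the CSS filter is deliberately blunt, so legitimate `font-family: "Times New Roman"` values with quotes are lost too.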
