On Tue, 22 Dec 2020, Loren Wilton wrote:
>>>> On 16 Dec 2020, at 23:21, Loren Wilton <lwilton@earthlink.net> wrote:
>>>>> I just got a batch of spams containing
>>>>>
>>>>> <span style="display:none">
>>>>
>>> Such rules are there. Unfortunately, for whatever reason, lots of ham uses
>>> "invisible" text so it's not useful as a spam sign by itself and it's hard
>>> to come up with any useful combination rules.
>>
>> I think I may have figured it out - tracking images. Like:
>>
>> <img src="long unique tracking uri" width="0" height="0" border="0"
>> style="visibility: hidden !important; display:none !important; max-height:
>> 0; width: 0; line-height: 0; mso-hide: all;">
>
> Note in your example the display:none is in a contained tag and not in an
> opening tag of a span. The tag is probably fairly long because the URL is
> probably huge, but it is still the one item that is hidden.
Right, but __STY_INVIS is currently tag-blind (it only looks for the
style="" clause), so it hits that, and if lots of ham is hiding tracking
images that way that might explain the poor S/O.
> I put in a local rawbody rule for
> m'<span style="display:none">.{100,}(?:$|</span>)'is
> and so far I haven't gotten any hits on ham.
How much spam hits that very simple case? I had a __SPAN_INVIS rule
(currently commented out) but IIRC it also had poor S/O. It wasn't as
simple as yours, though - perhaps I'm allowing for too many
syntactically-valid cases to try to avoid trivial avoidance by spam?
> Of course that is a pretty heavy rule
It would be lighter if you didn't look for the tag closing. Is there a
reason you care about the closing for that?
--
John Hardin KA7OHZ
http://www.impsec.org/~jhardin/ jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
3 days until Christmas