Mailing List Archive

On Saturday 06 March 2004 23:26, Ilan Aisic wrote:
> Today I got a spam that achieved 9.9 points on my system.
> It took a look at it and apart from what it was selling,
> it had a weird box consisting of many lines of gray
> dots at the end of the HTML message.
> I checked the source of the message and discovered that
> it had a block of text in font size 1. the tag:
> <font style="font-size: 1pt">
> This font size did not trigger any rule. The same message had
> big fonts in the readable parts and it triggered HTML_FONT_BIG
> but nothing for the tiny font. Shouldn't this also be part
> of the core rules?
>
> The block itself had more than 12,000 characters which were more than
> 1400 words smilingly randomly selected from a dictionary, some
> puncutation marks but no grammer followed and it was
> nothing that made sense.
> I don't know what systems or rules this spammer was trying to fool.
>
> --ilan

But since your system was not fooled, why bother?
If its not broke, don't fix it.

--
_____________________________________
John Andersen

#-----------------------------------------
# Catch font uglies. Tiny fonts and odd color fonts.

rawbody LW_TINY_FONT_1 /<.[^>]font\-size\:[ \"]*1[^0-9]+[^>]*>/i
describe LW_TINY_FONT_1 Body contains 1pt font
score LW_TINY_FONT_1 10

rawbody LW_TINY_FONT_0 /<[^>]*font\-size\:[ \"]*[0\.]+\D[^>]*>/i
describe LW_TINY_FONT_0 Body contains 0pt font
score LW_TINY_FONT_0 10

rawbody LW_WHITE_FONT /<[^>]*font[
\-]color(?:\:white.*\;|\=\"white\")[^>]*>/i
describe LW_WHITE_FONT Font is white
score LW_WHITE_FONT 3

meta LW_BIG_AND_RED (HTML_FONT_BIG && HTML_FONTCOLOR_RED)
describe LW_BIG_AND_RED BIG RED TEXT
score LW_BIG_AND_RED 3


These work for me, and I have yet to get an FP on the font size 0 or 1
tests, although there is 1 FP on a previous version of the 0pt test in Bob's
corpus. I need to rerun this one and make sure I cleaned that up.

The white font test WILL fp, but used with other things it is useful, which
is why it doesn't have crowbar score (for me).

Interestingly, I haven't had the big-red test FP yet, and get quite a few
hits, but it didn't get even a single hit (either way) in Bob's corpus.

Loren

On Sun, 7 Mar 2004, Ilan Aisic wrote:
> I checked the source of the message and discovered that
> it had a block of text in font size 1. the tag:
> <font style="font-size: 1pt">

This trick came into use since the last core rules revision.
Here's the rule I've been using, which covers 0pt 1pt 0px 1px....
rawbody LOC_HTMLINVISTEXTZERO /style="?[^>"]*font-size: *[01]p[tx]/i
describe LOC_HTMLINVISTEXTZERO invisible text - zero point
score LOC_HTMLINVISTEXTZERO 1.8

> I don't know what systems or rules this spammer was trying to fool.

Batches of random words are intended to poison bayesian 'learning'
systems. They don't work very well, and when they lack punctuation, they
are actually another spam sign.... :-)

- Charles