Mailing List Archive

How to catch html paragraph style tricks
I have recently noticed the following, in quite a few SPAM messages.

I was a little surprised that it trips no standard rules in SA 2.60:

> <p style="font-size:0px; color:white">ipmq6.xl1qp.EafoK/j9ZXr0uYj641jBn2M.
> gks zlgllg, ytgqfe, csgrsy . wmtpin shx udcfkr, fxwkb, ovmfp . tlyob
> dzy wpgbt, nlssk, eowsj . abwvo jpdm eyo, eqps, cmym . cabxmm
> nksdhd nrltpa, vsfov, ctwf . yhvkv zhodp yeilxz, nufvkb, nwcuw . drly
> ngbsxu dcdcb, pywmkz, xytu . wxoky xefrdz gcokff, feoqfh, dajy . hohfpg

The actual content is much larger than the above, I've shortened it to save
bandwidth.

The background color of the message is also "white", so we have a zero size,
"white on white" font.

Am I missing something? Does anyone have suggestions?

Thank you,
--
Larry G. Starr - larrys@fullcompass.com or starrl@globaldialog.com
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347 FAX: 608-831-6330
===================================================================
There are only three sports: bullfighting, mountaineering and motor
racing, all the rest are merely games! - Ernest Hemmingway
Re: [spa] How to catch html paragraph style tricks
On Fri, 12 Mar 2004, Larry Starr wrote:
> I have recently noticed the following, in quite a few SPAM messages.

Here, this covers most 0 and 1 pt/px variants......

rawbody LOC_HTMLINVISTEXTZERO /style="?[^>"]*font-size: *[01]p[tx]/i
describe LOC_HTMLINVISTEXTZERO invisible text - zero point
score LOC_HTMLINVISTEXTZERO 1.8

While we got you here, here's the other trick that came out around that
time. Splitting the 'font' tag and its color attribute with a blank line.
Fools SA 2.60, so I made up this:

full LOC_HTMLSPLITFONT /<font color=\n{1,3}\#[a-z0-9]{6}\>/i
describe LOC_HTMLSPLITFONT font color on separate line from font tag
score LOC_HTMLSPLITFONT 0.7

Note that 'full' scans everything. An expensive test!

- Charles
Re: How to catch html paragraph style tricks
There are rules around to catch the 0 size font and others to catch
invisible fonts, which should be the case when the fg and bg colors match.
Unfortunately the official test doesn't seem to recognize a color of
'white', only a color of FFFFFF.

Try these. You may want to adjust the scores down, especially for the
white-font rule, since white would be legit on a dark background. (That
said, it hasn't FP'ed for me yet.)

rawbody LW_TINY_FONT_1 /<[^>]*font\-size\:[ \"]*1[^0-9]+[^>]*>/i
describe LW_TINY_FONT_1 Body contains 1pt font
score LW_TINY_FONT_1 10

rawbody LW_TINY_FONT_0 /<[^>]*font\-size\:[ \"]*[0\.]+\D[^>]*>/i
describe LW_TINY_FONT_0 Body contains 0pt font
score LW_TINY_FONT_0 10

rawbody LW_WHITE_FONT /<[^>]*font[ \-]color(?:\:white.*\;|\=\"white\")[^>]*>/i
describe LW_WHITE_FONT Font is white
score LW_WHITE_FONT 3

Loren
Re: How to catch html paragraph style tricks
"Loren Wilton" <lwilton@earthlink.net> writes:

> Unfortunately the official test doesn't seem to recognize a color of
> 'white', only a color of FFFFFF.

No, the official test translates most colors to their corresponding
hexadecimal values, of course. 3.0 will translate every standard and
X11 color.

In addition, the code looks for nearly invisible text which is sometimes
a better spam sign (although the score optimizer rated it lower). Also,
it's important to note that invisible text unfortunately happens
sometimes in innocent HTML email.

The 3.0 code does need more work on CSS. What set of $#%@ing morons
decided CSS would be a great idea in email? Isn't HTML bad enough?

Daniel

--
Daniel Quinlan anti-spam (SpamAssassin), Linux,
http://www.pathname.com/~quinlan/ and open source consulting
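
An added example, not part of the thread and not SpamAssassin's own code: a style-aware check in Python that parses inline `style` attributes, normalizes color names and short hex to six-digit hex before comparing foreground with background, and flags 0 to 1 pt/px font sizes. The function names, the small named-color table and the default white background are assumptions made for illustration, and the body is assumed to be already decoded.

```python
import re

# Constructed subset of named colors; a real filter maps the full HTML/X11 set.
NAMED = {"white": "ffffff", "black": "000000", "silver": "c0c0c0"}
STYLE_RE = re.compile(r'<[^>]*?\bstyle\s*=\s*(["\'])(.*?)\1', re.I | re.S)
SIZE_RE = re.compile(r'^(\d*\.?\d+)\s*(?:pt|px)?$', re.I)

def norm_color(value):
    """Return a 6-digit lowercase hex string, or None if not understood."""
    v = value.strip().lower()
    if v in NAMED:
        return NAMED[v]
    m = re.fullmatch(r'#([0-9a-f]{3}|[0-9a-f]{6})', v)
    if not m:
        return None
    h = m.group(1)
    return h if len(h) == 6 else "".join(c * 2 for c in h)

def parse_style(style):
    """Split 'a:b; c:d' into {property: value}, property names lowercased."""
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            prop, val = part.split(":", 1)
            decls[prop.strip().lower()] = val.strip()
    return decls

def hidden_text_findings(html, background="white"):
    """Return sorted reasons why inline styles in html hide their text."""
    bg = norm_color(background)
    reasons = set()
    for m in STYLE_RE.finditer(html):
        decls = parse_style(m.group(2))
        size = SIZE_RE.match(decls.get("font-size", ""))
        if size and float(size.group(1)) <= 1:   # 0px, 0.5pt, 1pt ...
            reasons.add("tiny-font")
        fg = norm_color(decls.get("color", ""))
        if fg is not None and fg == bg:          # white vs #FFF vs #ffffff
            reasons.add("fg-equals-bg")
    return sorted(reasons)

if __name__ == "__main__":
    # Constructed samples; the first is the tag quoted at the top of the thread.
    for sample in ('<p style="font-size:0px; color:white">gks zlgllg</p>',
                   "<span style='color:#FFF'>x</span>",
                   '<p style="font-size:10px; color:#000">visible</p>'):
        print(hidden_text_findings(sample), sample)
```

Passing the message's real background as `background` keeps white text on a dark page from being flagged, which is the false-positive case raised earlier in the thread.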
Re: How to catch html paragraph style tricks
----- Original Message -----
From: "Daniel Quinlan" <quinlan@pathname.com>
To: "Loren Wilton" <lwilton@earthlink.net>
|
| What set of $#%@ing morons
| decided CSS would be a great idea in email? Isn't HTML bad enough?
|

I think their stock symbol is MSFT

Greg
Re: How to catch html paragraph style tricks
From: "Greg Cirino - Cirelle Enterprises" <gcirino@cirelle.com>
> From: "Daniel Quinlan" <quinlan@pathname.com>
> To: "Loren Wilton" <lwilton@earthlink.net>
> |
> | What set of $#%@ing morons
> | decided CSS would be a great idea in email? Isn't HTML bad enough?
> |
>
> I think their stock symbol is MSFT

More S**t Fine Tomorrow.

{O,o}