Anything in <> these days is a legit HTML tag unfortunately. At the same time, most of these patterns aren't used and can be filtered for. If this one spammer wants to keep using that one pattern, nail him with the following:
BODY 30 CONTAINS <alt=3D
I've been coding since 1996, and never once have I seen someone start a tag with <alt, and the =3D part just makes it safer to use since that will only happen as a result of an E-mail program doing conversion on the content for MIME compliance (or something like that).
That's what's great about these spammers. They are too fixated on words, and not aware of the patterns they create.
BTW, my experience is that BODY filters don't parse out the HTML tags before matching, only the comment tags, though I'd have to confirm the latter.
Matt
Kami Razvan wrote:
Hi Scott:
I just did a test.
in our filter files we have:
BODY 20 CONTAINS Banned CD
Here is an email I sent to myself from Hotmail. The filter is not triggered.
==========================================
X-OriginalArrivalTime: 26 Dec 2003 12:21:25.0569 (UTC) FILETIME=[C7EEA310:01C3CBAA]
X-IMAIL-SPAM-DNSBL: (BLARS,45416796,127.1.8.17)
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: FREEEMAILS:
X-RBL-Warning: FILTER-HEADER-XMAIL: Message failed FILTER-HEADER-XMAIL test (line 20, weight 5)
X-Declude-Sender: [EMAIL PROTECTED] [207.68.165.8]
X-Declude-Spoolname: D27c602b5015c4bff.SMD
X-Note: This E-mail was scanned & filtered by Declude [1.77i8] for SPAM & virus.
X-Spam Score: 5 [Blocked on 20+]
X-Note: Sent from Reverse DNS: sea2-f8.sea2.hotmail.com
X-Hello: hotmail.com
X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, IPNOTINMX, FREEEMAILS, FILTER-HEADER-XMAIL
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Country-Chain: UNITED STATES->destination
X-Declude-Date: 12/26/2003 12:21:25 [0]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 331473289
Ban</manifestation>ned C</palindrome>D!
==========================================
And then I sent one without the </..> tags, and it was caught.
==========================================
X-IMAIL-SPAM-DNSBL: (BLARS,47317340,127.1.8.17)
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: FREEEMAILS:
X-RBL-Warning: FILTER-HEADER-XMAIL: Message failed FILTER-HEADER-XMAIL test (line 20, weight 5)
X-RBL-Warning: FILTER-PORN: Message failed FILTER-PORN test (line 64, weight 20)
X-Declude-Sender: [EMAIL PROTECTED] [207.68.165.25]
X-Declude-Spoolname: D287b02d2015c0fa4.SMD
X-Note: This E-mail was scanned & filtered by Declude [1.77i8] for SPAM & virus.
X-Spam Score: 25 [Blocked on 20+]
X-Note: Sent from Reverse DNS: sea2-f25.sea2.hotmail.com
X-Hello: hotmail.com
X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, IPNOTINMX, FREEEMAILS, FILTER-HEADER-XMAIL, FILTER-PORN, WEIGHT20s, WEIGHT20r
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Country-Chain: UNITED STATES->destination
X-Declude-Date: 12/26/2003 12:24:26 [0]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 331473290
Banned CD
============================================
The first time I posted my notes about comments, it was based on this observation, but this time I did a test.
Look at the new type of insertions .. a totally legitimate HTML tag.
===================
ime>st Gen<alt=3Dhas come>eric
Viag<alt=3Di want>ra no<alt=3Dmonitor>w!</a><br><br>O<alt=3Dsignature>r te=
<alt=3Dfather>st on<alt=3Dmother>e
o<alt=3Dbrother>f o<alt=3Dsister>ur oth<alt=3Dtalk to me>er <alt=3Dwhen u =
can>pharma<alt=3Dgo around>cy products:<alt=3Dand check>
====================
<alt=..>: we are seeing a ton of emails with these inserted in the middle of the text, and they are not detected by the filters.
Regards,
Kami
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
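The two evasions in Kami's test messages (a word split by bogus closing tags, and quoted-printable `<alt=3D...>` fragments) run against a plain-substring body filter, as an added example that is not part of the original thread and is not Declude's own code. The rule lines follow the `BODY <weight> CONTAINS <text>` shape quoted above, but the parser, the sample bodies, the raw/normalized/combined scoring and case-insensitive matching are all constructed for illustration and are assumptions about how such a filter behaves, not a description of Declude's implementation.

```python
"""Tag-insertion evasion of substring body filters (constructed example)."""
import quopri
import re

# Constructed rule lines in the "BODY <weight> CONTAINS <text>" shape the
# thread shows. Matt's "<alt=3D" rule only works on the raw, still-encoded body.
RULES = """
BODY 20 CONTAINS Banned CD
BODY 20 CONTAINS Viagra
BODY 30 CONTAINS <alt=3D
"""

# Constructed sample bodies, copied/adapted from the thread's test messages.
SAMPLE_COMMENT_SPLIT = "Ban</manifestation>ned C</palindrome>D!"
SAMPLE_ALT_QP = (
    "Viag<alt=3Di want>ra no<alt=3Dmonitor>w!</a><br><br>O<alt=3Dsignature>r te=\n"
    "<alt=3Dfather>st on<alt=3Dmother>e"
)
SAMPLE_CLEAN = "Banned CD"

# Removes HTML comments and anything that looks like a tag, including the
# bogus "<alt=...>" and "</manifestation>" fragments spammers insert.
TAG_RE = re.compile(r"<!--.*?-->|<[^>]*>", re.DOTALL)


def parse_rules(text):
    """Parse 'BODY <weight> CONTAINS <needle>' lines into (weight, needle).

    Simplified parser for this example only; other rule types are ignored.
    """
    rules = []
    for line in text.splitlines():
        parts = line.strip().split(None, 3)
        if (len(parts) == 4 and parts[0].upper() == "BODY"
                and parts[2].upper() == "CONTAINS"):
            rules.append((int(parts[1]), parts[3]))
    return rules


def decode_qp(raw):
    """Undo quoted-printable: '=3D' becomes '=', soft line breaks ('=\\n') vanish."""
    return quopri.decodestring(raw.encode("latin-1")).decode("latin-1")


def strip_tags(html):
    """Drop every <...> span so split words are joined back together."""
    return TAG_RE.sub("", html)


def normalize(raw):
    """Decode first, then strip: a tag broken across a soft line break is
    only recognisable once the QP encoding has been removed."""
    return strip_tags(decode_qp(raw))


def evaluate(raw_body, rules):
    """Score a body three ways: against the raw text (what a naive CONTAINS
    sees), against the normalized text, and against either (combined).
    Matching is case-insensitive (an assumption for this example)."""
    raw_l = raw_body.lower()
    norm_l = normalize(raw_body).lower()
    raw_score = norm_score = combined = 0
    for weight, needle in rules:
        n = needle.lower()
        in_raw = n in raw_l
        in_norm = n in norm_l
        raw_score += weight if in_raw else 0
        norm_score += weight if in_norm else 0
        combined += weight if (in_raw or in_norm) else 0
    return {"raw": raw_score, "normalized": norm_score, "combined": combined}


if __name__ == "__main__":
    rules = parse_rules(RULES)
    for label, body in (("split", SAMPLE_COMMENT_SPLIT),
                        ("alt-qp", SAMPLE_ALT_QP),
                        ("clean", SAMPLE_CLEAN)):
        print(label, repr(normalize(body)), evaluate(body, rules))
```

The split-word sample scores nothing on the raw body and 20 once the tags are stripped, which is Kami's observation; the `<alt=3D` sample is the reverse, since decoding the quoted-printable turns `=3D` into `=` and the tag stripper then removes the fragment entirely, so a filter that only matches after normalization would lose Matt's signature. An operator wants both views: raw for encoding artifacts that only appear in spam, normalized for the words the spammer is trying to hide.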
