Re: Colored-in table attack.

2009-03-26 Thread John Hardin
On Thu, 26 Mar 2009, Justin Mason wrote: On Thu, Mar 26, 2009 at 03:48, John Hardin wrote: Yeah, the documentation lies. multiline rawbody works just fine in 3.2.x could someone open a bug to fix this? thanks ;) https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6091 -- John Hardin

RE: Colored-in table attack.

2009-03-26 Thread Bowie Bailey
Giampaolo Tomassoni wrote: > > From: LuKreme [mailto:krem...@kreme.com] > > > > On 25-Mar-2009, at 11:24, Giampaolo Tomassoni wrote: > > > rawbody LARGETABLE > > > m' > > tr'is > > > > > > Just to be sure my parsing is working correctly, that is flagging if > > there are 30 or more TDs in a si

Re: Colored-in table attack.

2009-03-26 Thread Justin Mason
On Thu, Mar 26, 2009 at 03:48, John Hardin wrote: > On Wed, 25 Mar 2009, John Hardin wrote: > >>> >   On Wed, 25 Mar 2009, Giampaolo Tomassoni wrote: >>> > >   So why this actually works to me? >>> > > > >   rawbody   LARGETABLE >>> > > >>> > > m'> >> Then the documentation appears to be out of da

RE: Colored-in table attack.

2009-03-26 Thread Giampaolo Tomassoni
> -Original Message- > From: LuKreme [mailto:krem...@kreme.com] > Sent: Wednesday, March 25, 2009 6:49 PM > > On 25-Mar-2009, at 11:24, Giampaolo Tomassoni wrote: > > rawbody LARGETABLE > > m' > tr'is > > > Just to be sure my parsing is working correctly, that is flagging if > there ar

Re: Colored-in table attack.

2009-03-25 Thread John Hardin
On Wed, 25 Mar 2009, John Hardin wrote: > On Wed, 25 Mar 2009, Giampaolo Tomassoni wrote: > > So why this actually works to me? > > > > rawbody LARGETABLE > > m' Then the documentation appears to be out of date. From http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_C

Re: Colored-in table attack.

2009-03-25 Thread LuKreme
On 25-Mar-2009, at 11:24, Giampaolo Tomassoni wrote: rawbody LARGETABLE m'tr'is Just to be sure my parsing is working correctly, that is flagging if there are 30 or more TDs in a single TR? If so, couldn't that be written a lot more compactly? Out of curiosity, what are you scoring tha

Re: Colored-in table attack.

2009-03-25 Thread John Hardin
On Wed, 25 Mar 2009, Kris Deugau wrote: John Hardin wrote: On Wed, 25 Mar 2009, Giampaolo Tomassoni wrote: > So why this actually works to me? > > rawbody LARGETABLE > m'> > Got SA 3.2.4. I had forgotten about tflags multiple - when did multiline rawbody get added? I thought "ra

Re: Colored-in table attack.

2009-03-25 Thread Kris Deugau
John Hardin wrote: On Wed, 25 Mar 2009, Giampaolo Tomassoni wrote: So why this actually works to me? rawbody LARGETABLE m' I had forgotten about tflags multiple - when did multiline rawbody get added? I thought "rawbody" was, literally, the raw message body considered as a single string.

RE: Colored-in table attack.

2009-03-25 Thread John Hardin
On Wed, 25 Mar 2009, Giampaolo Tomassoni wrote: From: John Hardin [mailto:jhar...@impsec.org] Unfortunately no, at least at this time. rawbody rules don't do multiline matching (which would allow column counting), and rules in general are just hit-or-miss, not hit-N-times. So why this actuall

RE: Colored-in table attack.

2009-03-25 Thread Giampaolo Tomassoni
> -Original Message- > From: John Hardin [mailto:jhar...@impsec.org] > Sent: Wednesday, March 25, 2009 5:40 PM > To: Ernie Dunbar > Cc: users@spamassassin.apache.org > Subject: Re: Colored-in table attack. > > On Wed, 25 Mar 2009, Ernie Dunbar wrote: > > &g

Re: Colored-in table attack.

2009-03-25 Thread John Hardin
On Wed, 25 Mar 2009, Ernie Dunbar wrote: Detection of such a message is a piece of cake. Any message containing a Very Large html table (even more than 50 table data fields, or one that is disproportionately wide could qualify) could trigger such a test, but I have no idea about how to do a co

Colored-in table attack.

2009-03-25 Thread Ernie Dunbar
ttp://ww