[SAtalk] those pesky small v*agra ads

Gary Funck Thu, 31 Jul 2003 16:21:55 -0700

I'm having trouble thinking of a good way to handle these short ads that fly
under SA's radar. I'm running 2.60(cvs), fyi.


Here's the HTML:

<html>
<body><font color="#ffffff">satchel <font color="#ffffff">brains <font
color="#ffffff">alexander <font color="#ffffff">evacuation <font
color="#ffffff">metier <font color="#ffffff">extant <font
color="#ffffff">crept <font color="#ffffff">bonaparte <font
color="#ffffff">ar <font color="#ffffff">testifiers <font
color="#ffffff">eventide <font color="#ffffff">acyclically <font
color="#ffffff">barrymore <font color="#ffffff">merlin <font
color="#ffffff">austin <font color="#ffffff">powersets <font
color="#ffffff">ploughman <font color="#ffffff">break <font
color="#ffffff">albuquerque <font color="#ffffff">corruptible <font
color="#ffffff">mendacity <font color="#ffffff">millinery <font
color="#ffffff">seating <font color="#ffffff">antares <font
color="#ffffff">microcomputers <font color="#ffffff">credulous <font
color="#ffffff">cross <font color="#ffffff">acuteness <font
color="#ffffff">pottery <font color="#ffffff">tallow <font
color="#ffffff">$RANDO
MIZE <font color="#ffffff">terse <font color="#ffffff">tenspot <font
color="#ffffff">exclamatory <font color="#ffffff">atkins <font
color="#ffffff">meandering <font color="#ffffff">ewe <font
color="#ffffff">humidistat <font color="#ffffff">bookings <font
color="#ffffff">hydrophobic <font color="#ffffff">beresford <font
color="#ffffff">talkatively <font color="#ffffff">polisher <font
color="#ffffff">aeolus <font color="#ffffff">ethane <font
color="#ffffff">aristotle <font color="#ffffff">screwworm <font
color="#ffffff">bows <font color="#ffffff">exponentials <font
color="#ffffff">crazed <font color="#ffffff">boeotian <font
color="#ffffff">postpone <font color="#ffffff">poling <font
color="#ffffff">count <font color="#ffffff">mercy <font
color="#ffffff">blushed <font color="#ffffff">boise <font
color="#ffffff">immaculately <font color="#ffffff">eventualities <font
color="#ffffff">cottonwood <font color="#ffffff">teased <font
color="#ffffff">$RANDOM
IZE <font color="#ffffff">telekinesis <font color="#ffffff">battelle <font
color="#ffffff">exceptionally <font color="#ffffff">saturday <font
color="#ffffff">cranium <font color="#ffffff">scraggly <font
color="#ffffff">milkmaid <font color="#ffffff">adamantly <font
color="#ffffff">expedient <font color="#ffffff">meson <font
color="#ffffff">arrhenius powder hotness bode correlative scanty exchanged
bolshevism measurements blomquist pounces<p>
<a
href="http://srd.yahoo.com/drst/hymns/*http://www.365pharm1.com/ex/index.htm
l">
<img border="0"
 src="http://srd.yahoo.com/drst/boyish/*http://www.8867v.com/file/ra.gif"; >
</a>
 </p><font color="#ffffff">huckster <font color="#ffffff">scorched <font
color="#ffffff">sash <font color="#ffffff">metaphors <font
color="#ffffff">tamely <font color="#ffffff">bernie <font
color="#ffffff">illusionary <font color="#ffffff">bobbie <font
color="#ffffff">accumulator <font color="#ffffff">thallophyte <font
color="#ffffff">coverlets <font color="#ffffff">sawtooth <font
color="#ffffff">adulterates <font color="#ffffff">atkinson <font
color="#ffffff">crossing <font color="#ffffff">bootleggers <font
color="#ffffff">saute <font color="#ffffff">accredit <font
color="#ffffff">telegram <font color="#ffffff">crocodile <font
color="#ffffff">scrubbing <font color="#ffffff">boston <font
color="#ffffff">imitating <font color="#ffffff">postoffice <font
color="#ffffff">tarpaulin <font color="#ffffff">plower <font
color="#ffffff">accursed <font color="#ffffff">pompon <font
color="#ffffff">bract <font color="#ffffff">exposers <font
color="#ffffff">$RANDOM
IZE <font color="#ffffff">breadboards <font color="#ffffff">bob <font
color="#ffffff">boss <font color="#ffffff">babylon <font
color="#ffffff">everyman <font color="#ffffff">cot <font
color="#ffffff">accolade <font color="#ffffff">measles <font
color="#ffffff">beowulf <font color="#ffffff">alden <font
color="#ffffff">boy <font color="#ffffff">allan <font
color="#ffffff">exorcise <font color="#ffffff">borate <font
color="#ffffff">talent <font color="#ffffff">crestfallen <font
color="#ffffff">hunter <font color="#ffffff">council <font
color="#ffffff">explored <font color="#ffffff">metro <font
color="#ffffff">sealant <font color="#ffffff">pools <font
color="#ffffff">mathematician <font color="#ffffff">horsedom <font
color="#ffffff">court <font color="#ffffff">bosonic <font
color="#ffffff">tasting <font color="#ffffff">expedition <font
color="#ffffff">bluestocking <font color="#ffffff">boxcar <font
color="#ffffff">$RANDOMI
ZE <font color="#ffffff">bamberger <font color="#ffffff">horsedom <font
color="#ffffff">added <font color="#ffffff">hydro <font
color="#ffffff">pleas <font color="#ffffff">hospitalize <font
color="#ffffff">scholastics <font color="#ffffff">crouch <font
color="#ffffff">boardinghouses <font color="#ffffff">bounteously <font
color="#ffffff">portal poultry methodicalness agatha posterior ethology
booking pleading teaspoon coupling scarify</body>
</html>

As you can see there's extensive use of a white font color which obscures
the many random words that have been inserted in order to subvert signature
checking.

URL indirection is used to reference the offending URL's,

<a
href="http://srd.yahoo.com/drst/hymns/*http://www.365pharm1.com/ex/index.htm
l">

Interestingly, these spam wizards have also found that they can add random
words after the server's top-level name, but before the indirection, without
disrupting the indirection.

SA scores it as follows:

X-Spam-Status: No, hits=2.2 required=5.0
tests=AWL,HTML_60_70,HTML_FONT_INVISIBLE,
        HTML_MESSAGE,MIME_HTML_ONLY,MSGID_FROM_MTA_HEADER autolearn=no
        version=2.60-cvs

-----

Any ideas on additional filters that can be added to detect these spams?
Would URL indirection be a useful signal? Any suggestions on a pattern that
will detect URL indirection?




-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] those pesky small v*agra ads

Reply via email to