Hi Bill,

Two SA rules to help immediately with this are:

### I wrapped the rawbody line to keep the integrity of the rule.
# Invisible text color in font tag
rawbody  MY_RBDY_INVSTXT    
   /<font.* color=("?\#?FFFFF[0-9A-F]"?|"?white"?).*>/i
describe MY_RBDY_INVSTXT    MY: Invisible text color
score    MY_RBDY_INVSTXT    2.0


# Obfuscate text by using ISO 8859-1 character set DEC encoding
rawbody  MY_RBDY_OBFU_ISOD  /&\#(6[5-9]|[7-9][0-9]|1[0-1][0-9]|12[0-6])\D/
describe MY_RBDY_OBFU_ISOD  MY: OBFU text with ISO DEC set
score    MY_RBDY_OBFU_ISOD  4.0


If you ever get HEX encoding, you can use:
# Obfuscate text by using ISO 8859-1 character set HEX encoding
rawbody  MY_RBDY_OBFU_ISOH  /\%(4[1-9]|[5-7][0-9]|[4-6][A-F]|7[A-E])\D/i
describe MY_RBDY_OBFU_ISOH  MY: OBFU text with ISO HEX set
score    MY_RBDY_OBFU_ISOH  4.0


--Larry


> -----Original Message-----
> From: Bill Polhemus [mailto:[EMAIL PROTECTED] 
> Sent: Monday, October 13, 2003 9:15 PM
> To: 'SA'
> Subject: [SAtalk] More HTML Obfuscation: This One Made It Through
> 
> 
> 
> Here's another one from a batch of several that have gotten 
> through SA 2.55 over the last several days. They use the 
> spurious HTML tags to break up the text and get it through 
> the Bayesian filter.
> 
> I'm running these through every time I get one--and luckily, 
> there've only been about one or two per day--but I wonder how 
> long until they're ALL coming through in this fashion!
> 
> ================== BEGIN INCLUDED SPAM MESSAGE TEXT 
> ================
> 
> <font face="Arial"><font color="#FFFFF2">argumentation scabby 
> writhe</font><br> Have SEVERE PAIN?<BR>Get SO-MA, Ul-tram, 
> FIORI-CET<BR>ALL NAME BRAND !<font color="#FFFFF2"><br> dent 
> unerring attract</font><BR>Like to 
> SHED a few pounds?<BR>IONA-MIN, ADI-PEX, TENU-ATE, MORE<br> 
> <font color="#FFFFFE">chub let skeptic</font><br> Others:<br> 
> AM-BIEN, ZO-LOFT, VIA-GRA, TRAMA-DOL</font><p><font 
> face="Arial">AND MUCH MORE!</font><font color="#FFFFF8" 
> face="Arial"><br> lingo tonneau allegation</font><font 
> face="Arial"><br> NO doctor's appointments 
> - NO previous pre-scriptions required.<BR>Online 24 discreet, 
> Secure 
> 
> Ordering.<br>
> </font>
> <font color="#FFFFF8" face="Arial">softball involuntarily 
> cranial</font><font face="Arial"><BR>US physicians and FDA 
> Approved Pre-scriptions with <br> discreet delivery 
> and packaging right to your home or office.<br>
> <font color="#FFFFF8">fairy printing ruggedly</font><BR>We 
> carry one of the largest 
> pharmaceutical inventories on the net today.<BR>Weight Loss - 
> Women's Health
> - 
> Men's Health - and more.<br>
> <font color="#FFFFF4">gerardo hapless stocky</font><BR>
> <BR><A 
> href="http://&#101;&#119;taj&#115;&#108;&#97;&#110;d&#46;&#98;
> &#105;&#122;/&
> #114;&#109;&#112;&#54;6&#53;&#49;/">Visit_to_begin_your_order<
> /A></B></font>
> </p>
> <p><font face="Arial"><font color="#FFFFF2">betake nastiness 
> unmask</font><br> &nbsp;</font></p> <p><font face="Arial" 
> size="1"> <a 
> href="http://e&#119;t&#97;&#106;&#115;&#108;&#97;&#110;&#100;&;
> #46;bi&#122;/u
> &#110;&#115;u&#98;&#115;&#99;r&#105;&#98;&#101;.ddd">Please_Se
> nd_No_More</a>
> </font>
> <font color="#FFFFF6">BqkVCx-ws1FBCGJ-GlDiwJ</font></p>
> 
> =================== END INCLUDED SPAM MESSAGE TEXT 
> =================
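
The three rules from the reply above, run against sample lines, as an added example that is not part of the original thread. The patterns are transcribed to Python's `re` syntax, the sample lines are constructed (modelled on the quoted spam), `example.invalid` is a placeholder host, and matching line by line with each rule scoring once is a simplifying assumption about how rawbody rules are applied.

```python
import html
import re

# The three rawbody patterns in Python re syntax. The "\#" and "\%" escapes
# from the SpamAssassin config are dropped; Python does not need them.
RULES = {
    "MY_RBDY_INVSTXT": (2.0, re.compile(
        r'<font.* color=("?#?FFFFF[0-9A-F]"?|"?white"?).*>', re.I)),
    "MY_RBDY_OBFU_ISOD": (4.0, re.compile(
        r'&#(6[5-9]|[7-9][0-9]|1[0-1][0-9]|12[0-6])\D')),
    "MY_RBDY_OBFU_ISOH": (4.0, re.compile(
        r'%(4[1-9]|[5-7][0-9]|[4-6][A-F]|7[A-E])\D', re.I)),
}

# Constructed sample lines (not real mail).
SPAM_LINES = [
    '<font face="Arial"><font color="#FFFFF2">dent unerring attract</font><BR>',
    '<A href="http://&#101;&#120;&#97;&#109;&#112;&#108;&#101;.invalid/">Visit</A>',
]
HEX_LINES = ['<a href="http://example.invalid/%6F%72%64%65%72">order</a>']
HAM_LINES = ['<font color="#000000">Minutes attached &amp; room 12 booked</font>']


def rule_hits(lines):
    """Return {rule name: first matching line}; each rule counts once."""
    hits = {}
    for line in lines:
        for name, (_score, rx) in RULES.items():
            if name not in hits and rx.search(line):
                hits[name] = line
    return hits


def total_score(lines):
    """Sum the scores of the distinct rules that fired."""
    return sum(RULES[name][0] for name in rule_hits(lines))


def reveal(line):
    """Decode character references so the hidden text can be read."""
    return html.unescape(line)


if __name__ == "__main__":
    for label, lines in (("spam", SPAM_LINES), ("hex", HEX_LINES), ("ham", HAM_LINES)):
        print(label, sorted(rule_hits(lines)), total_score(lines))
    print(reveal(SPAM_LINES[1]))
```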



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
