> Yes, this would be possible.
>
> describe MY_RBDY_EXSV_TAG MY: Excessive HTML Tags
> rawbody MY_RBDY_EXSV_TAG /<[bi]><\/[bi]>/i
> score MY_RBDY_EXSV_TAG 4.0
>
> Backhair did not hit because the number of characters within the tag
is
> fewer than 6. Creating rules to match fewer than 6 characters within
the
> tag delimiters creates false positives. You will most certainly need
to
> score it how you want rather than the arbitrary number I supplied.
>
> --Larry
I've been using similar rules without havoc. The font/font could be
much better, I was just lazy and wrote it just for the spam I had and
haven't gotten around to tweaking that one. You could include some
more, I just threw these in.
rawbody J_HTML_FNTFNT /<font color\=\#.{0,6}><\/font>/i
score J_HTML_FNTFNT 1.0
rawbody J_HTML_I_I /<i><\/i>/i
score J_HTML_I_I 1.0
rawbody J_HTML_B_B /<b><\/b>/i
score J_HTML_B_B 1.0
rawbody J_HTML_LI_LI /<li><\/li>/i
score J_HTML_LI_LI 1.0
rawbody J_HTML_UL_UL /<ul><\/ul>/i
score J_HTML_UL_UL 1.0
rawbody J_HTML_U_U /<u><\/u>/i
score J_HTML_U_U 1.0
But this was for obfuscating <b></b>phrases rather than words. I did
several so I wouldn't have to score them as high. They wouldn't do
diddly for the score in Mark's example, that's the first I've seen those
tags as 'popcorn' in the source. I figured it was coming based on the
other little evasive things they're doing. (many unsuccessful) The key
is keep doing secret tweaks to your P&B as they change their style,
mustn't show all your cards. ;) but a tweak on P&B wouldn't be
practical in this case. (in my inexperienced opinion) Perhaps it's time
for a new set. That would be an easy technique to stop them from using
lest they get tagged. When I get some time, I'll play around.
Jennifer
> -----Original Message-----
> From: Mark Ritchie [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 29, 2003 8:14 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Exessive HTML Code
>
>
> I've added the popcorn, blackhair, and weeds rules a while back, but
I've
> noticed that I'm still getting quite a few spams messages per day. It
> always seems to be the most offensive porn and such that makes it
through.
>
> Here is an example of the source that get's through
>
> <HTML><html>
> <body bgcolor="#FFFFFF">
> <p> NOT m<i></i>atu<b></b>re<i></i>,
> e<i></i>xpe<i></i>ri<i></i>enc<i></i>ed. NOT cheat<i></i>ing, on
> t<b></b>he
> s<i></i>i<i></i>de. <br>
> <b></b>NOT fli<i></i>rtin<i></i>g <b></b>- t<b></b>h<i></i>i<b></b>s
is
> 2003's fine<i></i>st a<i></i>l<b></b>t<b></b>er<b></b>na<b></b>tive
dating
> lifes<b></b>tyl<i></i>e <b></b>sol<i></i>ut<i></i>io<i></i>n
> w<i></i>it<i></i>h
> tho<i></i>u<i></i>sands o<i></i>f h<b></b>or<b></b>ny
> housewive<b></b>s<i></i>.<br>
> An<i></i>d <i></i>yo<b></b>u, Y<i></i>ES, Y<b></b>O<i></i>U,
<i></i>can
> g<b></b>e<b></b>t a<b></b>ccess to t<b></b>h<i></i>e
> <b></b>wh<b></b>o<i></i>le d<i></i>a<b></b>ta<b></b>ba<i></i>se of
> USA-<b></b>loc<b></b>a<i></i>te<i></i>d hou<i></i>sewi<b></b>ves
> wh<i></i>o'r<i></i>e in <i></i>fo<b></b>r
a<b></b>n<i></i>yt<b></b>hing
> -
> f<b></b>or on<b></b>e b<b></b>uck<b></b>!<br>
> HYLF<b></b>! H<b></b>ousew<b></b>iv<i></i>es You<i></i>'d Like
<b></b>to
> <b></b>Fl<b></b>ir<b></b>t and F<i></i>u<i></i>ck -
<b></b>yea<i></i>h,
> <b></b>y<i></i>ou'd de<b></b>fin<b></b>i<i></i>tely w<b></b>ant
> <i></i>to <b></b>do th<i></i>at, <i></i>wh<i></i>y on Ear<b></b>th
> <i></i>woul<b></b>d you da<b></b>te, <b></b>anyw<i></i>ays?</p>
> <p> <a
href="http://www.find-chat.com/cheating/wives.html";>Clic<b></b>k
> here
> <b></b>and p<b></b>a<b></b>y
> 1$ t<b></b>o <b></b>y<b></b>our r<i></i>ow of g<i></i>lor<i></i>ious
> ho<b></b>us<b></b>e<i></i>wife affairs!</a> </p>
> <br>
> <br>
> <br>
> <br>
> <br>
> <br>
> <br>
> <br>
> <br>
> <p><a href="http://www.a1hostingdirect.com/gone.html";><b></b>No
> Mor<b></b>e
> Thanks</a></p>
> </body>
> </html></HTML>
>
> Now, as you can see the trick here to fool spamassassin is the <i> and
<b>
> tags. Would it be possible to make a rule or adjust the rules so the
> <i></i> scores high? There is nothing inbetween and I'd have to say
> anyone
> sending messages like this is obviously a spammer.
>
> Mark
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive? Does it
> help you create better code? SHARE THE LOVE, and help us help
> YOU! Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
