I thought up an idea for this: instead of trying to detect the white text in
general, why not try to detect the patterns the spammers are using with
them?  Take the following rules as an example:


rawbody  FVGT_rb_WHITE_6_WHITE /fffff[f0-9].{6}<font.{7,25}fffff/i
describe FVGT_rb_WHITE_6_WHITE Has white color, a word, then white color.
score  FVGT_rb_WHITE_6_WHITE 1.0
rawbody  FVGT_rb_WHITE_7_WHITE /fffff[f0-9].{7}<font.{7,25}fffff/i
describe FVGT_rb_WHITE_7_WHITE Has white color, a word, then white color.
score  FVGT_rb_WHITE_7_WHITE 1.0
rawbody  FVGT_rb_WHITE_8_WHITE /fffff[f0-9].{8}<font.{7,25}fffff/i
describe FVGT_rb_WHITE_8_WHITE Has white color, a word, then white color.
score  FVGT_rb_WHITE_8_WHITE 1.0
rawbody  FVGT_rb_WHITE_9_WHITE /fffff[f0-9].{9}<font.{7,25}fffff/i
describe FVGT_rb_WHITE_9_WHITE Has white color, a word, then white color.
score  FVGT_rb_WHITE_9_WHITE 1.0
rawbody  FVGT_rb_WHITE_10_WHITE /fffff[f0-9].{10}<font.{7,25}fffff/i
describe FVGT_rb_WHITE_10_WHITE Has white color, a word, then white color.
score  FVGT_rb_WHITE_10_WHITE 1.0
rawbody  FVGT_rb_WHITE_11_WHITE /fffff[f0-9].{11}<font.{7,25}fffff/i
describe FVGT_rb_WHITE_11_WHITE Has white color, a word, then white color.
score  FVGT_rb_WHITE_11_WHITE 1.0
rawbody  FVGT_rb_WHITE_12_WHITE /fffff[f0-9].{12}<font.{7,25}fffff/i
describe FVGT_rb_WHITE_12_WHITE Has white color, a word, then white color.
score  FVGT_rb_WHITE_12_WHITE 1.0
rawbody  FVGT_rb_WHITE_13_WHITE /fffff[f0-9].{13}<font.{7,25}fffff/i
describe FVGT_rb_WHITE_13_WHITE Has white color, a word, then white color.
score  FVGT_rb_WHITE_13_WHITE 1.0
rawbody  FVGT_rb_WHITE_14_WHITE /fffff[f0-9].{14}<font.{7,25}fffff/i
describe FVGT_rb_WHITE_14_WHITE Has white color, a word, then white color.
score  FVGT_rb_WHITE_14_WHITE 1.0
rawbody  FVGT_rb_WHITE_15_WHITE /fffff[f0-9].{15}<font.{7,25}fffff/i
describe FVGT_rb_WHITE_15_WHITE Has white color, a word, then white color.
score  FVGT_rb_WHITE_15_WHITE 1.0
rawbody  FVGT_rb_WHITE_16_WHITE /fffff[f0-9].{16}<font.{7,25}fffff/i
describe FVGT_rb_WHITE_16_WHITE Has white color, a word, then white color.
score  FVGT_rb_WHITE_16_WHITE 1.0

This might be a better approach to detecting these messages.  Not all
messages which use invisible text will trigger on these rules but it'll find
those that send messages like your example.  My mass check shows this:

OVERALL     SPAM      HAM     S/O   SCORE  NAME
  46880    32070    14810    0.684   0.00    0.00  (all messages)
     50       50        0    1.000   1.00   1.00  FVGT_rb_WHITE_12_WHITE
     47       47        0    1.000   0.88   1.00  FVGT_rb_WHITE_14_WHITE
     46       46        0    1.000   0.85   1.00  FVGT_rb_WHITE_13_WHITE
     45       45        0    1.000   0.81   1.00  FVGT_rb_WHITE_16_WHITE
     40       40        0    1.000   0.62   1.00  FVGT_rb_WHITE_15_WHITE
     36       36        0    1.000   0.46   1.00  FVGT_rb_WHITE_11_WHITE
     30       30        0    1.000   0.23   1.00  FVGT_rb_WHITE_9_WHITE
     30       30        0    1.000   0.23   1.00  FVGT_rb_WHITE_10_WHITE
     30       30        0    1.000   0.23   1.00  FVGT_rb_WHITE_8_WHITE
     27       27        0    1.000   0.12   1.00  FVGT_rb_WHITE_7_WHITE
     24       24        0    1.000   0.00   1.00  FVGT_rb_WHITE_6_WHITE

At least the mass-check says these rules are safe ;)  Not exactly extremely
effective but they appear to be safe!


Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
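
An added example, not part of the original post: a small Python harness that rebuilds the eleven rawbody patterns above and reports which ones fire on constructed sample bodies. It assumes each line of the raw body is tested separately and uses Python's `re` in place of SpamAssassin's Perl regex engine; the sample strings and function names are made up for illustration.

```python
import re

# Rebuild the eleven patterns from the post: exactly n characters (n = 6..16)
# between the first near-white colour value and the next "<font".
RULES = {
    f"FVGT_rb_WHITE_{n}_WHITE": re.compile(
        r"fffff[f0-9].{%d}<font.{7,25}fffff" % n, re.IGNORECASE)
    for n in range(6, 17)
}
SCORE_PER_RULE = 1.0  # every rule in the post is scored 1.0


def fired_rules(raw_body):
    """Return the sorted names of the rules matching any line of raw_body."""
    hits = set()
    for line in raw_body.splitlines():  # assumption: matched line by line
        for name, rx in RULES.items():
            if rx.search(line):
                hits.add(name)
    return sorted(hits)


def total_score(raw_body):
    """Scores add up: each distinct rule that fires contributes 1.0."""
    return SCORE_PER_RULE * len(fired_rules(raw_body))


# Constructed samples (not taken from real mail).
# One hidden word: the gap '">zqxjk</font>' is 14 characters long.
SPAM_ONE = '<font color="#ffffff">zqxjk</font><font color="#fffffe">buy</font>'
# Two hidden words of different length on one line: gaps of 11 and 13.
SPAM_TWO = ('<font color="#ffffff">ab</font><font color="#ffffff">wxyz</font>'
            '<font color="#ffffff">x</font>')
# Legitimate white background with black text: gap too short, no second white.
HAM = '<td bgcolor="#ffffff"><font color="#000000">Hello</font></td>'
# Invisible text written with a colour name: not covered by these patterns.
MISSED = '<font color="white">zqxjk</font><font color="white">buy</font>'

if __name__ == "__main__":
    for label, body in [("spam-one", SPAM_ONE), ("spam-two", SPAM_TWO),
                        ("ham", HAM), ("missed", MISSED)]:
        print(label, total_score(body), fired_rules(body))
```

Because each pattern requires an exact gap length, one hidden word fires exactly one rule, and a line with several hidden words of different lengths fires several rules whose scores add.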


