> -----Original Message-----
> From: John Hardin [mailto:jhar...@impsec.org]
> Sent: Wednesday, March 25, 2009 5:40 PM
> To: Ernie Dunbar
> Cc: users@spamassassin.apache.org
> Subject: Re: Colored-in table attack.
>
> On Wed, 25 Mar 2009, Ernie Dunbar wrote:
>
> > Detection of such a message is a piece of cake. Any message
> containing a
> > Very Large html table (even more than 50 table data fields, or one
> that
> > is disproportionately wide could qualify) could trigger such a test,
> but
> > I have no idea about how to do a count like that in a regular
> > expression. In fact, as far as I know, you can't.
> >
> > Does this mean that there's no meaningful way to test for this in
> > Spamassassin?
>
> Unfortunately no, at least at this time. rawbody rules don't do
> multiline
> matching (which would allow column counting), and rules in general are
> just hit-or-miss, not hit-N-times.
So why this actually works to me?
rawbody LARGETABLE
m'<tr\W(?:[^<]|<(?!t[dr]\W))*(?:<td\W(?:[^<]|<(?!t[rd]\W))*){30,}</tr'is
Got SA 3.2.4.
Giampaolo
>
> Try what I just posted. It's not perfect bu it's better than nothing at
> all.
>
> > Example table follows:
>
> Please don't do that.
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> Politicians never accuse you of "greed" for wanting other people's
> money, only for wanting to keep your own money. -- Joseph Sobran
> -----------------------------------------------------------------------
> 63 days since Obama's inauguration and still no unicorn!
