John Hardin wrote: > > exactly. they'll just change the html in the next wave. this spam isnt > new, yet the SA list is once again full of threads about exactly that > recent wave, becouse old rules dont match.
If 3.2.x does indeed implement multiline rawbody matches, then we'll be able to have a robust rule for this - e.g. an HTML email with a table that has more than 30 columns and more than 5 rows. That will be difficult to obfuscate. Hi John, by the time the detection is ready, you will get the entire message as ASCII art inside a <pre> or individual letters as ascii art, making up a table with one cell for each letter, or the same pattern made up of <img src=red.gif> <img src=white.gif> without a table In the long run we will render html to an image and then OCR it to detect the message :) Wolfgang Hamann
