Ah, the old SPAN trick. I haven't seen it, so I imagine my old code is still catching them..... LOL

The key to this trick is the spammer tries to insert 'invisible' text.
Either very small font size, as in your example, or colors that match the background, or both, so that the intended wording merely appears a little 'gappy' to the human eye. Also watch for use of the style 'visibility' attribute with either DIV or SPAN. Usually appears in the same 'batch' of spams.... :)

- Charles


On Thu, 15 Oct 2009, Jason Haar wrote:
I just received what appeared to be a standard "certain north american
country" pharma spam that went straight by rules I have that normally
catch it. Within Thunderbird (and any other HTML-capable MUA) it's
blatantly shouting its wares.  Clever usage of SPANs appears to enable it
to sneak straight by SA.

http://pastebin.com/m56d2db96

Is this something SA normally has components in place to catch/parse?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
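
A filter can undo the hiding tricks named in the reply above (tiny font size, text colour matching the background, the 'visibility' style on DIV or SPAN) by separating what the reader sees from what the markup hides, then matching its rules against the visible text only. The following is an added example, not code from the thread or from SpamAssassin; the names `HiddenTextSplitter` and `split_text`, the 3-unit font-size threshold, the white default background and the sample HTML are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags with no end tag

def norm_colour(value):  # lower-case; expand #abc to #aabbcc (hex colours only)
    v = value.strip().lower()
    return "#" + "".join(c * 2 for c in v[1:]) if re.fullmatch(r"#[0-9a-f]{3}", v) else v

def parse_style(style):  # inline style attribute -> {property: value}
    pairs = (d.split(":", 1) for d in style.split(";") if ":" in d)
    return {k.strip().lower(): v.strip() for k, v in pairs}

class HiddenTextSplitter(HTMLParser):
    def __init__(self, page_bg="#ffffff", min_px=3.0):  # assumed defaults
        super().__init__()
        self.min_px, self.visible, self.hidden = min_px, [], []
        self.stack = [("", False, norm_colour(page_bg))]  # (tag, hidden, background)

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        _, hidden, bg = self.stack[-1]  # children inherit the parent's state
        css = parse_style(dict(attrs).get("style") or "")
        bg = norm_colour(css.get("background-color", bg))
        size = re.fullmatch(r"(\d*\.?\d+)(px|pt)", css.get("font-size", "").lower())
        hidden = (hidden
                  or (size and float(size.group(1)) < self.min_px)  # tiny font
                  or css.get("visibility", "").lower() == "hidden"
                  or ("color" in css and norm_colour(css["color"]) == bg))
        self.stack.append((tag, bool(hidden), bg))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, 0, -1):  # never pop the root entry
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        (self.hidden if self.stack[-1][1] else self.visible).append(data)

def split_text(html):  # -> (visible_text, hidden_text)
    parser = HiddenTextSplitter()
    parser.feed(html)
    parser.close()  # flush any text after the last tag
    return "".join(parser.visible), "".join(parser.hidden)

# Constructed sample, not the message from the thread.
SAMPLE = ('<div>Ph<span style="font-size:1px">xq</span>arm<span style="color:#FFF">zz'
          '</span>acy <div style="visibility:hidden">weather report</div>sale</div>')
```

A large share of hidden text relative to visible text is itself a usable signal, independent of what the visible words say.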
