You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2004/01/19 02:04:55 UTC

[Bug 2947] New: RFE: Test to catch invalid HTML Obfuscation

http://bugzilla.spamassassin.org/show_bug.cgi?id=2947

           Summary: RFE: Test to catch invalid HTML Obfuscation
           Product: Spamassassin
           Version: 2.62
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Rules
        AssignedTo: spamassassin-dev@incubator.apache.org
        ReportedBy: cgrady@the-magi.us


I've been getting a lot of spam emails recently that try to sneak by spam
filters by adding a lot of </randomword> invalid tags inside their message.


Examples:

<p>Ban</recovery>ned C</yardstick>D Gov</spacecraft>ernment d</aesthetic>on't
wan</lanky>t m</delia>e t</kittle>o s</bureaucratic>ell i</simplex>t.
Se</hedgehog>e N</sonority>ow _</p>

<p>Fr</copperas>ee Ca</erasure>bleTV!N</elsewhere>o mo</on>re
p</selfridge>ay!%RND_SYB</p>


The second example also brings up another request, but that'll go in another
bug, if it isn't already reported.

Anyway, I wrote my own test in local.cf that catches these so I thought I'd
share it as a possible addition.

rawbody HTML_OBFUSCATION        /([\w\s!%]{2,}<\/[\w]+>){3,}/
describe HTML_OBFUSCATION       Cra</foo>p Li</bar>e Th</baz>is

I noticed in another bug that you were trying to get away from rawbody tests,
but I figured this could still be helpful.

This could also be restricted a bit by forcing it to match inside of <p> and
</p>, as all the ones I've seen so far have had that wrapping it, but all it
would take is spammers removing the <p></p> and it would bypass it.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.