You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Aleksander Adamowski <al...@altkom.pl> on 2004/02/23 19:20:03 UTC

Re: Testing markup tags

John Hardin wrote:

>On Mon, 2004-02-23 at 10:03, Aleksander Adamowski wrote:
>  
>
>>More specifically, when there's a dangling attribute value like this in 
>>HTML source:
>>
>><font color=
>>
>>#feefea>
>>    
>>
>Hmm.
>
>Perhaps SA should have a test similar to the URI test, named perhaps
>"tag", that matches a single markup tag with all line breaks removed,
>obfuscation encodings decoded, whitespace collapsed, etc...
>  
>
Agreed, but ideally HTML::Parser (or whatever parses those font tags) 
should be made resistant to such simple attacks. Mozilla and IE 
correctly interpret the color attribute of that mangled tag, so Perl 
HTML::Parser should too...

BTW I've notice that mu MUA has snipped the trailing space, so those 
samples of font tag were identical. The problematic font tag has a line 
break instantly after "color=" in the original spam message, and this 
fools the HTML parser.

-- 
Best Regards,
    Aleksander Adamowski
        GG#: 274614
        ICQ UIN: 19780575 
	http://olo.ab.altkom.pl

Re: Testing markup tags

Posted by Aleksander Adamowski <al...@altkom.pl>.

John Hardin wrote:

>ITYM it fools recipes that expect the tag to all be on a single line,
>which is my point. I don't think SA is actually parsing the HTML (beyond
>the uri stuff).
>  
>
That's a pity, using a standard HTML parsing module from CPAN would 
offload the work involving handling of maliciously malformed HTML syntax 
to that external module and its maintainer.

This would provide a much more similar behaviour to MUA's like Outlook, 
Mozilla Mail or KMail WRT HTML interpretation, which is a good thing. 
The chance would be bigger that if the user sees something in a certain 
way, then SpamAssassin engine sees too.

Anyway, I've published samples of that malicouis spam here:
<http://olo.ab.altkom.pl/domowa/spam/samples/low_contrast/>

You can check for yourself how these are handled by your installation of SA.

-- 
Best Regards,
  Aleksander Adamowski
    GG#: 274614
    ICQ UIN: 19780575 
  http://olo.ab.altkom.pl