Posted to users@spamassassin.apache.org by Emmanuel Lesouef <el...@zubrowka.org> on 2006/03/22 08:57:38 UTC

HTML spam not detected

Hi all,

I get several spam that are HTML but they are not detected.

In fact, they use the <span> mark out such as in this example :

<DIV><FONT face=3DArial size=3D2>Do you want to <span style=3D"
float
:
right
"> l </span>O<span style=3D"
float
:
right
"> u </span>V<span style=3D"
float
:
right
"> u </span>E<span style=3D"
float
:
right
"> u </span>R<span style=3D"
float
:
right
"> m </span>P<span style=3D"
float
:
right
"> b </span>A<span style=3D"
float
:
right
"> y </span>Y for your <span style=3D"
float
:
right
"> j </span>M<span style=3D"
float
:
right
">

How can I modify the rules of spamassassin to deal with it ?

Thank you.

--

Emmanuel Lesouef

Re: HTML spam not detected

Posted by Jeremy Fairbrass <jf...@hotmail.com>.
Hi Emmanuel,
I have a custom rule which works nicely for me to catch those spams that use 
this HTML trick. I'll send it to you offline as I've heard it's not wise to 
post rules to the list (coz the spammers then see them) :)

Happy to send it to anyone else who asks too...

Cheers,
Jeremy


"Emmanuel Lesouef" <el...@zubrowka.org> wrote in message 
news:44210372.7010608@zubrowka.org...
> Hi all,
>
> I get several spam that are HTML but they are not detected.
>
> In fact, they use the <span> mark out such as in this example :
>
> <DIV><FONT face=3DArial size=3D2>Do you want to <span style=3D"
> float
> :
> right
> "> l </span>O<span style=3D"
> float
> :
> right
> "> u </span>V<span style=3D"
> float
> :
> right
> "> u </span>E<span style=3D"
> float
> :
> right
> "> u </span>R<span style=3D"
> float
> :
> right
> "> m </span>P<span style=3D"
> float
> :
> right
> "> b </span>A<span style=3D"
> float
> :
> right
> "> y </span>Y for your <span style=3D"
> float
> :
> right
> "> j </span>M<span style=3D"
> float
> :
> right
> ">
>
> How can I modify the rules of spamassassin to deal with it ?
>
> Thank you.
>
> --
>
> Emmanuel Lesouef
> 




RE: HTML spam not detected

Posted by Raimonds Aronietis <ra...@atd.lv>.
The trick is really simple: read every second part of the text. The
other parts are moved away using <span> tag. Nice html. :)

By the way, the html looks like this in the mail:

<DIV><FONT face=Arial size=2>Hi,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>Do you want to <SPAN style="FLOAT: right">c

</SPAN>O<SPAN style="FLOAT: right"> w </SPAN>V<SPAN style="FLOAT:
right"> t 
</SPAN>E<SPAN style="FLOAT: right"> o </SPAN>R<SPAN style="FLOAT:
right"> s 
</SPAN>P<SPAN style="FLOAT: right"> y </SPAN>A<SPAN style="FLOAT:
right"> h 
</SPAN>Y for your <SPAN style="FLOAT: right">b </SPAN>M<SPAN 
style="FLOAT: right"> r </SPAN>e<SPAN style="FLOAT: right"> f
</SPAN>d<SPAN 
style="FLOAT: right"> e </SPAN>i<SPAN style="FLOAT: right"> f
</SPAN>a<SPAN 
style="FLOAT: right"> y </SPAN>c<SPAN style="FLOAT: right"> o
</SPAN>t<SPAN 
style="FLOAT: right"> m </SPAN>i<SPAN style="FLOAT: right"> v
</SPAN>o<SPAN 
style="FLOAT: right"> k </SPAN>n<SPAN style="FLOAT: right"> s </SPAN>s 
?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>Nothing like you need it, <SPAN 
style="FLOAT: right">n </SPAN>S<SPAN style="FLOAT: right"> q
</SPAN>a<SPAN 
style="FLOAT: right"> w </SPAN>v<SPAN style="FLOAT: right"> j </SPAN>e
over 
<SPAN style="FLOAT: right">s </SPAN>5<SPAN style="FLOAT: right"> d
</SPAN>0<SPAN 
style="FLOAT: right"> v </SPAN>% with <A 
href="http://geocities.com/AliDoStilesrdne/">http://geocities.com/AliDoS
tilesrdne/</A></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2><FONT color=#0f35ee><SPAN style="FLOAT:
right">o 
</SPAN>V<SPAN style="FLOAT: right"> l </SPAN>a<SPAN style="FLOAT:
right"> c 
</SPAN>I<SPAN style="FLOAT: right"> a </SPAN>i<SPAN style="FLOAT:
right"> v 
</SPAN>u<SPAN style="FLOAT: right"> g </SPAN>m</FONT> <FONT 
color=#eb3409>$10<SPAN style="FLOAT: right"> a </SPAN>5</FONT> 3<SPAN 
style="FLOAT: right"> WF </SPAN>0&nbsp;<SPAN style="FLOAT: right"> m 
</SPAN>p<SPAN style="FLOAT: right"> x </SPAN>i<SPAN style="FLOAT:
right"> n 
</SPAN>l<SPAN style="FLOAT: right"> a </SPAN>l<SPAN style="FLOAT:
right"> c 
</SPAN>s</FONT></DIV>
<DIV><FONT face=Arial size=2><FONT color=#0f35ee><SPAN style="FLOAT:
right">p 
</SPAN>C<SPAN style="FLOAT: right"> c </SPAN>i<SPAN style="FLOAT:
right"> x 
</SPAN>a<SPAN style="FLOAT: right"> i </SPAN>I<SPAN style="FLOAT:
right"> h 
</SPAN>i<SPAN style="FLOAT: right"> t </SPAN>s</FONT> <FONT 
color=#eb3409>$9<SPAN style="FLOAT: right"> j </SPAN>9</FONT> 1<SPAN 
style="FLOAT: right"> yj </SPAN>0&nbsp;<SPAN style="FLOAT: right"> m 
</SPAN>p<SPAN style="FLOAT: right"> l </SPAN>i<SPAN style="FLOAT:
right"> n 
</SPAN>l<SPAN style="FLOAT: right"> g </SPAN>l<SPAN style="FLOAT:
right"> r 
</SPAN>s</FONT></DIV>
<DIV><FONT face=Arial size=2><FONT color=#0f35ee><SPAN style="FLOAT:
right">t 
</SPAN>V<SPAN style="FLOAT: right"> i </SPAN>i<SPAN style="FLOAT:
right"> o 
</SPAN>a<SPAN style="FLOAT: right"> n </SPAN>g<SPAN style="FLOAT:
right"> v 
</SPAN>r<SPAN style="FLOAT: right"> b </SPAN>a</FONT> <FONT 
color=#eb3409>$6<SPAN style="FLOAT: right"> v </SPAN>9</FONT> 1<SPAN 
style="FLOAT: right"> pK </SPAN>0&nbsp;<SPAN style="FLOAT: right"> p 
</SPAN>p<SPAN style="FLOAT: right"> e </SPAN>i<SPAN style="FLOAT:
right"> x 
</SPAN>l<SPAN style="FLOAT: right"> z </SPAN>l<SPAN style="FLOAT:
right"> u 
</SPAN>s</FONT></DIV>

Have fun!

Raimonds


> -----Original Message-----
> From: news [mailto:news@sea.gmane.org] On Behalf Of Jeremy Fairbrass
> Sent: Wednesday, March 22, 2006 12:20 PM
> To: users@spamassassin.apache.org
> Subject: Re: HTML spam not detected
> 
> 
> Was this one only in plain text, or did it include an HTML part as well? Can 
> you give us the full body unaltered? Could be that it's using some other 
> type of fancy HTML to make the text look like that.
> 
> Cheers,
> Jeremy
> 
> 
> "Emmanuel Lesouef" <el...@zubrowka.org> wrote in message 
> news:44211AAC.6020803@zubrowka.org...
> > Emmanuel Lesouef wrote:
> >> Hi all,
> >>
> >> I get several spam that are HTML but they are not detected.
> >>
> >> In fact, they use the <span> mark out such as in this example :
> >>
> >
> > This one is also not detected :
> >
> >
> > "
> > n V c a n I p i o u e m $ n 105 30 lp   j p y i g l j l k s
> > c C g i j a c I i i r s $9 n 9 10 1j   o p r i a l s l a s
> > d V d i y a e g k r a a $6 h 9 10 U9   a p y i g l m l v s
> >
> > n V c a n I p i o u e m $ n 105 30 lp   j p y i g l j l k s
> > c C g i j a c I i i r s $9 n 9 10 1j   o p r i a l s l a s
> > d V d i y a e g k r a a $6 h 9 10 U9   a p y i g l m l v
> >
> > o V b a x I w i l u w m $ v 105 30 tF   l p w i u l b l a s
> > t C x i a a z I z i c s $ i 99 10 8h   r p d i j l n l r s
> > s V h i f a p g m r p a $ j 69 1 u5 0  m p u i v l a l f s
> > "
> >
> > This one is very strange, as I cannot understand the meaning of it...
> >
> > Anyone got a trick ?
> >
> > PS : Thank you Jeremy for the HTML trick. :)
> >
> > --
> >
> > Emmanuel Lesouef
> > 
> 
> 
> 
> 


Re: HTML spam not detected

Posted by Jeremy Fairbrass <jf...@hotmail.com>.
Was this one only in plain text, or did it include an HTML part as well? Can 
you give us the full body unaltered? Could be that it's using some other 
type of fancy HTML to make the text look like that.

Cheers,
Jeremy


"Emmanuel Lesouef" <el...@zubrowka.org> wrote in message 
news:44211AAC.6020803@zubrowka.org...
> Emmanuel Lesouef wrote:
>> Hi all,
>>
>> I get several spam that are HTML but they are not detected.
>>
>> In fact, they use the <span> mark out such as in this example :
>>
>
> This one is also not detected :
>
>
> "
> n V c a n I p i o u e m $ n 105 30 lp   j p y i g l j l k s
> c C g i j a c I i i r s $9 n 9 10 1j   o p r i a l s l a s
> d V d i y a e g k r a a $6 h 9 10 U9   a p y i g l m l v s
>
> n V c a n I p i o u e m $ n 105 30 lp   j p y i g l j l k s
> c C g i j a c I i i r s $9 n 9 10 1j   o p r i a l s l a s
> d V d i y a e g k r a a $6 h 9 10 U9   a p y i g l m l v
>
> o V b a x I w i l u w m $ v 105 30 tF   l p w i u l b l a s
> t C x i a a z I z i c s $ i 99 10 8h   r p d i j l n l r s
> s V h i f a p g m r p a $ j 69 1 u5 0  m p u i v l a l f s
> "
>
> This one is very strange, as I cannot understand the meaning of it...
>
> Anyone got a trick ?
>
> PS : Thank you Jeremy for the HTML trick. :)
>
> --
>
> Emmanuel Lesouef
> 




Re: HTML spam not detected

Posted by Loren Wilton <lw...@earthlink.net>.
> This one is also not detected :
>
>
> "
> n V c a n I p i o u e m $ n 105 30 lp   j p y i g l j l k s
> c C g i j a c I i i r s $9 n 9 10 1j   o p r i a l s l a s
> d V d i y a e g k r a a $6 h 9 10 U9   a p y i g l m l v s
>
> n V c a n I p i o u e m $ n 105 30 lp   j p y i g l j l k s
> c C g i j a c I i i r s $9 n 9 10 1j   o p r i a l s l a s
> d V d i y a e g k r a a $6 h 9 10 U9   a p y i g l m l v
>
> o V b a x I w i l u w m $ v 105 30 tF   l p w i u l b l a s
> t C x i a a z I z i c s $ i 99 10 8h   r p d i j l n l r s
> s V h i f a p g m r p a $ j 69 1 u5 0  m p u i v l a l f s
> "
>
> This one is very strange, as I cannot understand the meaning of it...
>
> Anyone got a trick ?

You have to look at the HTML, which itself is designed to be hard to read.
Or you could just load the spam in a browser and see what it will neatly do
to make these things readable.  The spam message ends up on the left side of
the screen, and the intervening garbage characters end up on the right.

For instance, that first line says something like

> n V c a n I p i o u e m $ n 105 30 lp   j p y i g l j l k s
> V a I i u m $ 105 30

    Loren
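
The separation described in the two replies above (text in normal flow versus letters inside floated spans), as an added example that is not part of any poster's message and is not a SpamAssassin rule: it recovers the reading order a browser would show and flags bodies with many very short floated spans. The function names, thresholds and sample strings are assumptions made for this example, and it also treats `float: left` as floated.

```python
import quopri
import re
from html.parser import HTMLParser

FLOAT_RE = re.compile(r"float\s*:\s*(?:left|right)", re.I)

class FloatSplitter(HTMLParser):
    """Sorts text into normal-flow text and text inside floated <span>s."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []    # one flag per open <span>: is it floated?
        self.flow = []     # text the reader sees in sequence
        self.floated = []  # text pushed to the side of the page

    def handle_starttag(self, tag, attrs):
        if tag == "span":  # the parser lowercases tag and attribute names
            style = dict(attrs).get("style") or ""
            self.stack.append(bool(FLOAT_RE.search(style)))

    def handle_endtag(self, tag):
        if tag == "span" and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        (self.floated if any(self.stack) else self.flow).append(data)

def analyze(raw, quoted_printable=False, min_spans=5, max_len=3):
    """Return the rendered reading order and flag runs of tiny floated spans."""
    if quoted_printable:  # undo =3D and similar escapes before parsing
        raw = quopri.decodestring(raw.encode("latin-1")).decode("latin-1")
    parser = FloatSplitter()
    parser.feed(raw)
    parser.close()
    filler = [t.strip() for t in parser.floated if t.strip()]
    short = [t for t in filler if len(t) <= max_len]
    return {"flow_text": " ".join("".join(parser.flow).split()),
            "filler": filler, "suspicious": len(short) >= min_spans}

# Constructed samples (not taken from the thread): HELLO split by filler letters.
def sample(open_tag, close_tag):
    parts = (f"{open_tag} {f} {close_tag}{w}" for f, w in zip("qwxzk", "HELLO"))
    return "Do you want " + "".join(parts) + " now?"

QP_SAMPLE = sample('<span style=3D"\nfloat\n:\nright\n">', "</span>")
DECODED_SAMPLE = sample('<SPAN style="FLOAT:\nright">', "</SPAN>")
PLAIN_SAMPLE = '<p>Meeting moved to <span style="color: red">3pm</span>.</p>'

if __name__ == "__main__":
    print(analyze(QP_SAMPLE, quoted_printable=True))
```

The two obfuscated samples mirror the two forms posted in the thread: the quoted-printable source with the style value split across lines, and the decoded form with `FLOAT: right`.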


Re: HTML spam not detected

Posted by Emmanuel Lesouef <el...@zubrowka.org>.
Emmanuel Lesouef wrote:
> Hi all,
> 
> I get several spam that are HTML but they are not detected.
> 
> In fact, they use the <span> mark out such as in this example :
> 

This one is also not detected :


"
n V c a n I p i o u e m $ n 105 30 lp   j p y i g l j l k s
c C g i j a c I i i r s $9 n 9 10 1j   o p r i a l s l a s
d V d i y a e g k r a a $6 h 9 10 U9   a p y i g l m l v s

n V c a n I p i o u e m $ n 105 30 lp   j p y i g l j l k s
c C g i j a c I i i r s $9 n 9 10 1j   o p r i a l s l a s
d V d i y a e g k r a a $6 h 9 10 U9   a p y i g l m l v

o V b a x I w i l u w m $ v 105 30 tF   l p w i u l b l a s
t C x i a a z I z i c s $ i 99 10 8h   r p d i j l n l r s
s V h i f a p g m r p a $ j 69 1 u5 0  m p u i v l a l f s
"

This one is very strange, as I cannot understand the meaning of it...

Anyone got a trick ?

PS : Thank you Jeremy for the HTML trick. :)

--

Emmanuel Lesouef