Posted to users@spamassassin.apache.org by Charles Gregory <cg...@hwcn.org> on 2009/10/15 19:48:14 UTC

Re: [sa] sneaky pharma spam shooting past standard rules

Ah, the old SPAN trick. I haven't seen it, so I imagine my old code is 
still catching them..... LOL

The key to this trick is the spammer tries to insert 'invisible' text.
Either very small font size, as in your example, or colors that match the 
background, or both, so that the intended wording merely appears a little 
'gappy' to the human eye. Also watch for use of the style 'visibility' 
attribute with either DIV or SPAN. Usually appears in the same 'batch' of 
spams.... :)

- Charles


On Thu, 15 Oct 2009, Jason Haar wrote:
> I just received what appeared to be a standard "certain north american
> country" pharma spam that went straight by rules I have that normally
> catch it. Within Thunderbird (and any other HTML-capable MUA) it's
> blatantly shouting its wares.  Clever usage of SPANs appears to enable it
> to sneak straight by SA.
>
> http://pastebin.com/m56d2db96
>
> Is this something SA normally has components in place to catch/parse?
>
> -- 
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
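
The hidden-text tricks described in the message above (tiny font size, text colour matching the background, the 'visibility' style on DIV or SPAN), as an added detection example that is not part of the original thread and not SpamAssassin's own code. The names `VisibleText`, `analyze` and `naive_text`, the font-size threshold, the white default background and the sample markup are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic patterns (assumed thresholds): tiny fonts, visibility/display hiding.
HIDDEN = re.compile(r"font-size\s*:\s*[0-2](?:\.\d+)?\s*(?:px|pt)?\s*(?:;|$)"
                    r"|visibility\s*:\s*hidden|display\s*:\s*none", re.I)
COLOR = re.compile(r"(?<![-\w])color\s*:\s*([^;]+)", re.I)
BGCOLOR = re.compile(r"background(?:-color)?\s*:\s*([^;]+)", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}
# Constructed sample: two words broken up by three kinds of invisible SPAN.
SAMPLE = ('<div style="background:#fff">Ph<span style="font-size:1px">xq</span>'
          'arm<span style="color:#FFFFFF">zj</span>acy on'
          '<span style="visibility:hidden">kk</span>line</div>')

def norm(colour):
    """Lower-case a colour and expand #abc to #aabbcc so values compare equal."""
    c = colour.strip().lower()
    return "#" + "".join(ch * 2 for ch in c[1:]) if re.fullmatch(r"#[0-9a-f]{3}", c) else c

class VisibleText(HTMLParser):
    def __init__(self, page_bg="#ffffff"):  # assumes a white default background
        super().__init__()
        self.stack = [(False, page_bg)]  # (hidden?, background) per open element
        self.visible, self.hidden = [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        parent_hidden, parent_bg = self.stack[-1]
        bg = norm(m.group(1)) if (m := BGCOLOR.search(style)) else parent_bg
        fg = norm(m.group(1)) if (m := COLOR.search(style)) else None
        self.stack.append((parent_hidden or bool(HIDDEN.search(style)) or fg == bg, bg))
    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()  # assumes well-nested markup; real mail often is not
    def handle_data(self, data):
        (self.hidden if self.stack[-1][0] else self.visible).append(data)

def naive_text(html):  # tag stripping only: hidden filler stays inside the words
    return re.sub(r"<[^>]+>", "", html)

def analyze(html):
    """Return (text the reader sees, count of hidden characters)."""
    p = VisibleText()
    p.feed(html)
    p.close()
    return (re.sub(r"\s+", " ", "".join(p.visible)).strip(),
            sum(len(s.strip()) for s in p.hidden))
```

Body rules that match on the tag-stripped text see the filler inside each word, while the reader sees only the visible text; a non-zero hidden-character count in a short HTML part is itself a usable signal.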

Re: [sa] sneaky pharma spam shooting past standard rules

Posted by John Hardin <jh...@impsec.org>.
On Thu, 15 Oct 2009, Charles Gregory wrote:

> Ah, the old SPAN trick. I haven't seen it, so I imagine my old code is 
> still catching them..... LOL

None of the existing FLOAT rules caught these.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   W-w-w-w-w-where did he learn to n-n-negotiate like that?
-----------------------------------------------------------------------
  14 days since a sunspot last seen - EPA blames CO2 emissions