You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by ha...@t-online.de on 2005/06/16 09:42:24 UTC

VIA*

I just received some spam built like
V<span style="display: none"> some words </span>I<span style="display: none"> more text </span>I
Is there any way to detect these?

Wolfgang Hamann

Re: rewrite_header Subject

Posted by jdow <jd...@earthlink.net>.

From: "Matt Kettler" <mk...@evi-inc.com>

> Rick Macdougall wrote:
>
> > rewrite_header subject *****SPAM(_SCORE_)*****
> >
> > man Mail::SpamAssassin::Conf is your friend
>
> For completeness, two caveats apply to this.
>
> 1) the above syntax is for SA 3.0.0 or higher. 2.xx won't make sense of
it.
>
> 2) If you are using a MTA integration tool that does it's own markups
> (MailScanner, possibly qmail-scanner and mimedefang), then this setting
won't do
> anything.

And if it will work this one will work better:
*****SPAM***** _SCORE(00)_ **

That will clearly mark spam and give a nice three digit score that can
be alpha sorted in your spam directory. That makes going through spam
a breeze. I effectively never see the higher score spam subjects. I just
look at the low scores, cull a few for Bayes training and false markups.
Then I delete the lot. (Sometimes I setup awkward test rules with really
high scores. That means I take a look at the high end of the list to see
if they hit the way I want. These are for things I consider "sure spam",
most of the time. Then I adjust the scores to something sane.)

{^_-}

Re: rewrite_header Subject

Posted by Matt Kettler <mk...@evi-inc.com>.

Rick Macdougall wrote:

> rewrite_header subject *****SPAM(_SCORE_)*****
> 
> man Mail::SpamAssassin::Conf is your friend

For completeness, two caveats apply to this.

1) the above syntax is for SA 3.0.0 or higher. 2.xx won't make sense of it.

2) If you are using a MTA integration tool that does it's own markups
(MailScanner, possibly qmail-scanner and mimedefang), then this setting won't do
anything.

Re: rewrite_header Subject

Posted by Rick Macdougall <ri...@nougen.com>.

lists@zeta.net wrote:

> Hello,
>
> a while back, someone mentioned that they had configured SA to modify
> the subject to include the SA score like:
>
> *****SPAM(10.2)*****
>
> Is this easy to do?  What is the syntax to acheive this in my local.cf 
> file?
>
> Regards,
> Devin

Hi,

rewrite_header subject *****SPAM(_SCORE_)*****

man Mail::SpamAssassin::Conf is your friend


Rick

rewrite_header Subject

Posted by li...@zeta.net.

Hello,

a while back, someone mentioned that they had configured SA to modify
the subject to include the SA score like:

*****SPAM(10.2)*****

Is this easy to do?  What is the syntax to acheive this in my local.cf file?

Regards,
Devin

Re: VIA*

Posted by Chris Stone <cs...@axint.net>.

On Thursday 16 June 2005 01:42 am, hamann.w@t-online.de wrote:
> I just received some spam built like
> V<span style="display: none"> some words </span>I<span style="display:
> none"> more text </span>I Is there any way to detect these?

Here's what I use:

rawbody SENET_DISPNONE     /\<span.+style=.+display:\s?none/i
describe SENET_DISPNONE    Hidden text via css attributes
score SENET_DISPNONE    2.15

Re: VIA*

Posted by Loren Wilton <lw...@earthlink.net>.

> I just received some spam built like
> V<span style="display: none"> some words </span>I<span style="display:
none"> more text </span>I
> Is there any way to detect these?

Sure.  rawbody or full rule.

        Loren

Re: VIA*

Posted by Christian Recktenwald <sp...@citecs.de>.

On Thu, Jun 16, 2005 at 09:42:24AM +0200, hamann.w@t-online.de wrote:
> I just received some spam built like
> V<span style="display: none"> some words </span>I<span style="display: none"> more text </span>I
> Is there any way to detect these?

If I run this through SA I get:

 3.1 HTML_OBFUSCATE_40_50   BODY: Message is 40% to 50% HTML obfuscation
 1.0 J_BACKHAIR_14          FULL: 1 letters - Unsightly html tag - 4

so you may want to increase the score for J_BACKHAIR_14 ...
backhair is published on SARE

-- 
Christian Recktenwald      :                         :
citecs GmbH                :                         :
Unternehmensberatung fuer  : voice +49 711 601 2090  : Boeblinger Strasse 189
EDV und Telekommunikation  : fax   +49 711 601 2092  : D-70199 Stuttgart

Re: VIA*

Posted by Kevin Golding <ke...@caomhin.demon.co.uk>.

In article <42...@amadeus3.local>, hamann.w@t-
online.de writes
>I just received some spam built like
>V<span style="display: none"> some words </span>I<span style="display: none"> 
>more text </span>I
>Is there any way to detect these?

Working on the logic that display:none is highly unlikely to ever appear
in ham I have the following rule, albeit scored fairly low for now.

rawbody     CSS_HIDDEN1 /(?:display\s*:\s*none)/i

Probably someone better than I will be able to improve on it but...

Kevin

Re: VIA*

Posted by Kai Schaetzl <ma...@conactive.com>.

 wrote on Thu, 16 Jun 2005 09:42:24 +0200:

> V<span style="display: none"> some words </span>I<span style="display: none"> more text 
> </span>I 
> Is there any way to detect these?

detect this: <span style="display: none"> ???

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

V*I*A*

Re: rewrite_header Subject

Re: rewrite_header Subject

Re: rewrite_header Subject

rewrite_header Subject

Re: V*I*A*

Re: V*I*A*

Re: V*I*A*

Re: V*I*A*

Re: V*I*A*

VIA*

Re: VIA*

Re: VIA*

Re: VIA*

Re: VIA*

Re: VIA*