You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by ha...@t-online.de on 2005/06/16 09:42:24 UTC
V*I*A*
I just received some spam built like
V<span style="display: none"> some words </span>I<span style="display: none"> more text </span>I
Is there any way to detect these?
Wolfgang Hamann
Re: rewrite_header Subject
Posted by jdow <jd...@earthlink.net>.
From: "Matt Kettler" <mk...@evi-inc.com>
> Rick Macdougall wrote:
>
> > rewrite_header subject *****SPAM(_SCORE_)*****
> >
> > man Mail::SpamAssassin::Conf is your friend
>
> For completeness, two caveats apply to this.
>
> 1) the above syntax is for SA 3.0.0 or higher. 2.xx won't make sense of
it.
>
> 2) If you are using a MTA integration tool that does it's own markups
> (MailScanner, possibly qmail-scanner and mimedefang), then this setting
won't do
> anything.
And if it will work this one will work better:
*****SPAM***** _SCORE(00)_ **
That will clearly mark spam and give a nice three digit score that can
be alpha sorted in your spam directory. That makes going through spam
a breeze. I effectively never see the higher score spam subjects. I just
look at the low scores, cull a few for Bayes training and false markups.
Then I delete the lot. (Sometimes I setup awkward test rules with really
high scores. That means I take a look at the high end of the list to see
if they hit the way I want. These are for things I consider "sure spam",
most of the time. Then I adjust the scores to something sane.)
{^_-}
Re: rewrite_header Subject
Posted by Matt Kettler <mk...@evi-inc.com>.
Rick Macdougall wrote:
> rewrite_header subject *****SPAM(_SCORE_)*****
>
> man Mail::SpamAssassin::Conf is your friend
For completeness, two caveats apply to this.
1) the above syntax is for SA 3.0.0 or higher. 2.xx won't make sense of it.
2) If you are using a MTA integration tool that does it's own markups
(MailScanner, possibly qmail-scanner and mimedefang), then this setting won't do
anything.
Re: rewrite_header Subject
Posted by Rick Macdougall <ri...@nougen.com>.
lists@zeta.net wrote:
> Hello,
>
> a while back, someone mentioned that they had configured SA to modify
> the subject to include the SA score like:
>
> *****SPAM(10.2)*****
>
> Is this easy to do? What is the syntax to acheive this in my local.cf
> file?
>
> Regards,
> Devin
Hi,
rewrite_header subject *****SPAM(_SCORE_)*****
man Mail::SpamAssassin::Conf is your friend
Rick
rewrite_header Subject
Posted by li...@zeta.net.
Hello,
a while back, someone mentioned that they had configured SA to modify
the subject to include the SA score like:
*****SPAM(10.2)*****
Is this easy to do? What is the syntax to acheive this in my local.cf file?
Regards,
Devin
Re: V*I*A*
Posted by Chris Stone <cs...@axint.net>.
On Thursday 16 June 2005 01:42 am, hamann.w@t-online.de wrote:
> I just received some spam built like
> V<span style="display: none"> some words </span>I<span style="display:
> none"> more text </span>I Is there any way to detect these?
Here's what I use:
rawbody SENET_DISPNONE /\<span.+style=.+display:\s?none/i
describe SENET_DISPNONE Hidden text via css attributes
score SENET_DISPNONE 2.15
Re: V*I*A*
Posted by Loren Wilton <lw...@earthlink.net>.
> I just received some spam built like
> V<span style="display: none"> some words </span>I<span style="display:
none"> more text </span>I
> Is there any way to detect these?
Sure. rawbody or full rule.
Loren
Re: V*I*A*
Posted by Christian Recktenwald <sp...@citecs.de>.
On Thu, Jun 16, 2005 at 09:42:24AM +0200, hamann.w@t-online.de wrote:
> I just received some spam built like
> V<span style="display: none"> some words </span>I<span style="display: none"> more text </span>I
> Is there any way to detect these?
If I run this through SA I get:
3.1 HTML_OBFUSCATE_40_50 BODY: Message is 40% to 50% HTML obfuscation
1.0 J_BACKHAIR_14 FULL: 1 letters - Unsightly html tag - 4
so you may want to increase the score for J_BACKHAIR_14 ...
backhair is published on SARE
--
Christian Recktenwald : :
citecs GmbH : :
Unternehmensberatung fuer : voice +49 711 601 2090 : Boeblinger Strasse 189
EDV und Telekommunikation : fax +49 711 601 2092 : D-70199 Stuttgart
Re: V*I*A*
Posted by Kevin Golding <ke...@caomhin.demon.co.uk>.
In article <42...@amadeus3.local>, hamann.w@t-
online.de writes
>I just received some spam built like
>V<span style="display: none"> some words </span>I<span style="display: none">
>more text </span>I
>Is there any way to detect these?
Working on the logic that display:none is highly unlikely to ever appear
in ham I have the following rule, albeit scored fairly low for now.
rawbody CSS_HIDDEN1 /(?:display\s*:\s*none)/i
Probably someone better than I will be able to improve on it but...
Kevin
Re: V*I*A*
Posted by Kai Schaetzl <ma...@conactive.com>.
wrote on Thu, 16 Jun 2005 09:42:24 +0200:
> V<span style="display: none"> some words </span>I<span style="display: none"> more text
> </span>I
> Is there any way to detect these?
detect this: <span style="display: none"> ???
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org