Posted to users@spamassassin.apache.org by Devon Harding <de...@gmail.com> on 2005/05/01 04:37:46 UTC
Re: HTML Table SPAM?
There's got to be a way to stop this. I'm getting over 100 of these a day.
-Devon
On 4/30/05, Bret Miller <br...@wcg.org> wrote:
>
> In an older episode (Saturday 30 April 2005 16:03), Devon Harding wrote:
> >> Has anyone seen this kind of SPAM passing through? Where the SPAMMER
> >> would use HTML tables to separate the offensive content? The words
> >> look clear when received, but every two letters are separated by a
> >> table.
> >
> > There have been attempts to write rules for such mails here, one message had
>
> > Subject: Re: Tables obscuring words
>
> > I am not sure if those attempts were successful yet.
>
> Well, they haven't yet worked here. Or maybe they have and the
> obfuscation has just gotten more complex.
>
> Bret
>
>
[SARE] obfu rule set update
Posted by Robert Menschel <Ro...@Menschel.net>.
RM> Monday, May 9, 2005, 11:30:36 AM, Devon wrote:
DH>> Many thanks to Bob on the recent SARE rules release. This
DH>> caught those HTML Table SPAMS!!!
RM> But I notice there was no description on those report lines. I'll
RM> have that fixed by the weekend.
With the help of several SARE mass-checkers, we not only have the
description lines fixed, but a number of additional rules. Should be
even better at catching the current series of obfuscations and table
spams.
Updated 70_sare_obfu.cf, obfu0.cf, and obfu1.cf
(obfu.cf contains both obfu0.cf and obfu1.cf as one file).
Bob Menschel
Re[4]: HTML Table SPAM? ** RESOLVED **
Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Devon,
Monday, May 9, 2005, 11:30:36 AM, you wrote:
DH> Many thanks to Bob on the recent SARE rules release. This
DH> caught those HTML Table SPAMS!!!
But I notice there was no description on those report lines. I'll
have that fixed by the weekend.
Bob Menschel
Re: Re[2]: HTML Table SPAM? ** RESOLVED **
Posted by Devon Harding <de...@gmail.com>.
Many thanks to Bob on the recent SARE rules release. This caught those HTML
Table SPAMS!!!
 0.05  FORGED_RCVD_HELO       Received: contains a forged HELO
 0.07  HTML_FONT_INVISIBLE    HTML font color is same as background
 0.00  HTML_MESSAGE           HTML included in message
 0.60  J_CHICKENPOX_12        1alpha-pock-2alpha
 0.60  J_CHICKENPOX_15        1alpha-pock-5alpha
 0.14  RCVD_IN_SORBS_DUL      SORBS: sent directly from dynamic IP address
 0.16  SARE_HTML_FONT_INVIS2  contains HTML color which is likely spamsign
 0.12  SARE_HTML_URI_2SLASH   URI has additional double slash within it
 1.46  SARE_HTML_USL_OBFU     Message body has very strange HTML sequence
 2.67  SARE_OBFU_PRICE1
 2.22  SARE_OBFU_VISIT1
-0.00  SPF_HELO_PASS          SPF: HELO matches SPF record
On 5/5/05, Robert Menschel <Ro...@menschel.net> wrote:
>
> Hello Devon,
>
> Thursday, May 5, 2005, 6:02:58 PM, you wrote:
>
> DH> Anyone?
>
> DH> On 4/30/05, Devon Harding <de...@gmail.com> wrote:
> DH> There's got to be a way to stop this. I'm getting over 100 of these a day.
>
> Making progress...
>
> #counts SARE_OBFU_DRUGDOL1_SPC 2496s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
> #counts SARE_OBFU_GPIL_TAG 890s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
> #counts SARE_OBFU_LEVITRA_SPC 2723s/5h of 284851 corpus (112429s/172422h RM) 05/04/05
> modified regex to try to eliminate the ham
> #counts SARE_OBFU_ONLY_SPC 2750s/2h of 284851 corpus (112429s/172422h RM) 05/04/05
> #counts SARE_OBFU_ONLY_TAG 897s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
> #counts SARE_OBFU_SPECIAL_TAG 897s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
> #counts SARE_OBFU_VIAGRA_SPC 4729s/5h of 284851 corpus (112429s/172422h RM) 05/04/05
> modified regex to try to eliminate the ham
>
> I hope to send the zero ham rules for full SARE mass-check in the next
> day or two, and publish them within the 70_sare_obfu0.cf rule set some
> time this weekend.
>
> I have a few more rules that don't yet work but show promise...
>
> Bob Menschel
>
>
Re[2]: HTML Table SPAM?
Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Devon,
Thursday, May 5, 2005, 6:02:58 PM, you wrote:
DH> Anyone?
DH> On 4/30/05, Devon Harding <de...@gmail.com> wrote:
DH> There's got to be a way to stop this. I'm getting over 100 of these a day.
Making progress...
#counts SARE_OBFU_DRUGDOL1_SPC 2496s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_GPIL_TAG 890s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_LEVITRA_SPC 2723s/5h of 284851 corpus (112429s/172422h RM) 05/04/05
modified regex to try to eliminate the ham
#counts SARE_OBFU_ONLY_SPC 2750s/2h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_ONLY_TAG 897s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_SPECIAL_TAG 897s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_VIAGRA_SPC 4729s/5h of 284851 corpus (112429s/172422h RM) 05/04/05
modified regex to try to eliminate the ham
I hope to send the zero ham rules for full SARE mass-check in the next
day or two, and publish them within the 70_sare_obfu0.cf rule set some
time this weekend.
I have a few more rules that don't yet work but show promise...
Bob Menschel
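
Added example, not part of the thread and not SARE's own tooling: a parser for the "#counts" lines in the message above that reports each rule's spam and ham hit rates and picks out the zero-ham rules Bob mentions. Reading "Ns/Nh" as spam/ham hits and the parenthesised pair as the corpus composition, and computing S/O as spam% / (spam% + ham%), are assumptions about the format; the sample lines are copied from the message.

```python
import re

# Sample input: "#counts" lines copied from the message above.
COUNTS = """\
#counts SARE_OBFU_DRUGDOL1_SPC 2496s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_GPIL_TAG 890s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_LEVITRA_SPC 2723s/5h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_ONLY_SPC 2750s/2h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_VIAGRA_SPC 4729s/5h of 284851 corpus (112429s/172422h RM) 05/04/05
"""

# Assumed layout: rule name, hits as <spam>s/<ham>h, corpus size,
# corpus composition plus mass-checker initials, then the run date.
LINE = re.compile(
    r"^#counts\s+(?P<rule>\S+)\s+(?P<s>\d+)s/(?P<h>\d+)h\s+of\s+(?P<total>\d+)"
    r"\s+corpus\s+\((?P<cs>\d+)s/(?P<ch>\d+)h\s+(?P<who>\w+)\)\s+(?P<date>\S+)$"
)

def parse_counts(text):
    """Return one dict per well-formed #counts line; other lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        s, h, total, cs, ch = (int(m[k]) for k in ("s", "h", "total", "cs", "ch"))
        if cs + ch != total or s > cs or h > ch:
            raise ValueError(f"inconsistent counts for {m['rule']}")
        spam_pct = 100.0 * s / cs   # share of the spam corpus the rule hits
        ham_pct = 100.0 * h / ch    # share of the ham corpus (false positives)
        hit = spam_pct + ham_pct
        rows.append({
            "rule": m["rule"], "spam_hits": s, "ham_hits": h,
            "spam_pct": spam_pct, "ham_pct": ham_pct,
            "so": spam_pct / hit if hit else None,  # 1.0 means spam only
            "checker": m["who"], "date": m["date"],
        })
    return rows

def zero_ham(rows):
    """Rules with no ham hits at all, the 'zero ham rules' of the message."""
    return [r["rule"] for r in rows if r["ham_hits"] == 0]

if __name__ == "__main__":
    for r in parse_counts(COUNTS):
        print(f"{r['rule']:<24} spam {r['spam_pct']:.2f}%  "
              f"ham {r['ham_pct']:.4f}%  S/O {r['so']:.4f}")
```
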
Re: HTML Table SPAM?
Posted by Devon Harding <de...@gmail.com>.
Anyone?
On 4/30/05, Devon Harding <de...@gmail.com> wrote:
>
> There's got to be a way to stop this. I'm getting over 100 of these a day.
>
> -Devon
>
> On 4/30/05, Bret Miller <br...@wcg.org> wrote:
> >
> > In an older episode (Saturday 30 April 2005 16:03), Devon Harding wrote:
> > >> Has anyone seen this kind of SPAM passing through? Where the SPAMMER
> > >> would use HTML tables to separate the offensive content? The words
> > >> look clear when received, but every two letters are separated by a
> > >> table.
> > >
> > > There have been attempts to write rules for such mails here, one message had
> >
> > > Subject: Re: Tables obscuring words
> >
> > > I am not sure if those attempts were successful yet.
> >
> > Well, they haven't yet worked here. Or maybe they have and the
> > obfuscation has just gotten more complex.
> >
> > Bret
> >
> >
>