You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by jh...@apache.org on 2018/06/25 21:05:48 UTC

svn commit: r1834374 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Author: jhardin
Date: Mon Jun 25 21:05:48 2018
New Revision: 1834374

URL: http://svn.apache.org/viewvc?rev=1834374&view=rev
Log:
Tweaking invisible-HTML-text obfuscation rules, adding a new test rule

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1834374&r1=1834373&r2=1834374&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Mon Jun 25 21:05:48 2018
@@ -1981,14 +1981,25 @@ score     GOOG_REDIR_HTML_ONLY
 
 
 # low S/O, apparently lots of invisible ham...
-rawbody   __STY_INVIS                   /\bstyle\s*=(?:3d)?\s*"\s*(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;|background\s*:)/i
-tflags    __STY_INVIS                   multiple, maxhits=6
-meta      __STY_INVIS_MANY              __STY_INVIS > 5
-#meta      HTML_TEXT_INVISIBLE           __STY_INVIS_MANY
-#describe  HTML_TEXT_INVISIBLE           Hidden text
-#score     HTML_TEXT_INVISIBLE           2.000   # limit
+if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+  rawbody   __STY_INVIS                   /\bstyle\s*=\s*"[^">]{0,80}(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;)/i
+  tflags    __STY_INVIS                   multiple, maxhits=6
+  meta      __STY_INVIS_MANY              __STY_INVIS > 5
+  #meta      HTML_TEXT_INVISIBLE           __STY_INVIS_MANY
+  #describe  HTML_TEXT_INVISIBLE           Hidden text
+  #score     HTML_TEXT_INVISIBLE           2.000   # limit
+endif
 # try it on span tags only...
-rawbody   __SPAN_INVIS                  /<span\s[^>]{0,80}style\s*=(?:3d)?\s*"\s*(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;|background\s*:)/i
+rawbody   __SPAN_INVIS                  /<span\s[^>]{0,200}style\s*=\s*"[^">]{0,80}(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;)[^>]{1,200}>\w/i
+
+if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+  rawbody   __FONT_INVIS                  /<font\s[^>]{1,80}(?:font-size\s*:\s*[01]px\s*;|color\s*:\s*transparent\s*;)[^>]{1,80}>\w/i
+  tflags    __FONT_INVIS                  multiple, maxhits=6
+  meta      __FONT_INVIS_MANY             __FONT_INVIS > 5
+  #meta      HTML_TEXT_INVISIBLE           __FONT_INVIS
+  #describe  HTML_TEXT_INVISIBLE           Hidden text
+  #score     HTML_TEXT_INVISIBLE           2.000   # limit
+endif
 
 # Adapted from SARE rules __SARE_HTML_SINGLET*
 rawbody   __HTML_SINGLET                />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i