clever s p a m

[Matt Kettler]

You didn't state what version of SA you are using, however current versions
of SA should at least catch most cases of this stuff
as  OBFUSCATING_COMMENT. It does appear however that multi-part messages
(ie: ones that aren't HTML only) are exempt from the OBFUSCATING_COMMENT
rule for the time being due to FPs in text-plain mime parts.

All rules (except rawbody ones) should be matched after HTML tags and mime
decoding is done, however last I checked there was still some clean-up of
the HTML parsing going on. Some malformed/invalid HTML tags weren't being
stripped because they confused the parser. I'm not sure if all/most of
these are fixed in 2.52 or not, but I know there was a heavy push to get
some HTML parsing issues fixed before 2.50 was out.

Also you should note that in 2.5x the viagra rules have changed, and this
message here shouldn't fire on them (they now look for phrase combinations
such as herbal or natural varieties, all caps, or viagra in the subject.)

There's a lot of talk over on SA-Talk regarding some of the not-so-new
tricks of using HTML comments, and punctuation marks to obfuscate phrases,
and there should be a fair amount of development writing newer, better
rules for these soon (2.5x was really pushing to get bayes out, so wasn't
very rule-development heavy).


At 03:44 PM 4/3/2003 +0100, Sylvain Phaneuf wrote:
>Hi everyone,
>
>We have come across some spam html messages that contain some meaningless
>tags that break up keywords like v i a g r a.
>
>As mailscanner/spamassassin must look at the mime message, and not the
>decoded html part, these messages do not trigger big scores and are not
>blocked.
>
>Is there a way these could be blocked?   see example below my signature
>
>Sylvain
>===========================================================
>Sylvain Phaneuf --- Computing Manager   | phone : +44 (0)1865 221323
>Information Management Services Unit  -  Medical Sciences Division
>Oxford University                               | email :
>sylvain.phaneuf at imsu.ox.ac.uk
>Room 3A25B John Radcliffe Hospital      | fax :  +44 (0) 1865 221322
>Oxford   OX3 9DU   England
>===========================================================
>
>
>Generic Viagra is now available to consumers
>As low as $2.70 per dose (50 mg)
>No Doctor's Consutation required
>"Silagra is as good as Viagra - just cheaper!"
>Costs over 65% less than Brand Name
>(Generic Sildenafil Citrate (Silagra)
>and Viagra. both consist of 100 mg of
>sildenafil citrate)
>Private delivery to your home within 14 working days
>of payment verification - FREE SHIPPING
>100% Money Back Guarantee - The First
>Pharmaceutical to ever be guaranteed.
>