http://bugzilla.spamassassin.org/show_bug.cgi?id=3139
Summary: Need rendering rule to delete "tiny fonts"
Product: Spamassassin
Version: unspecified
Platform: Other
OS/Version: other
Status: NEW
Severity: enhancement
Priority: P3
Component: Rules
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]
A fairly typical obfuscation these days is to put letters, symbols, and small
groups in the middle of a word, using either a 0 or 1 point/pixel font. The
rendered result on the screen is the Evil Word with at most a small blip in
it. The result of rendering the HTML down to text, ignoring fonts, is the
obfuscated Evil Word.

Now granted, in most cases we can catch these either because of the small font,
or detecting a match on the obfuscated word anyway. However, an OPTIONAL
option on some test object (let us say for argument, 'body'), that would delete
the stuff in the tiny font, would end up rendering the Evil Word itself to
text, where it can be easily detected, probably without even time-consuming
obfuscation checks.

Clearly having such an option, and using it, would mean potentially rendering
the HTML twice, which is extra overhead. Thus, this form of the object
probably shouldn't be rendered unless specifically asked for. It probably
would require a very minor extra amount of smarts in the HTML renderer (to
recognize small fonts as such).

Such a rendering method might also be interesting as the feeder to Bayes.
Presumably the results would be less-obfuscated words than the current stuff,
and might (or might not) result in better hit rates.
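The two renderings the report contrasts, as an added Python sketch (not part of the report and not SpamAssassin code). The names `declared_tiny`, `TextRenderer`, `render` and `SAMPLE` are hypothetical, and it assumes "tiny" means a CSS `font-size` of 0, or of at most 1 when given in pt or px.

```python
import re
from html.parser import HTMLParser

# Assumption: only inline CSS is inspected; "tiny" is 0, or <= 1 in pt/px.
FONT_SIZE = re.compile(r"font-size\s*:\s*([0-9]*\.?[0-9]+)\s*(pt|px)?\s*(?:;|!|$)", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta", "wbr"}  # never hold text

def declared_tiny(style):
    """True/False if style sets an absolute font-size, None if it does not."""
    m = FONT_SIZE.search(style or "")
    if m is None:
        return None  # no size, or a relative one such as 1em: inherit
    size, unit = float(m.group(1)), m.group(2)
    return size == 0 or (unit is not None and size <= 1)

class TextRenderer(HTMLParser):
    """Render HTML to text, optionally deleting text shown in a tiny font."""
    def __init__(self, drop_tiny):
        super().__init__(convert_charrefs=True)
        self.drop_tiny = drop_tiny
        self.open = []   # (tag, effective_tiny) for each open element
        self.text = []

    def _tiny(self):
        return bool(self.open) and self.open[-1][1]

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        declared = declared_tiny(dict(attrs).get("style"))
        # A child inherits the parent's size unless it sets its own.
        self.open.append((tag, self._tiny() if declared is None else declared))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; stray end tags are ignored.
        for i in range(len(self.open) - 1, -1, -1):
            if self.open[i][0] == tag:
                del self.open[i:]
                break

    def handle_data(self, data):
        if not (self.drop_tiny and self._tiny()):
            self.text.append(data)

def render(html, drop_tiny=False):
    r = TextRenderer(drop_tiny)
    r.feed(html)
    r.close()
    return " ".join("".join(r.text).split())

# Constructed sample: filler characters hidden in 1px and 0pt runs.
SAMPLE = ('<p>Buy Ev<span style="font-size:1px">qz</span>il'
          '<font style="font-size: 0pt">x<b>7</b></font>Word '
          '<span style="font-size:10px">today</span></p>')
```

`render(SAMPLE)` gives the font-blind text a body rule sees today, while `render(SAMPLE, drop_tiny=True)` gives the text as displayed, which is the form the report proposes producing only on request.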