http://bugzilla.spamassassin.org/show_bug.cgi?id=3661
Summary: Request for HTML de-obfuscation of invisible SPAN's
Product: Spamassassin
Version: 2.63
Platform: All
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Rules
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]
Hi, this bug is to request that SpamAssassin's HTML parser remove SPAN tags
which have a STYLE attribute containing "display:none" (which therefore makes
them invisible). The reason for this is that this morning I got a juicy spam,
part of which I quote here (in raw format):
---BEGIN QUOTE---
Loads of cool soft at incredibly lo<SPAN
STYLE="display:none">gqthcgc</SPAN>w p<SPAN
STYLE="display:none">nlaskp</SPAN>rices<br>
<b>Wind<SPAN STYLE="display:none">etjkm</SPAN>ows XP Professio<SPAN
STYLE="display:none">qhtudkpek</SPAN>nal + Offi<SPAN
STYLE="display:none">fnctpeox</SPAN>ce XP Professi<SPAN
STYLE="display:none">qqko</SPAN>onal </b>for as lo<SPAN
STYLE="display:none">sgfjxpens</SPAN>w as $80<br>
---END QUOTE---
As you can see, the <SPAN>...</SPAN> tags are not displayed by a browser
because of the STYLE="display:none" attribute. They are obviously being used
to obfuscate key spamwords in the message. (Apparently this is the spammers'
latest attempt at circumventing spam filters.) I've created a rule for
recognizing these obfuscating tags:
rawbody USELESS_SPAN /\b\<span\b[^>]*\bstyle=\"[^\"]*display\s*:\s*none[^\"]*
\"[^>]*\>\b/i
describe USELESS_SPAN HTML contains <span style=display:none>
However, it would be nice if SA could actually strip these things away from the
message body, so that the other rules can catch those spammy obfuscated words.
And thanks to all SA developers who made it possible for me to weed out 99% of
the spam I get every day.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
