Hi Bob
Robert Menschel wrote:
Well this discussion comes just right as I'm developing my own Anti-Coding Rules for some weeks now which all proved quite effective on my small system (with about 300 ham and 300 spam mails a day)Friday, June 4, 2004, 10:36:43 AM, you wrote:
RV> that tiny font stuff is barely catchable :( RV> try to catch this: RV> <font style="font-size:0.01234567890px ...
Thanks for the ideas. While I'm not sure how valid the html/css is, certainly some email clients will display it as the spammer wanted.
Now to see if I can enhance the rule(s -- there are others also) to catch these before the spammers take action on your samples. :-)
Bob Menschel
I started making my own rules as I found the first spam with a 1px font that wasn't caught by the two already present rules
My rule to catch those stuff bases on the idea that I dont try to catch the complete font-size but just as far as I can be sure it HAS to be a tinyfont...
All mentioned examples were caught by my rule which goes as follows:
rawbody MKE_CSS_ZEROSIZE /<[^>]+(=3d|\b)font-size:[\s\"\']*[0]*[0-4][^0-9]/i
describe MKE_CSS_ZEROSIZE A CSS contained font-size:0 up to 4
score MKE_CSS_ZEROSIZE 0.5
Other stuff that is incorporated in this rule:
Almost all others dont catch stuff like: style="color:black; font-size:0px"
That's why I completely ignored any style and just make sure that this font-size HAS to appear inside a tag where I dont see any other possibility than in a style-like block
the other thing is I dont want to use pt, px or whatever... because browsers also accept just a font-size:0 without any other thing. additionally there's more stuff than pt and px !
So I just make sure that the number may be padded with zeros, then has a 0, 1, 2, 3 or 4 and the NEXT char is anything but a number...
That might be a dot, a 'px' - whatever.......
So Bob, I believe you have the possibility to do some masschecking over all my rules (I've got a lot of other CSS and especially HTML tag rules very often seen in spammails) as I'd like to know if they can hit some hams which most of those did not do on my system....
Then I could send you my rules and if they prove to be successful, plese be free to include them in sare_html
I'm very sorry that I didn't see up to right now that sare_coding has been moved to sare_html and I've not yet tested those so there might be a couple of double rules but I'm sure we can sort that out.....
Have a nice day
Matt
