On Sat, 26 Jan 2019, John Hardin wrote:

On Sat, 26 Jan 2019, Mark London wrote:

Does anyone have any rules that can catch this type of obfuscated spam?

https://pastebin.com/qi8dsREW

There's some "invisible font" subrules in my sandbox that this hits (__STY_INVIS_MANY, __FONT_INVIS_MANY) but scored versions aren't currently exposed. I think when I was testing them I was amazed by the poor S/O - why would legitimate emails include invisible text?

It may be that there is something they can be combined with to catch this.

I'll take a look at the masscheck results soon and see if anything suggests itself.

Invisible styles seem to be really popular in ham for some reason. I've added a meta with some no-ham hits, we'll see how it does.

Explicit multiple invisible fonts, on the other hand, are very rare in the masscheck corpus, and are only spam. I've put this into my sandbox for evaluation:

    meta      HTML_TEXT_INVISIBLE_FONT      __FONT_INVIS_MANY

...but there may not be enough total corpus hits for masscheck to feel worthy of publishing it, so you might want to make that a local rule with whatever score you feel is appropriate.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...every time I sit down in front of a Windows machine I feel as
  if the computer is just a place for the manufacturers to put their
  advertising.                                 -- fwadling on Y! SCOX
-----------------------------------------------------------------------
 Today: Wolfgang Amadeus Mozart's 263rd Birthday
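
A local rule along the lines suggested in the message above, as an added example that is not John Hardin's sandbox code or part of the SpamAssassin ruleset. The page does not show how `__FONT_INVIS_MANY` is defined, so the `__LOCAL_FONT_INVIS` subrule, the "zero font-size in an inline style" definition of invisible, the threshold of 5 and the score are all assumptions to tune against your own mail.

```conf
# Added example for local.cf. All rule names here are hypothetical local names.
# Assumption: "invisible font" means a <font> tag whose inline style sets
# font-size to zero (0, 0px, 0pt, 0em, 0%, 0.0px ...).

# Subrule: one hit per matching <font> tag, counted at most 5 times per message.
# rawbody sees the decoded HTML with tags intact; a tag split across lines is missed.
rawbody   __LOCAL_FONT_INVIS   /<font\b[^>]{0,200}\bstyle\s*=\s*["'][^"'>]{0,200}\bfont-size\s*:\s*0+(?:\.0+)?(?:px|pt|em|%)?\s*[;"']/i
tflags    __LOCAL_FONT_INVIS   multiple maxhits=5

# Scored rule: fire only when several invisible fonts appear in one message,
# since a single hidden element is common in legitimate mail.
meta      LOCAL_HTML_INVIS_FONT_MANY   (__LOCAL_FONT_INVIS >= 5)
describe  LOCAL_HTML_INVIS_FONT_MANY   Several zero-size font tags in HTML body
# Constructed starting score; adjust after watching hits on your own ham and spam.
score     LOCAL_HTML_INVIS_FONT_MANY   1.5
```

Run `spamassassin --lint` after adding the rules to confirm they parse before reloading the daemon.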
