On 2025-08-16 05:12, giova...@paclan.it wrote:
> On 8/14/25 12:06 PM, Mark London wrote:
>> Hi - These days, how often do spammers add additional random hidden
>> text? For example, I found a ton of extra text at the bottom of an
>> email, that was hidden by the following HTML:
>> <div style="font-family:Cambria, 'Hoefler Text', 'Liberation Serif',
>> Times, 'Times New Roman', serif; width:1px; line-height:0;
>> overflow:hidden">
>> Is this a common enough spammer technique, for me to write a rule to
>> test for it? Thanks! - Mark
> I tried to write something similar in the past
> (https://github.com/apache/spamassassin/blob/trunk/rulesrc/sandbox/gbechis/20_html.cf)
> but I disabled them since they hit a lot of commercial newsletters as well.
> We can write a rule and I can add it to my sandbox for testing, could
> you share (privately if you prefer) a spam email using this technique?
> Thanks
> Giovanni
I have a rule that looks for much text with no height:
full __AB_LINEZERO /line-height?:\s*[0][^0-9.][^<]{1000,}</i
And another that looks for a lot of small font text:
full __AB_SMALLFONT /font(-size)?:\s*[0-8](\.[0-9]*)?px[^<]{1000,}</i
Usually this is an attempt to get around Bayesian classification, so I
also have these:
full __AB_BAYES_BUSTING_DIV /<div.{10000,}?<\/div>/
full __AB_BAYES_BUSTING_P /<p.{10000,}?<\/p>/
I use these as meta rules, so for example if the message also comes from
a domain commonly used for spam (one of the KAM rules), I'll bump the
score by a bit (maybe 0.2 to 0.5) for each.
In my experience no one indicator is reliable (except in the most
insidious cases which get scores like 20.0). Spam usually triggers
several other rules, which pushes the overall score over 5, which is
where I have the flag threshold set, and sometimes over 10 where they
get sent to write-only memory.
--
For SpamAssassin Users List
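
The line-height and small-font checks discussed in this thread, as an added example that is not part of the original messages: a Python harness that runs patterns adapted from the reply over constructed HTML samples and applies a meta-style bump. It assumes the patterns are applied to the decoded HTML part (SpamAssassin `full` rules see the raw message); `hidden_text_hits`, `bump` and the 0.3 per-rule value are hypothetical names and values chosen for illustration.

```python
import re

# Patterns adapted from the reply above (this syntax is the same in Perl and Python).
LINEZERO = re.compile(r"line-height?:\s*[0][^0-9.][^<]{1000,}<", re.I)
SMALLFONT = re.compile(r"font(-size)?:\s*[0-8](\.[0-9]*)?px[^<]{1000,}<", re.I)


def hidden_text_hits(html):
    """Return the names of the hidden-text sub-rules that match this HTML."""
    hits = []
    if LINEZERO.search(html):
        hits.append("__AB_LINEZERO")
    if SMALLFONT.search(html):
        hits.append("__AB_SMALLFONT")
    return hits


def bump(html, spammy_domain, per_rule=0.3):
    """Meta-rule style scoring: add per_rule for each sub-rule hit, but only
    when the separate sender-domain indicator also fired. per_rule is a
    constructed value inside the 0.2 to 0.5 range mentioned in the reply."""
    if not spammy_domain:
        return 0.0
    return round(per_rule * len(hidden_text_hits(html)), 2)


# Constructed samples (not taken from real mail).
FILLER = "lorem ipsum dolor sit amet " * 50  # 1350 characters, no '<'
SAMPLES = {
    # Styling from the first message, followed by a long run of text.
    "padding": '<div style="width:1px; line-height:0; overflow:hidden">' + FILLER + "</div>",
    # Newsletter-style preheader: same styling, but only a few words.
    "preheader": '<div style="line-height:0; overflow:hidden">View in browser</div>',
    # Tiny font followed by a long run of text.
    "tiny": '<span style="font-size:1px">' + FILLER + "</span>",
    # Both indicators on one element.
    "both": '<div style="font-size:1px; line-height:0">' + FILLER + "</div>",
    # Ordinary styling with long text: 1.4 and 14px must not match.
    "normal": '<p style="line-height:1.4; font-size:14px">' + FILLER + "</p>",
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name:10} hits={hidden_text_hits(html)} bump={bump(html, True)}")
```

The `{1000,}` length requirement is what keeps the short preheader sample from matching even though it uses the same `line-height:0` styling.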