Re: Hidden text.

Sat, 16 Aug 2025 13:03:48 -0700 


Dear All,

Interesting. I never saw this, maybe because I didn't look close enough.

But stupid question: Why does it make sense for spammers or in general 
for newsletters to add hidden text ?


// Hans

--


On 16.08.25 16:41, Alan via users wrote:



On 2025-08-16 05:12, giova...@paclan.it wrote:

On 8/14/25 12:06 PM, Mark London wrote:

Hi - These days, how often do spammers at additional random hidden 
text?   For example, I found a ton of extra text at the bottom of an 
email, that was hidden by the following HTML:



<div style="font-family:Cambria, 'Hoefler Text', 'Liberation Serif', 
Times, 'Times New Roman', serif; width:1px; line-height:0; 
overflow:hidden">



Is this a common enough spammer technique, for me to write a rule to 
test for it?  Thanks! - Mark

I tried to write something similar in the past 
(https://github.com/apache/spamassassin/blob/trunk/rulesrc/sandbox/gbechis/20_html.cf) 
but I disabled them

since they hit lot of commercial newsletters as well.

We can write a rule and I can add it to my sandbox for testing, could 
you share (privately if you prefer) a spam email using this technique ?

 Thanks
  Giovanni


I have a rule that looks for much text with no height:

full        __AB_LINEZERO /line-height?:\s*[0][^0-9.])[^<]{1000,}</i

And another that looks for a lot of small font text:


full        __AB_SMALLFONT 
/font(-size)?:\s*[0-8](\.[0-9]*)?px[^<]{1000,}</i



Usually this is an attempt to get around Bayesian classification, so I 
also have these:


full        __AB_BAYES_BUSTING_DIV /<div.{10000,}?<\/div>/
full        __AB_BAYES_BUSTING_P /<p.{10000,}?<\/p>/


I use these as meta rules, so for example if the message also comes 
from a domain commonly used for spam (one of the KAM rules), I'll bump 
the score by a bit (maybe 0.2 to 0.5) for each.



In my experience no one indicator is reliable (except in the most 
insidious cases which get scores like 20.0). Spam usually triggers 
several other rules, which pushes the overall score over 5, which is 
where I have the flag threshold set, and sometimes over 10 where they 
get sent to write-only memory.


--
For SpamAssassin Users List






















					Reply via email to