John Wilcock wrote:
Brian Ipsen wrote:

Recently I've noticed a lot of spammer emails in HTML format containing
entries like:

<SPAN style="DISPLAY: none"> perfume </SPAN>

The text/word in the SPAN tags is random.... Has anyone implemented a rule
to assign a high score for messages which match this pattern (with the
"display: none" style) ??


I use the following rule which seems to work well:

full     local_DISPLAY_NONE    /\bdisplay\s?:\s?none\b/i
describe local_DISPLAY_NONE    Style with "display: none" CSS attribute
score     local_DISPLAY_NONE    2.0


FWIW, I'd really suggest using rawbody instead of full for this rule. Anything that's base64 encoded will evade the full rule, but not the rawbody rule. Also the full rule will check lots of parts of the message you don't care about (headers, binary mime segments, etc).

In general I'd not use full at all unless you're really sure that's what you need.

Quick suggestions on choice of rule type:

body - contains text mime segments (plain and html) and subject text with html tags removed, end-of-lines removed, QP/base64 decoded. Best choice for most rules that want to examine the body text.

rawbody - QP/base64 decoded text (plain and html) mime segments. html tags/EOLs are left in place. This choice is best for checking HTML tags or looking for line-wrap based obfuscations.

full - entire message, with all headers, all mime segments, and no decoding. Just raw, as it was on the wire. Best reserved for mime encoding checks, base64 encoding checks, and other checks of the raw encoding format. This rule type is also generally slowest to execute as it examines the most text.


header RULE_NAME ALL =~ /regex/ - Checks all header lines. Best for checking if a string exists in any of the headers without checking the body text.

header RULE_NAME HeaderName:raw =~ /regex/ - (3.0.0 or higher) Checks the header without any QP or base64 decoding. Best for looking for illegal unencoded characters in headers.
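To make the full-vs-rawbody point concrete, here is an added Python example (not from this thread and not SpamAssassin's own code) that approximates the `full`, `rawbody` and `body` views of a constructed message whose HTML part is base64 encoded, and runs the regex from the local_DISPLAY_NONE rule against each view. The addresses and message text are placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Regex from the local_DISPLAY_NONE rule quoted in this thread.
DISPLAY_NONE_RE = re.compile(r"\bdisplay\s?:\s?none\b", re.IGNORECASE)

def build_sample_message() -> bytes:
    """Constructed sample: an HTML-only message whose text/html part is
    base64 encoded, as many mailers do. Addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "special offer"
    html = ('<html><body><p>Hello</p>'
            '<SPAN style="DISPLAY: none"> perfume </SPAN></body></html>')
    msg.set_content(html, subtype="html", cte="base64")
    return msg.as_bytes()

def full_view(raw: bytes) -> str:
    """'full': the whole message as it was on the wire, headers and all,
    with no transfer decoding applied."""
    return raw.decode("ascii", errors="replace")

def rawbody_view(raw: bytes) -> str:
    """'rawbody': text MIME parts after QP/base64 decoding, with HTML tags
    and line ends left in place."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")

def body_view(raw: bytes) -> str:
    """'body' (approximation): decoded text with HTML tags and line ends
    removed, so tag attributes such as style= are no longer visible."""
    text = re.sub(r"<[^>]*>", " ", rawbody_view(raw))
    return " ".join(text.split())

def rule_matches(view: str) -> bool:
    """Does the local_DISPLAY_NONE regex fire on this view of the message?"""
    return DISPLAY_NONE_RE.search(view) is not None

if __name__ == "__main__":
    raw = build_sample_message()
    for name, view in (("full", full_view), ("rawbody", rawbody_view),
                       ("body", body_view)):
        print(f"{name:8s} -> {rule_matches(view(raw))}")
```

Only the rawbody view fires: the base64 text in the full view never contains the literal string, and the body view has already stripped the tag that carried the style attribute.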




