John Hardin <jhar...@impsec.org> wrote on 01/29/2014 12:34:29 PM:
> From: John Hardin <jhar...@impsec.org>
> To: users@spamassassin.apache.org,
> Date: 01/29/2014 12:35 PM
> Subject: Re: Help with a regex to catch spam with gibberish html tags
>
> On Wed, 29 Jan 2014, Joe Quinn wrote:
>
> > On 1/29/2014 11:53 AM, Andy Jezierski wrote:
> >> I've been noticing a lot of spam getting through with the same
traits, a
> >> bunch of random words within brackets. They all seem to come after
the
> >> </body> or the </html> tag. Anyone much more knowledgeable than me
care
> >> to assist with a rule to detect them?
> >>
> >> Example:
> >>
> >> </html>
> >>
> >> </body>
> >> <style>
> >> <geehrter>
> >> <convaincre>
> >> <eingerichtet>
> >> <piuttosto>
> >> <meny>
>
> ...etc snipped.
>
> > I've been seeing that as well. They seem to all begin with <style>as
well,
> > to keep that crap from going through mail client HTML parsers.
> >
> > You can probably exploit the fact that nobody is ever going to
> write a style
> > block that doesn't match /[{}]/, but I haven't been able to experiment
yet
> > with any rules.
>
> There is already a style gibberish rule.
>
>
http://ruleqa.spamassassin.org/20140128-r1562007-n/STYLE_GIBBERISH/detail
>
I've seen the STYLE_GIBBERISH rule hit on a number of messages, but never
on this type of spam.
