Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Valid HTML Tag
  FAQ FAQ  Forum Search   Register Register  Login Login

Valid HTML Tag

 Post Reply Post Reply
Author
regex View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote regex Quote  Post ReplyReply Direct Link To This Post Topic: Valid HTML Tag
    Posted: 22 July 2003 at 6:19pm

I've found a few slipped in spams with the keywords "viagra". After looking at the source, the following line:

VIA<!-- whcemhsbjg -->GRA

This html line displays VIAGRA in the message body.

I have the RegEx line in blocked keywords list which is (<[!--]+[a-zA-Z0-9]{11,})

What should I do to block the future spam containing the such html lines?

Thanks

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 23 July 2003 at 1:31am

(<[!--]+[\x20]{0,1}[a-zA-Z0-9]{10,}[\x20]{0,1}[!--])

Blocks that one.  I use the following conbination to try to "nail" most of that type of garbage:

((http|3dhttp)://.{0,15}(%|@|:)[(\d|\w)])
((href="http|src=3d"http|href=3d"http)://+[\d])
(<[!--]+[\x20]{0,1}[a-zA-Z0-9]{10,}[\x20]{0,1}[!--])
(<[!--]+[a-zA-Z0-9]{2}(-->))
((<font color="(#ffffff|ffffff)".*){3,20})
(http://http:/\w)
(\b(content\-type:\x20text/(html|plain)\r\ncontent-transfer\-encoding:\x20base64\r\n))

WARNING! Watch for a future post. I created a SERIOUS problem with a variation of the ((<font color="(#ffffff|ffffff)".*){3,20})  expression. 

LogSat Support is working on trying to figure out what I did wrong.  However, I am using the above expressions without any issues (after removing my "improvement"!).

Regards,

Dan S.

Back to Top
Danny View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Danny Quote  Post ReplyReply Direct Link To This Post Posted: 23 July 2003 at 11:09am

Hi, thank you so much for your reply. Used your code and so far worked great. I'm now looking back at your code trying to figure out what exactly they mean (learned Perl from at my school).

By the way, I just found a slipped in spam containing source similar to the following:

<!w>VI<!e><!r>A<!c>G<!d>RA<!r>

So I appended one more entry to your list which is:

((<![a-zA-Z0-9]{1}>)+)

Any comments?

Thanks again,

Danny

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 23 July 2003 at 11:35am

Danny,

I will evaluate it after I fully wake up.  Are you seeing any false positives?

Dan S.

Back to Top
Danny View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Danny Quote  Post ReplyReply Direct Link To This Post Posted: 23 July 2003 at 1:42pm

Hi Dan, not so far yet, everything seems working fine.

Here is another challenge, just found another slipped in spam:

<a href="http://GDJQPHHXHBBDMJBWHYETHJERE@www.anwcream.com/unsubscribe.html">

What I did is changed a little to the following expression:

((http|3dhttp)://.{0,26}(%|@|:)[(\d|\w)])

Please note I used 26 instead of 15. Hope this won't generate tons of complaint from my users :)

Danny

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 24 July 2003 at 12:22am

Danny,

I have change to 26 in one of my servers and left the 15 in another server.  I will grab the stats after 24 hours and try to check for false positives.  I have to make a judgement call on what is false ... One persons Spam is another persons reading material!

Dan

 

Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.094 seconds.