From schampeo@hesketh.com Wed Aug 11 17:48:34 2004
From: Steven Champeon <schampeo@hesketh.com>
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] RE: Pesky Pron Spam
Date: Wed, 11 Aug 2004 11:47:55 -0400
Message-ID: <20040811154755.GI27855@hesketh.com>
In-Reply-To:
 <620A4FF9B83DD511B69900062939D037ABFF3A@internal.merchantsoverseas.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4315211480611283328=="

--===============4315211480611283328==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

on Wed, Aug 11, 2004 at 09:49:39AM -0400, Chris Santerre wrote:
> Look at these things they have in common. Need to look at rawbody code.
> 
> alt=3d
> =2e(org|gif|htm) #split into 3
> name=3dgenerator
> ==.HTM
> bgColor=3d
> face=3d
> src=3d
> border=3d
> title=3d
> face=3d
> <STYLE></STYLE>
> 
> Needs to be one big meta rule 

...that will also catch pretty much every last MSHTML email ever sent.
That's just base64-encoded HTML, Chris. The empty STYLE element may
be unique, but I doubt it.

I first successfully quarantined these by searching on 

<BIG><STRONG>
and
<STRONG><BIG>

in the body. That should be sufficient without FPs. But these others are
common enough that I wouldn't want to risk it, even in a big compound
rule.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
Buy "Cascading Style Sheets: Separating Content from Presentation, 2/e" today!
http://www.amazon.com/exec/obidos/ASIN/159059231X/heskecominc-20/ref=nosim/

--===============4315211480611283328==--