From csanterre@merchantsoverseas.com Wed Aug 11 18:23:11 2004
From: Chris Santerre <csanterre@merchantsoverseas.com>
To: discuss@lists.surbl.org
Subject: RE: [SURBL-Discuss] RE: Pesky Pron Spam
Date: Wed, 11 Aug 2004 12:24:11 -0400
Message-ID:
 <620A4FF9B83DD511B69900062939D037ABFF46@internal.merchantsoverseas.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3279719809330322763=="

--===============3279719809330322763==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit



>-----Original Message-----
>From: Steven Champeon [mailto:schampeo(a)hesketh.com]
>Sent: Wednesday, August 11, 2004 11:48 AM
>To: 'SURBL Discussion list'
>Subject: Re: [SURBL-Discuss] RE: Pesky Pron Spam
>
>
>on Wed, Aug 11, 2004 at 09:49:39AM -0400, Chris Santerre wrote:
>> Look at these things they have in common. Need to look at 
>rawbody code.
>> 
>> alt=3d
>> =2e(org|gif|htm) #split into 3
>> name=3dgenerator
>> ==.HTM
>> bgColor=3d
>> face=3d
>> src=3d
>> border=3d
>> title=3d
>> face=3d
>> <STYLE></STYLE>
>> 
>> Needs to be one big meta rule 
>
>...that will also catch pretty much every last MSHTML email ever sent.
>That's just base64-encoded HTML, Chris. The empty STYLE element may
>be unique, but I doubt it.
>
>I first successfully quarantined these by searching on 
>
><BIG><STRONG>
>and
><STRONG><BIG>
>
>in the body. That should be sufficient without FPs. But these 
>others are
>common enough that I wouldn't want to risk it, even in a big compound
>rule.
>
>-- 


LOL yeah now that I look at it.......yup. Silly! I should never try to
pattern match without coffee. Of course this was off the top of my head
without any testing. The SARE ninjas would have flogged me good on that one
:)

--Chris 

--===============3279719809330322763==--