"David B Funk" dbfunk@engineering.uiowa.edu wrote:
I'm seeing a new spam variant that is clearly designed to get past SURBL. It is an HTML message that contains many (50~100) 'invisible' links; links that have no target text, just: <A href="http://garbage.sitename.tld"></A>
In my spamfilter I check for this pattern and penalise any mail for including <a href=...></a> with no anchor text (you have to be careful with the parsing though, so as not to penalise <a name="URI"></a> which is legit).
Also quite common is to have a single non-alphabetic character as the anchor text, e.g.
<a href="URI">'</a> <a href="URI">.</a>
etc.
To add insult to injury, they're tossing in random "\r" (ASCII-CR) characters into the "payload" hostname to try to break SpamAssassin's URI parsing.
I strip out any CR/LF characters between the opening and closing double quote of a <a href=...> URL.
The next update of jwSpamSpy for Windows will query SURBL, which means it's coming full circle, since it is the tool that actually extracts and provides much of the JP domain data feed of SURBL :-)
Joe Wein
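
The checks described in this message, sketched as an added example (this is not jwSpamSpy's or SpamAssassin's code). The function names and reason labels are hypothetical, and treating image-only links as visible is an assumption the message does not state.

```python
import re
from html.parser import HTMLParser

# Double-quoted href values, the case the message describes.
HREF_VALUE = re.compile(r'(href\s*=\s*")([^"]*)"', re.I)

def strip_crlf_in_href(html):
    # Drop CR/LF found between the opening and closing quote of an href.
    return HREF_VALUE.sub(
        lambda m: m.group(1) + re.sub(r"[\r\n]", "", m.group(2)) + '"', html)

class AnchorAudit(HTMLParser):
    """Collect links whose anchor text is empty or one non-alphabetic char."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.href, self.text, self.has_img = None, [], False
        self.suspicious = []  # list of (href, reason)

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self.href is not None:
            self.has_img = True  # assumption: an image link is visible
        elif tag == "a":
            self._finish()  # tolerate an earlier <a> that was never closed
            # <a name="..."> has no href, so self.href stays None and it is skipped
            self.href, self.text, self.has_img = dict(attrs).get("href"), [], False

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            self._finish()

    def _finish(self):
        text = "".join(self.text).strip()
        if self.href and not self.has_img and len(text) <= 1 and not text.isalpha():
            self.suspicious.append((self.href, "single-symbol" if text else "empty"))
        self.href = None

def audit_links(html):
    parser = AnchorAudit()
    parser.feed(strip_crlf_in_href(html))
    parser.close()
    return parser.suspicious

# Constructed sample body; hostnames are placeholders.
SAMPLE = ('<p>Hi</p><a href="http://garbage.site\rname.example"></a>'
          '<a name="top"></a><a href="http://other.example/">.</a>'
          '<a href="http://shop.example/">Visit our shop</a>'
          '<a href="http://pic.example/"><img src="x.gif"></a>')
```

A filter would typically score on the number of entries `audit_links` returns rather than on a single hit, since the message describes 50 to 100 such links per mail.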