[SURBL-Discuss] RE: Pesky Pron Spam

Chris Santerre csanterre at merchantsoverseas.com
Wed Aug 11 13:24:11 CEST 2004



>-----Original Message-----
>From: Steven Champeon [mailto:schampeo at hesketh.com]
>Sent: Wednesday, August 11, 2004 11:48 AM
>To: 'SURBL Discussion list'
>Subject: Re: [SURBL-Discuss] RE: Pesky Pron Spam
>
>
>on Wed, Aug 11, 2004 at 09:49:39AM -0400, Chris Santerre wrote:
>> Look at these things they have in common. Need to look at 
>rawbody code.
>> 
>> alt=3d
>> =2e(org|gif|htm) #split into 3
>> name=3dgenerator
>> ==.HTM
>> bgColor=3d
>> face=3d
>> src=3d
>> border=3d
>> title=3d
>> face=3d
>> <STYLE></STYLE>
>> 
>> Needs to be one big meta rule 
>
>...that will also catch pretty much every last MSHTML email ever sent.
>That's just base64-encoded HTML, Chris. The empty STYLE element may
>be unique, but I doubt it.
>
>I first successfully quarantined these by searching on 
>
><BIG><STRONG>
>and
><STRONG><BIG>
>
>in the body. That should be sufficient without FPs. But these 
>others are
>common enough that I wouldn't want to risk it, even in a big compound
>rule.
>
>-- 


LOL yeah now that I look at it.......yup. Silly! I should never try to
pattern match without coffee. Of course this was off the top of my head
without any testing. The SARE ninjas would have flogged me good on that one
:)

--Chris 


More information about the Discuss mailing list