Catching Floating DIV spam
gbrayut (Newbie) Joined: 17 May 2006, Location: United States, Points: 3
Posted: 15 June 2006 at 3:21pm
I have been having a significant amount of spam in recent weeks that gets past keyword filters by breaking words into sections using floating DIVs. I have been looking for a way to catch them using regex filters, but have not been able to find an expression that works. Does anyone have advice on how to catch these emails?
```
Message-ID: <000001c69070$936d5270$1867a8c0@esj85>
Reply-To: "Socorro Lard" <lardsoco@hamiltonlaw.net>
From: "Socorro Lard" <lardsoco@hamiltonlaw.net>
To: info@*****
Subject: iieir Rfinnance
Date: Thu, 15 Jun 2006 04:41:01 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01C69035.E7133560"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <lardsoco@hamiltonlaw.net>
X-SF-HELO-Domain: hamiltonlaw.net

This is a multi-part message in MIME format.

------=_NextPart_000_0001_01C69035.E7133560
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi,
=20
Your B d es l t A p vail s ab d le R l at n e - vi a si u t w d eb s i ite <http://koterp.com/n/>=20
=20
$ 2 i 00,00 j 0 fo j r o g nly $82 z 7 mon i th
$ 30 f 0,0 h 00 f z or on r ly $89 t 7 m t onth
$ 4 c 00,0 s 00 f w or onl w y $95 v 7 mo x nth
$ 50 c 0,00 u 0 f s or o r nly $10 f 07 m h onth
=20
Ba q d C c re p di s t O t K
=20
_____
=20
you at the journeys end! That is the polite thing to say among eagles. May the wind under your wings bear you where the sun sails and the moon walks, answered Gandalf, who knew the correct reply. And so they parted.
And though the lord of the eagles became in after days the King

------=_NextPart_000_0001_01C69035.E7133560
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; = charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV>Hi,</DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D3>Your B<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> d </FONT>es<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> l </FONT>t A<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> p </FONT>vail<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> s </FONT>ab<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> d </FONT>le R<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> l </FONT>at<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> n </FONT>e - <A = href=3D"http://koterp.com/n/">vi<FONT face=3DArial size=3D2 STYLE=3D" = FLOAT: right "> a </FONT>si<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: = right "> u </FONT>t w<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right = "> d </FONT>eb s<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right "> i = </FONT>ite</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D4>$ 2<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> i </FONT>00,00<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> j </FONT>0 fo<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> j </FONT>r o<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> g </FONT>nly $82<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> z </FONT>7 mon<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> i </FONT>th</FONT></DIV>
<DIV><FONT face=3DArial size=3D4>$ 30<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> f </FONT>0,0<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> h </FONT>00 f<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> z </FONT>or on<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> r </FONT>ly $89<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> t </FONT>7 m<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> t </FONT>onth</FONT></DIV>
<DIV><FONT face=3DArial size=3D4>$ 4<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> c </FONT>00,0<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> s </FONT>00 f<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> w </FONT>or onl<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> w </FONT>y $95<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> v </FONT>7 mo<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> x </FONT>nth</FONT></DIV>
<DIV><FONT face=3DArial size=3D4>$ 50<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> c </FONT>0,00<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> u </FONT>0 f<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> s </FONT>or o<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> r </FONT>nly $10<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> f </FONT>07 m<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> h </FONT>onth</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D4>Ba<FONT face=3DArial size=3D2 STYLE=3D" = FLOAT: right "> q </FONT>d C<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: = right "> c </FONT>re<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right = "> p </FONT>di<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right "> s = </FONT>t O<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right "> t = </FONT>K</DIV>
<DIV> </DIV>
<HR>
<DIV><FONT face=3DArial size=3D2>you at the journeys end! That is the = polite thing to say among eagles.<BR> May the wind under your wings bear you where the sun sails and the = moon<BR> walks, answered Gandalf, who knew the correct reply. And so they<BR> parted. And though the lord of the eagles became in after days the = King<BR></FONT></DIV></BODY></HTML>
------=_NextPart_000_0001_01C69035.E7133560--
```
--
Greg Bray, IT Manager, OQ Measures LLC
Marcus (Newbie) Joined: 25 July 2005, Location: United States, Points: 21
Usually I target the URL in something like you have listed: `ite <http://koterp.com/n/>=20`. `(\bkoterp\.com\b)` stops anything with a link to that domain.
sgeorge (Senior Member) Joined: 23 August 2005, Points: 178
It can be really tough to keep up on the latest web site they use in this type of spam. Since they send the only email that I ever notice with inline HTML elements (besides IMG) that have a float property, I made a RegExp that seems to be very effective at catching this stuff. gbrayut, I sent it to you via PM (I wouldn't want them to get ahead of me again now that I'm catching 'em).
Stephen
mikek (Senior Member) Joined: 22 February 2005, Location: Switzerland, Points: 133
sgeorge: I'd be happy if you sent me this regex as well! Thanks!
Edited by mikek
sgeorge (Senior Member) Joined: 23 August 2005, Points: 178
No problem, I sent it over to you. Happy 4th!
Stephen
Marcus (Newbie) Joined: 25 July 2005, Location: United States, Points: 21
sgeorge is correct - it is a constant update procedure to keep up. sgeorge: could I possibly take a peek at your regex?
Marcus
sgeorge (Senior Member) Joined: 23 August 2005, Points: 178
Sure thing, I pm'd ya.
Stephen
dcook (Senior Member) Joined: 31 January 2005, Location: United States, Points: 174
Thanks for not posting it in the forum -- please send me a copy of your regex.
Dwight

Dwight
www.vividmix.com
sgeorge (Senior Member) Joined: 23 August 2005, Points: 178
Hmm, I'm trying to tell if you're being sarcastic there.
Anywho, I pm'd you the RegEx. (I don't post it publicly because I like to avoid the chance that spammers may obtain keywords we use for blocking their messages.)
Stephen
dcook (Senior Member) Joined: 31 January 2005, Location: United States, Points: 174
No, I'm serious -- why give the spammers a clue as to how you are looking for their content! Thanks for your code.

Dwight
www.vividmix.com
dcook (Senior Member) Joined: 31 January 2005, Location: United States, Points: 174
The code looks good and may be valid. I am afraid that it will generate false positives because CSS is a valid form of programming.

Dwight
www.vividmix.com
sgeorge (Senior Member) Joined: 23 August 2005, Points: 178
dcook, without revealing too much about the RegEx code that I sent you...
The "float:right" CSS rule is a commonly-used statement, but the RegEx that I use avoids the typical uses of "float:right". Agreed, if we were to block all occurrences of "float:right", we would end up with an enormous amount of false positives. I can explain what the convoluted RegEx statement does and what it's supposed to do by way of PM, if you'd like. Also, I haven't experienced any false positives with that RegEx yet - but if you do, please let me know.
Stephen
Edited by sgeorge
sgeorge (Senior Member) Joined: 23 August 2005, Points: 178
Just to clarify... unlike what the title of this forum topic would suggest, what we're trying to block here are not "floating DIVs".
In fact, while the example email source that gbrayut posted does have DIVs in it, none of the DIV elements use/abuse the float property. The trick to isolating this type of spam is to identify when and how the float property is abused - which, in this context, is not with DIVs.
Stephen
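A defender-side check for the trick sgeorge describes, written as an added example and not the regex from this thread (which was only shared by PM): it parses the HTML part, pulls out the text of inline elements (FONT, SPAN, A and similar) whose style floats them, and flags the message when most of those fragments are lone junk characters, while a block-level floated DIV of the kind legitimate newsletters use is left alone. It also rebuilds the reading-order text, which shows why a plain keyword filter never sees the word "Available" in the source. The sample markup is constructed to mirror the posted spam; the inline tag list and the threshold are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the spam in the thread: inline FONT elements
# styled "FLOAT: right" hold single junk letters between fragments of real words.
SPAM_HTML = (
    '<DIV><FONT face=Arial size=3>Your B<FONT size=2 STYLE=" FLOAT: right "> d </FONT>'
    'es<FONT size=2 STYLE=" FLOAT: right "> l </FONT>t A<FONT size=2 STYLE=" FLOAT: right "> p </FONT>'
    'vail<FONT size=2 STYLE=" FLOAT: right "> s </FONT>ab<FONT size=2 STYLE=" FLOAT: right "> d </FONT>'
    'le</FONT></DIV>'
)
# Constructed legitimate layout: a block-level DIV floated right, as newsletters commonly do.
LEGIT_HTML = ('<DIV style="float:right; width:200px"><P>Contact us for details.</P></DIV>'
              '<P>Your Best Available Rate</P>')

FLOAT_RE = re.compile(r'float\s*:\s*(left|right)', re.I)
INLINE_TAGS = {'font', 'span', 'a', 'b', 'i', 'u', 'em', 'strong'}   # assumed list

class FloatScanner(HTMLParser):
    """Separates text inside floated inline elements from the text the reader sees in order."""
    def __init__(self):
        super().__init__()
        self.stack = []     # one flag per open element: is it a floated inline element?
        self.floated = []   # text fragments pulled out of the reading flow by float
        self.visible = []   # everything else, in source order
    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get('style') or ''
        self.stack.append(tag in INLINE_TAGS and bool(FLOAT_RE.search(style)))
    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()
    def handle_data(self, data):
        (self.floated if any(self.stack) else self.visible).append(data)

def analyze(html):
    s = FloatScanner()
    s.feed(html)
    frags = [t.strip() for t in s.floated]
    single = sum(1 for t in frags if len(t) <= 1)   # lone characters are the giveaway
    return {
        'floated_inline': len(frags),
        'single_char': single,
        # Text with the floated junk removed: what a keyword filter should really see.
        'reading_text': re.sub(r'\s+', ' ', ''.join(s.visible)).strip(),
    }

def is_float_split_spam(html, min_fragments=3):
    # Assumed threshold: several floated inline fragments, and most of them single characters.
    r = analyze(html)
    return r['single_char'] >= min_fragments and r['single_char'] * 2 >= r['floated_inline']
```

Feeding `reading_text` back into the existing keyword filters lets them match the words the spammer split, instead of blocking on "float:right" itself.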
Alan (Groupie) Joined: 06 May 2005, Location: United States, Points: 43
Hey sgeorge, I would love to get the code too.
Thanks.
sgeorge (Senior Member) Joined: 23 August 2005, Points: 178
Absolutely, happy to.
I've had very good success with the keyword. After almost a month of using it, I haven't had any of my users notify me of anything like this getting through. On the false positives side of things, I rigorously check my quarantine, and over the past few weeks we've had 3 false positives. It's not 100% perfect, but it's very close to it - it's a rarity for it to catch something by mistake - but it can happen.
Stephen
vrspock (Newbie) Joined: 31 May 2005, Location: United States, Points: 16
Any chance I could get a copy of this regex as well? Thanks.
sgeorge (Senior Member) Joined: 23 August 2005, Points: 178
No problem! Lately, I'm actually seeing 3 general spam techniques for exploiting the float property in CSS. I sent you all 3 corresponding keywords that I use to combat 'em.
Stephen
StevenJohns (Senior Member) Joined: 03 August 2006, Points: 119
Hello sgeorge, is there any chance that I could have a copy of the regex please? I am not using any regex filters at all, and would like to get into it. Can anyone point me in the right direction? How many of you are using regex filters, and how many filters are you using? Sorry to ask so many questions, but I want to see if it's worth my time getting to grips with.
Cheers
sgeorge (Senior Member) Joined: 23 August 2005, Points: 178
Hi StevenJohns, I just sent you the regex that I've been using for these particular techniques. Thanks for being so patient... I've been MIA from the forums for a few weeks.
In terms of filters and metrics, I'm a weird example. I use 203 non-RegEx filters; I also use 97 RegEx filters. In all, I would estimate that at any given time that I check our quarantine, about 40 of all of these filters have blocked one or more messages in our quarantine.
Stephen
StevenJohns (Senior Member) Joined: 03 August 2006, Points: 119
Hi Stephen,
Just got your PM. Thanks.
WOW... how many keyword filters!?!?!
And yes, I would like to have a look at more filters, if you don't mind. I will PM you my email address, just in case it's easier that way.
Cheers
pierfish (Newbie) Joined: 27 September 2006, Points: 1
Hello, can I have a copy of the regex please?
Thanks