Print Page | Close Window

Valid HTML Tag

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=1447
Printed Date: 14 March 2025 at 6:54am


Topic: Valid HTML Tag
Posted By: Guests
Subject: Valid HTML Tag
Date Posted: 22 July 2003 at 6:19pm

I've found a few slipped in spams with the keywords "viagra". After looking at the source, the following line:

VIA<!-- whcemhsbjg -->GRA

This html line displays VIAGRA in the message body.

I have the RegEx line in blocked keywords list which is (<[!--]+[a-zA-Z0-9]{11,})

What should I do to block the future spam containing the such html lines?

Thanks


Replies:
Posted By: Desperado
Date Posted: 23 July 2003 at 1:31am

(<[!--]+[\x20]{0,1}[a-zA-Z0-9]{10,}[\x20]{0,1}[!--])

Blocks that one.  I use the following conbination to try to "nail" most of that type of garbage:

((http|3dhttp)://.{0,15}( mailto:%|@|:)[(\d|\w" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - %|@|:)[(\d|\w )])
((href="http|src=3d"http|href=3d"http)://+[\d])
(<[!--]+[\x20]{0,1}[a-zA-Z0-9]{10,}[\x20]{0,1}[!--])
(<[!--]+[a-zA-Z0-9]{2}(-->))
((<font color="(#ffffff|ffffff)".*){3,20})
( http://http:/" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - http://http:/ \w)
(\b(content\-type:\x20text/(html|plain)\r\ncontent-transfer\-encoding:\x20base64\r\n))

WARNING! Watch for a future post. I created a SERIOUS problem with a variation of the ((<font color="(#ffffff|ffffff)".*){3,20})  expression. 

LogSat Support is working on trying to figure out what I did wrong.  However, I am using the above expressions without any issues (after removing my "improvement"!).

Regards,

Dan S.

Posted By: Guests
Date Posted: 23 July 2003 at 11:09am

Hi, thank you so much for your reply. Used your code and so far worked great. I'm now looking back at your code trying to figure out what exactly they mean (learned Perl from at my school).

By the way, I just found a slipped in spam containing source similar to the following:

<!w>VI<!e><!r>A<!c>G<!d>RA<!r>

So I appended one more entry to your list which is:

((<![a-zA-Z0-9]{1}>)+)

Any comments?

Thanks again,

Danny

Posted By: Desperado
Date Posted: 23 July 2003 at 11:35am

Danny,

I will evaluate it after I fully wake up.  Are you seeing any false positives?

Dan S.

Posted By: Guests
Date Posted: 23 July 2003 at 1:42pm

Hi Dan, not so far yet, everything seems working fine.

Here is another challenge, just found another slipped in spam:

<a href=" http://GDJQPHHXHBBDMJBWHYETHJERE@www.anwcream.com/unsubscribe.html" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - http://GDJQPHHXHBBDMJBWHYETHJERE@www.anwcream.com/unsubscribe.html" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - http://GDJQPHHXHBBDMJBWHYETHJERE@www.anwcream.com/unsubscribe.html ">

What I did is changed a little to the following expression:

((http|3dhttp)://.{0,26}( mailto:%|@|:)[(\d|\w" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - %|@|:)[(\d|\w )])

Please note I used 26 instead of 15. Hope this won't generate tons of complaint from my users :)

Danny

Posted By: Desperado
Date Posted: 24 July 2003 at 12:22am

Danny,

I have change to 26 in one of my servers and left the 15 in another server.  I will grab the stats after 24 hours and try to check for false positives.  I have to make a judgement call on what is false ... One persons Spam is another persons reading material!

Dan

 


Print Page | Close Window