Catching Floating DIV spam
gbrayut
Newbie Joined: 17 May 2006 Location: United States Status: Offline Points: 3
Posted: 15 June 2006 at 3:21pm
I have been having a significant amount of spam in recent weeks that gets past keyword filters by breaking words into sections using floating DIVs. I have been looking for a way to catch them using regex filters, but have not been able to find an expression that works. Does anyone have advice on how to catch these emails?
Message-ID: <000001c69070$936d5270$1867a8c0@esj85>
Reply-To: "Socorro Lard" <lardsoco@hamiltonlaw.net>
From: "Socorro Lard" <lardsoco@hamiltonlaw.net>
To: info@*****
Subject: iieir Rfinnance
Date: Thu, 15 Jun 2006 04:41:01 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01C69035.E7133560"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <lardsoco@hamiltonlaw.net>
X-SF-HELO-Domain: hamiltonlaw.net

This is a multi-part message in MIME format.

------=_NextPart_000_0001_01C69035.E7133560
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi, =20 Your B d es l t A p vail s ab d le R l at n e - vi a si u t w d eb s i ite <http://koterp.com/n/>=20 =20 $ 2 i 00,00 j 0 fo j r o g nly $82 z 7 mon i th $ 30 f 0,0 h 00 f z or on r ly $89 t 7 m t onth $ 4 c 00,0 s 00 f w or onl w y $95 v 7 mo x nth $ 50 c 0,00 u 0 f s or o r nly $10 f 07 m h onth =20 Ba q d C c re p di s t O t K =20 _____ =20 you at the journeys end! That is the polite thing to say among eagles. May the wind under your wings bear you where the sun sails and the moon walks, answered Gandalf, who knew the correct reply. And so they parted.
And though the lord of the eagles became in after days the King ------=_NextPart_000_0001_01C69035.E7133560 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Dus-ascii"> <META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV>Hi,</DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D3>Your B<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> d </FONT>es<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> l </FONT>t A<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> p </FONT>vail<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> s </FONT>ab<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> d </FONT>le R<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> l </FONT>at<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> n </FONT>e - <A = href=3D"http://koterp.com/n/">vi<FONT face=3DArial size=3D2 STYLE=3D" = FLOAT: right "> a </FONT>si<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: = right "> u </FONT>t w<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right = "> d </FONT>eb s<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right "> i = </FONT>ite</A></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D4>$ 2<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> i </FONT>00,00<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> j </FONT>0 fo<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> j </FONT>r o<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> g </FONT>nly $82<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> z </FONT>7 mon<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> i </FONT>th</FONT></DIV> <DIV><FONT face=3DArial size=3D4>$ 30<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> f </FONT>0,0<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> h </FONT>00 f<FONT face=3DArial 
size=3D2 = STYLE=3D" FLOAT: right "> z </FONT>or on<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> r </FONT>ly $89<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> t </FONT>7 m<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> t </FONT>onth</FONT></DIV> <DIV><FONT face=3DArial size=3D4>$ 4<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> c </FONT>00,0<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> s </FONT>00 f<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> w </FONT>or onl<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> w </FONT>y $95<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> v </FONT>7 mo<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> x </FONT>nth</FONT></DIV> <DIV><FONT face=3DArial size=3D4>$ 50<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> c </FONT>0,00<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> u </FONT>0 f<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> s </FONT>or o<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> r </FONT>nly $10<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> f </FONT>07 m<FONT face=3DArial size=3D2 = STYLE=3D" FLOAT: right "> h </FONT>onth</FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D4>Ba<FONT face=3DArial size=3D2 STYLE=3D" = FLOAT: right "> q </FONT>d C<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: = right "> c </FONT>re<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right = "> p </FONT>di<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right "> s = </FONT>t O<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right "> t = </FONT>K</DIV> <DIV> </DIV> <HR> <DIV><FONT face=3DArial size=3D2>you at the journeys end! That is the = polite thing to say among eagles.<BR> May the wind under your wings bear you where the sun sails and the = moon<BR> walks, answered Gandalf, who knew the correct reply. And so they<BR> parted. 
And though the lord of the eagles became in after days the = King<BR></FONT></DIV></BODY></HTML>
------=_NextPart_000_0001_01C69035.E7133560--
--
Greg Bray IT Manager OQ Measures LLC
Marcus
Newbie Joined: 25 July 2005 Location: United States Status: Offline Points: 21
Usually I target the URL in something like you have listed: ite <http://koterp.com/n/>=20
(\bkoterp\.com\b) stops anything with a link to that domain
sgeorge
Senior Member Joined: 23 August 2005 Status: Offline Points: 178
It can be really tough to keep up on the latest web site they use in this type of spam. Since they send the only email that I ever notice with inline HTML elements (besides IMG) that have a float property, I made a RegExp that seems to be very effective at catching this stuff. gbrayut, I sent it to you via PM (I wouldn't want them to get ahead of me again now that I'm catching 'em).
Stephen
mikek
Senior Member Joined: 22 February 2005 Location: Switzerland Status: Offline Points: 133
sgeorge: I'd be happy if you sent me this regex as well! Thanks!
sgeorge
Senior Member Joined: 23 August 2005 Status: Offline Points: 178
No problem, I sent it over to you. Happy 4th!
Stephen
Marcus
Newbie Joined: 25 July 2005 Location: United States Status: Offline Points: 21
sgeorge is correct - it is a constant update procedure to keep up. sgeorge: could I possibly take a peek at your regex?
Marcus
sgeorge
Senior Member Joined: 23 August 2005 Status: Offline Points: 178
Sure thing, I pm'd ya.
Stephen
dcook
Senior Member Joined: 31 January 2005 Location: United States Status: Offline Points: 174
Thanks for not posting it in the forum -- please send me a copy of your regex
Dwight
www.vividmix.com
sgeorge
Senior Member Joined: 23 August 2005 Status: Offline Points: 178
Hmm, I'm trying to tell if you're being sarcastic there.
Anywho, I pm'd you the RegEx. (I don't post it publicly because I like to avoid the chance that spammers may obtain keywords we use for blocking their messages.)
Stephen
dcook
Senior Member Joined: 31 January 2005 Location: United States Status: Offline Points: 174
No I'm serious -- why give the spammers a clue as to how you are looking for their content! Thanks for your code.
Dwight
www.vividmix.com
dcook
Senior Member Joined: 31 January 2005 Location: United States Status: Offline Points: 174
The code looks good and may be valid. I am afraid that it will generate false positives because CSS is a valid form of programming.
Dwight
www.vividmix.com
sgeorge
Senior Member Joined: 23 August 2005 Status: Offline Points: 178
dcook, without revealing too much about the RegEx code that I sent you...
The "float:right" CSS rule is a commonly used statement, but the RegEx that I use avoids the typical uses of "float:right". Agreed, if we were to block all occurrences of "float:right", we would end up with an enormous amount of false positives. I can explain what the convoluted RegEx statement does and what it's supposed to do by way of PM, if you'd like. Also, I haven't experienced any false positives with that RegEx yet - but if you do, please let me know.
Stephen
sgeorge
Senior Member Joined: 23 August 2005 Status: Offline Points: 178
Just to clarify... unlike what the title of this forum topic would suggest, what we're trying to block here are not "floating DIVs".
In fact, while the example email source that gbrayut posted does have DIVs in it, none of the DIV elements use/abuse the float property. The trick to isolating this type of spam is to identify when and how the float property is abused - which, in this context, is not with DIVs.
Stephen
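As an added example (not the regex sgeorge sent around, which was never posted in this thread, and not LogSat's own code), the Python script below shows the two defensive steps this post points at: undo the quoted-printable encoding of the HTML part, then separate the text sitting inside floated inline elements (FONT in the posted source; its DIVs are never floated) from the text a reader sees in reading order. The sample input is a constructed, shortened fragment modeled on the posted message, and the threshold of five short floated fragments is an assumption to tune against your own quarantine.

```python
import quopri
import re
from html.parser import HTMLParser

# Constructed sample (not the full message from the thread): a shortened
# quoted-printable HTML fragment in the style of the posted spam source, plus
# one ordinary floated DIV that a filter must not treat as abuse.
SAMPLE_QP = (
    '<DIV><FONT face=3DArial size=3D3>Your B<FONT face=3DArial size=3D2 =\n'
    'STYLE=3D" FLOAT: right "> d </FONT>es<FONT face=3DArial size=3D2 =\n'
    'STYLE=3D" FLOAT: right "> l </FONT>t A<FONT face=3DArial size=3D2 =\n'
    'STYLE=3D" FLOAT: right "> p </FONT>vail<FONT face=3DArial size=3D2 =\n'
    'STYLE=3D" FLOAT: right "> s </FONT>ab<FONT face=3DArial size=3D2 =\n'
    'STYLE=3D" FLOAT: right "> d </FONT>le R<FONT face=3DArial size=3D2 =\n'
    'STYLE=3D" FLOAT: right "> l </FONT>at<FONT face=3DArial size=3D2 =\n'
    'STYLE=3D" FLOAT: right "> n </FONT>e</FONT></DIV>\n'
    '<DIV STYLE=3D"float: right">Legit sidebar</DIV>\n'
)

FLOAT_RE = re.compile(r'\bfloat\s*:', re.IGNORECASE)
BLOCK_TAGS = {'div', 'p', 'table', 'tr', 'td', 'hr', 'br'}  # word boundaries, never "inline"
VOID_TAGS = {'br', 'hr', 'img', 'meta'}                      # never pushed on the stack


class FloatFragmentParser(HTMLParser):
    """Split text inside floated *inline* elements (FONT, SPAN, ...) from the
    text a reader sees in document order."""

    def __init__(self):
        super().__init__()
        self.visible = []    # text outside floated inline elements
        self.fragments = []  # text inside floated inline elements
        self._stack = []     # (tag, is_floated_inline) for each open element

    def handle_starttag(self, tag, attrs):
        if tag in BLOCK_TAGS:
            self.visible.append(' ')  # a block boundary separates words
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get('style') or ''
        floated_inline = tag not in BLOCK_TAGS and bool(FLOAT_RE.search(style))
        self._stack.append((tag, floated_inline))

    def handle_endtag(self, tag):
        if tag in BLOCK_TAGS:
            self.visible.append(' ')
        # Tolerate sloppy markup: pop back to the matching open tag, if any.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        if any(floated for _, floated in self._stack):
            self.fragments.append(data)
        else:
            self.visible.append(data)


def decode_qp_html(qp_text):
    """Undo the quoted-printable transfer encoding (=3D -> =, soft line breaks)."""
    return quopri.decodestring(qp_text.encode('ascii')).decode('ascii')


def analyze(html):
    """Return the reading-order text plus counts of floated inline fragments."""
    parser = FloatFragmentParser()
    parser.feed(html)
    parser.close()
    normalized = re.sub(r'\s+', ' ', ''.join(parser.visible)).strip()
    short = [f for f in parser.fragments if len(f.strip()) <= 2]
    return {'normalized': normalized,
            'floated_fragments': len(parser.fragments),
            'short_fragments': len(short)}


def is_float_split_spam(html, min_short_fragments=5):
    """Heuristic: many floated inline elements each holding one or two characters.
    The threshold is an assumption; tune it against your own quarantine."""
    return analyze(html)['short_fragments'] >= min_short_fragments


def keyword_hits(text, keywords):
    """Case-insensitive keyword check, meant to run on the normalized text."""
    low = text.lower()
    return [k for k in keywords if k.lower() in low]


if __name__ == '__main__':
    html = decode_qp_html(SAMPLE_QP)
    result = analyze(html)
    print(result)
    print('raw keyword hits:', keyword_hits(html, ['best available']))
    print('normalized keyword hits:', keyword_hits(result['normalized'], ['best available']))
    print('float-split spam?', is_float_split_spam(html))
```

On the sample, the reading-order text comes back as "Your Best Available Rate", so a plain keyword that misses the raw source matches after normalization, while the ordinary floated DIV is left alone because only floated inline elements holding one or two characters are counted. The heuristic is the general form of what the thread describes: it does not depend on any particular domain or keyword, which is what made the keyword approach a constant update procedure.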
Alan
Groupie Joined: 06 May 2005 Location: United States Status: Offline Points: 43
Hey Sgeorge, I would love to get the code too.
Thanks.
sgeorge
Senior Member Joined: 23 August 2005 Status: Offline Points: 178
Absolutely, happy to.
I've had very good success with the keyword. After almost a month of using it, I haven't had any of my users notify me of anything like this getting through. On the false positives side of things, I rigorously check my quarantine, and over the past few weeks we've had 3 false positives. It's not 100% perfect, but it's very close to it - it's a rarity for it to catch something by mistake - but it can happen.
Stephen
vrspock
Newbie Joined: 31 May 2005 Location: United States Status: Offline Points: 16
Any chance I could get a copy of this regex as well? Thanks.
sgeorge
Senior Member Joined: 23 August 2005 Status: Offline Points: 178
No problem! Lately, I'm actually seeing 3 general spam techniques for exploiting the float property in CSS. I sent you all 3 corresponding keywords that I use to combat 'em.
Stephen
StevenJohns
Senior Member Joined: 03 August 2006 Status: Offline Points: 119
Hello SGeorge, is there any chance that I could have a copy of the regex please? I am not using any regex filters at all, and would like to get into it. Can anyone point me in the right direction? How many of you are using regex filters, and how many filters are you using? Sorry to ask so many questions, but I want to see if it's worth my time getting to grips with.
Cheers
sgeorge
Senior Member Joined: 23 August 2005 Status: Offline Points: 178
Hi StevenJohns, I just sent you the regex that I've been using for these particular techniques. Thanks for being so patient... I've been MIA from the forums for a few weeks.
In terms of filters & metrics, I'm a weird example. I use 203 non-RegEx filters; I also use 97 RegEx filters. In all, I would estimate that at any given time that I check our quarantine, about 40 of all of these filters have blocked one or more messages in our quarantine.
Stephen
StevenJohns
Senior Member Joined: 03 August 2006 Status: Offline Points: 119
Hi Stephen,
Just got your PM. Thanks.
WOW... how many keyword filters!?!?!
And yes... I would like to have a look at more filters, if you don't mind. I will PM you my email address, just in case it's easier that way.
Cheers
pierfish
Newbie Joined: 27 September 2006 Status: Offline Points: 1
Hello, can I have a copy of the regex please?
Thanks