
Catching Floating DIV spam

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5668
Printed Date: 05 February 2025 at 5:00pm


Topic: Catching Floating DIV spam
Posted By: gbrayut
Subject: Catching Floating DIV spam
Date Posted: 15 June 2006 at 3:21pm
I have been having a significant amount of spam in recent weeks that gets past keyword filters by breaking words into sections using floating DIVs. I have been looking for a way to catch them using regex filters, but have not been able to find an expression that works. Does anyone have advice on how to catch these emails?


Message-ID: <000001c69070$936d5270$1867a8c0@esj85>
Reply-To: "Socorro Lard" <lardsoco@hamiltonlaw.net>
From: "Socorro Lard" <lardsoco@hamiltonlaw.net>
To: info@*****
Subject: iieir Rfinnance
Date: Thu, 15 Jun 2006 04:41:01 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
     boundary="----=_NextPart_000_0001_01C69035.E7133560"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <lardsoco@hamiltonlaw.net>
X-SF-HELO-Domain: hamiltonlaw.net

This is a multi-part message in MIME format.

------=_NextPart_000_0001_01C69035.E7133560
Content-Type: text/plain;
     charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi,
=20
Your B d es l t A p vail s ab d le R l at n e - vi a si u t w d eb s i
ite <http://koterp.com/n/>=20
=20
$ 2 i 00,00 j 0 fo j r o g nly $82 z 7 mon i th
$ 30 f 0,0 h 00 f z or on r ly $89 t 7 m t onth
$ 4 c 00,0 s 00 f w or onl w y $95 v 7 mo x nth
$ 50 c 0,00 u 0 f s or o r nly $10 f 07 m h onth
=20
Ba q d C c re p di s t O t K
=20
_____ =20

you at the journeys end! That is the polite thing to say among eagles.
May the wind under your wings bear you where the sun sails and the moon
walks, answered Gandalf, who knew the correct reply. And so they
parted. And though the lord of the eagles became in after days the King


------=_NextPart_000_0001_01C69035.E7133560
Content-Type: text/html;
     charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV>Hi,</DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D3>Your B<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> d </FONT>es<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> l </FONT>t A<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> p </FONT>vail<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> s </FONT>ab<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> d </FONT>le R<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> l </FONT>at<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> n </FONT>e - <A =
href=3D"http://koterp.com/n/">vi<FONT face=3DArial size=3D2 STYLE=3D" =
FLOAT: right "> a </FONT>si<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: =
right "> u </FONT>t w<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right =
"> d </FONT>eb s<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right "> i =
</FONT>ite</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D4>$ 2<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> i </FONT>00,00<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> j </FONT>0 fo<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> j </FONT>r o<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> g </FONT>nly $82<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> z </FONT>7 mon<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> i </FONT>th</FONT></DIV>
<DIV><FONT face=3DArial size=3D4>$ 30<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> f </FONT>0,0<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> h </FONT>00 f<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> z </FONT>or on<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> r </FONT>ly $89<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> t </FONT>7 m<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> t </FONT>onth</FONT></DIV>
<DIV><FONT face=3DArial size=3D4>$ 4<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> c </FONT>00,0<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> s </FONT>00 f<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> w </FONT>or onl<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> w </FONT>y $95<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> v </FONT>7 mo<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> x </FONT>nth</FONT></DIV>
<DIV><FONT face=3DArial size=3D4>$ 50<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> c </FONT>0,00<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> u </FONT>0 f<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> s </FONT>or o<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> r </FONT>nly $10<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> f </FONT>07 m<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> h </FONT>onth</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D4>Ba<FONT face=3DArial size=3D2 STYLE=3D" =
FLOAT: right "> q </FONT>d C<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: =
right "> c </FONT>re<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right =
"> p </FONT>di<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right "> s =
</FONT>t O<FONT face=3DArial size=3D2 STYLE=3D" FLOAT: right "> t =
</FONT>K</DIV>
<DIV> </DIV>
<HR>
<DIV><FONT face=3DArial size=3D2>you at the journeys end! That is the =
polite thing to say among eagles.<BR>
May the wind under your wings bear you where the sun sails and the =
moon<BR>
walks, answered Gandalf, who knew the correct reply. And so they<BR>
parted. And though the lord of the eagles became in after days the =
King<BR></FONT></DIV></BODY></HTML>
------=_NextPart_000_0001_01C69035.E7133560--


-------------
--
Greg Bray
IT Manager
OQ Measures LLC



Replies:
Posted By: Marcus
Date Posted: 15 June 2006 at 4:39pm

Usually I target the URL in something like you have listed:

ite <http://koterp.com/n/>=20

(\bkoterp\.com\b)

stops anything with a link to that domain



Posted By: sgeorge
Date Posted: 29 June 2006 at 2:20pm
It can be really tough to keep up on the latest web site they use in this type of spam.  Since they send the only email that I ever notice with inline html elements (besides IMG) that have a float property, I made a RegExp that seems to be very effective at catching this stuff.  gbrayut, I sent it to you via PM (I wouldn't want them to get ahead of me again now that I'm catching 'em).

Stephen


Posted By: mikek
Date Posted: 30 June 2006 at 2:17am
sgeorge: I'd be happy if you sent me this regex as well! Thanks!



Posted By: sgeorge
Date Posted: 04 July 2006 at 1:40pm
No problem, I sent it over to you.  Happy 4th!

Stephen


Posted By: Marcus
Date Posted: 06 July 2006 at 3:39pm

sgeorge is correct - it is a constant update procedure to keep up.

sgeorge: could I possibly take a peek at your regex?

Marcus



Posted By: sgeorge
Date Posted: 10 July 2006 at 9:40am
Sure thing, I pm'd ya.

Stephen


Posted By: dcook
Date Posted: 10 July 2006 at 1:35pm
Thanks for not posting it in the forum -- please send me a copy of your regex

Dwight


-------------
Dwight
www.vividmix.com


Posted By: sgeorge
Date Posted: 10 July 2006 at 2:38pm
Hmm, I'm trying to tell if you're being sarcastic there.

Anywho, I pm'd you the RegEx.  (I don't post it publicly because I like to avoid the chance that spammers may obtain keywords we use for blocking their messages)

Stephen


Posted By: dcook
Date Posted: 10 July 2006 at 2:50pm
No I'm serious -- why give the spammers a clue as to how you are looking for their content!  Thanks for your code.

-------------
Dwight
www.vividmix.com


Posted By: dcook
Date Posted: 10 July 2006 at 3:10pm
The code looks good and may be valid.  I am afraid that it will generate false positives because CSS is a valid form of programming.
  1. How about specifically looking for floating letters
  2. Or count the number of floating DIVs (i.e. more than two floating DIVs = spam)
I'm not a regex wizard -- so I bow to you experts. I just wanted to post the ideas.


-------------
Dwight
www.vividmix.com


Posted By: sgeorge
Date Posted: 10 July 2006 at 5:19pm
dcook, without revealing too much about the RegEx code that I sent you...

The "float:right" CSS rule is a commonly-used statement, but the RegEx that I use avoids the typical uses of "float:right".  Agreed, if we were to block all occurrences of "float:right", we would end up with an enormous amount of false positives.

I can explain what the convoluted RegEx statement does and what it's supposed to do by way of PM, if you'd like.  Also, I haven't experienced any false positives with that RegEx yet - but if you do, please let me know.

Stephen


Posted By: sgeorge
Date Posted: 12 July 2006 at 11:21am
Just to clarify... unlike what the title of this forum topic would suggest, what we're trying to block here are not "floating DIVs".

In fact, while the example email source that gbrayut posted does have DIVs in it, none of the DIV elements use/abuse the float property.  The trick to isolating this type of spam is to identify when and how the float property is abused - which, in this context, is not with DIVs.

Stephen
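
The two heuristics dcook proposed above (look for floated single letters; count the floated elements) together with sgeorge's point that the float is on inline FONT elements rather than on DIVs, as an added example in Python that is not from this thread and not part of LogSat's Spam Filter ISP. It decodes the quoted-printable text/html part, separates the text inside floated inline elements from the text a reader actually sees, and applies both checks; it also recovers the reading-order text so an ordinary keyword filter can be run over it, which a single regex on the raw source cannot do. The sample input is a trimmed fragment of the message gbrayut posted; the benign sample, the INLINE_TAGS set, the threshold of two floats and the keyword list are assumptions of this example.

```python
import quopri
import re
from html.parser import HTMLParser

# Constructed sample: the first obfuscated line of the quoted-printable text/html
# part from the message posted above, trimmed so the block runs offline.
SAMPLE_QP = b"""<DIV><FONT face=3DArial size=3D3>Your B<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> d </FONT>es<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> l </FONT>t A<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> p </FONT>vail<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> s </FONT>ab<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> d </FONT>le R<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> l </FONT>at<FONT face=3DArial size=3D2 =
STYLE=3D" FLOAT: right "> n </FONT>e</FONT></DIV>
"""

# Constructed benign sample: a single legitimate float, as a newsletter might use.
BENIGN_HTML = b'<DIV><SPAN STYLE="float:right">Page 1</SPAN>Hello</DIV>'

# Assumed set of inline tags; a float on one of these is what the spam abuses.
INLINE_TAGS = {"font", "span", "a", "b", "i", "u", "em", "strong", "small", "big"}
VOID_TAGS = {"br", "hr", "img", "meta", "link", "input"}
FLOAT_RE = re.compile(r"float\s*:\s*(left|right)", re.IGNORECASE)


class FloatStripper(HTMLParser):
    """Collects the text of floated inline elements separately from the
    text that remains in normal reading order."""

    def __init__(self):
        super().__init__()
        self._stack = []      # one bool per open tag: is this element floated?
        self.floated = []     # text of each outermost floated inline element
        self._visible = []    # text outside any floated element
        self._current = None  # buffer while inside a floated element

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        floated = tag in INLINE_TAGS and FLOAT_RE.search(style) is not None
        self._stack.append(floated)
        if floated and self._current is None:
            self._current = []

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        was_floated = self._stack.pop()
        if was_floated and not any(self._stack):
            self.floated.append("".join(self._current).strip())
            self._current = None

    def handle_data(self, data):
        if self._current is not None:
            self._current.append(data)
        else:
            self._visible.append(data)

    def visible_text(self):
        # Collapse whitespace; floated fragments are already excluded.
        return " ".join("".join(self._visible).split())


def analyze_html_part(qp_bytes, max_floats=2):
    """Decode a quoted-printable text/html part and report how float is used.
    'suspicious' is true when any floated element holds a single character
    (dcook's floating-letter idea) or when more than max_floats elements are
    floated (his count idea); max_floats=2 is an assumed threshold."""
    html = quopri.decodestring(qp_bytes).decode("us-ascii", errors="replace")
    parser = FloatStripper()
    parser.feed(html)
    parser.close()
    single_chars = [f for f in parser.floated if len(f) == 1]
    return {
        "floated_count": len(parser.floated),
        "single_char_floats": len(single_chars),
        "visible_text": parser.visible_text(),
        "suspicious": len(parser.floated) > max_floats or bool(single_chars),
    }


def keyword_hits(text, keywords):
    """Run a plain keyword list over the recovered reading-order text."""
    lowered = text.lower()
    return [k for k in keywords if k in lowered]


if __name__ == "__main__":
    report = analyze_html_part(SAMPLE_QP)
    print(report)
    print(keyword_hits(report["visible_text"], ["available rate", "bad credit"]))
    print(analyze_html_part(BENIGN_HTML))
```

On the sample, seven floated single letters are found and the recovered text reads "Your Best Available Rate", so a keyword that the raw source never contains as a contiguous string now matches; the benign sample has one floated span of normal length and is left alone, which is the false-positive case dcook was worried about. The single-character check is the more specific of the two signals; the count alone would still flag some legitimate mail with several floats.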


Posted By: Alan
Date Posted: 19 July 2006 at 2:39pm
Hey Sgeorge, I would love to get the code too.
Thanks.


Posted By: sgeorge
Date Posted: 19 July 2006 at 5:19pm
Absolutely, happy to.

I've had very good success with the keyword.  After almost a month of using it, I haven't had any of my users notify me of anything like this getting through.

On the false positives side of things, I rigorously check my quarantine, and over the past few weeks we've had 3 false positives.  It's not 100% perfect, but it's very close to it - it's a rarity for it to catch something by mistake - but it can happen.

Stephen


Posted By: vrspock
Date Posted: 26 July 2006 at 11:26pm

any chance I could get a copy of this regex as well?  Thanks.



Posted By: sgeorge
Date Posted: 27 July 2006 at 10:15am
No problem!  Lately, I'm actually seeing 3 general spam techniques for exploiting the float property in CSS.  I sent you all 3 corresponding keywords that I use to combat 'em.

Stephen


Posted By: StevenJohns
Date Posted: 31 August 2006 at 5:32am

SGeorge,

Hello, Is there any chance that I could have a copy of the regex please?

I am not using any regex filters at all, and would like to get into it. Can anyone point me in the right direction? How many of you are using regex filters and how many filters are you using?

Sorry to ask so many questions, but I want to see if it's worth my time getting to grips with.


Cheers



Posted By: sgeorge
Date Posted: 19 September 2006 at 2:58pm
Hi StevenJohns, I just sent you the regex that I've been using for these particular techniques.  Thanks for being so patient... I've been MIA from the forums for weeks.

In terms of filters & metrics, I'm a weird example.  I use 203 non-RegEx filters; I also use 97 RegEx filters.  In all, I would estimate at any given time that I check our quarantine, about 40 of all of these filters have blocked one or more messages in our quarantine.

Stephen


Posted By: StevenJohns
Date Posted: 19 September 2006 at 3:04pm

Hi Stephen,

Just got your PM. Thanks.

WOW... how many keyword filters!?!?!

And yes, I would like to have a look at more filters, if you don't mind. I will PM you my email address, just in case it's easier that way.

Cheers



Posted By: pierfish
Date Posted: 27 September 2006 at 5:56am

Hello, can I have a copy of the regex please?

Thanks



