Bug 1934 - Catch repeated obfuscating comments
Summary: Catch repeated obfuscating comments
Status: RESOLVED WONTFIX
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules (show other bugs)
Version: 2.54
Hardware: Other other
: P5 enhancement
Target Milestone: Future
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard: needs code
Keywords:
Depends on:
Blocks:
 
Reported: 2003-05-20 12:42 UTC by chris
Modified: 2021-04-18 09:39 UTC (History)
1 user (show)



Attachment Type Modified Status Actions Submitter/CLA Status

Note You need to log in before you can comment on or make changes to this bug.
Description chris 2003-05-20 12:42:44 UTC
# Notes: 6 is an aribitrary number.  Less may work better
# Also, if false positives, we might want to pair this with OBFUSCATING_COMMENT
# in a meta test, but I don't think it's needed

rawbody		RepeatedComment		/<\!([^>]*)>.+<\!\1>.+<\!\1>.+<\!
\1>.+<\!\1>.+<\!\1>/is
score		RepeatedComment 	2
describe	RepeatedComment 	Same HTML comment was repeated 6+ times
Comment 1 Daniel Quinlan 2003-05-20 16:38:06 UTC
Subject: Re: [SAdev]  New: Catch repeated obfuscating comments

> Notes: 6 is an aribitrary number.  Less may work better Also, if false
> positives, we might want to pair this with OBFUSCATING_COMMENT in a
> meta test, but I don't think it's needed

Very interesting idea!  We should also try putting some perl code to
catch repeated comments in HTML.pm.  Try both repeated in sequence and
repeated throughout the entire message.  It will probably be cheaper and
perhaps more accurate than using a backtracking rawbody test.

Daniel

Comment 2 chris 2003-05-20 17:00:27 UTC
I suppose we should remove the !s from my test, to fit with the new style 
spams I have seen that format comments <like this>.

Also, I like the idea of coding this test in the Perl code.

Other ideas are to count one-long-word comments, or comments with random non-
letter characters in them.
Comment 3 Daniel Quinlan 2005-03-30 01:08:26 UTC
move bug to Future milestone (previously set to Future -- I hope)
Comment 4 Henrik Krohns 2021-04-18 09:39:25 UTC
Checked this out for fun. Doesn't make any sense with todays HTML mail. Closing.