Bug 4883 - new rules: span float obfuscation
Summary: new rules: span float obfuscation
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: unspecified
Hardware: All Linux
Importance: P3 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-29 11:10 UTC by MATSUDA Yoh-ichi
Modified: 2006-05-19 12:39 UTC



Attachment                                        Type        Status  Submitter [CLA status]
This attachment is a sample spam.                 text/plain  None    MATSUDA Yoh-ichi [NoCLA]
Obfuscation rules                                 text/plain  None    Martin Blapp [HasCLA]
Mutation. Float is now in font instead of span.   text/plain  None    Kenneth Porter [NoCLA]
Mutation: more characters between spans           text/plain  None    Kenneth Porter [NoCLA]

Description MATSUDA Yoh-ichi 2006-04-29 11:10:15 UTC
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200604.mbox/%3c20060423.153627.71087229.yoh@flcl.org%3e

Below rules are catching <span float> spams.

rawbody ___OBFUSCATING_FLOAT0 /<span style=\"border: 0px\; float/
rawbody ___OBFUSCATING_FLOAT1 /^: right\"> \w <\/span>/
meta OBFUSCATING_FLOAT ___OBFUSCATING_FLOAT0 && ___OBFUSCATING_FLOAT1 
describe OBFUSCATING_FLOAT <span style="border: 0px; float: right"> d </span>
score OBFUSCATING_FLOAT 1.5

rawbody FLOATGEOCITIES /^<A href=\"http:\/\/geocities\.com\/\w+\/\">\w+<span style=\"border: 0px\; float/
describe FLOATGEOCITIES <A href="http://geocities.com/GabicRectohoate/">V<span style="border: 0px; float
score FLOATGEOCITIES 2.0

rawbody FLOAT_A_HREF /^<A href=\"http:\/\/(www\.){0,1}\w+\.(com|net)">\w+<span style=\"border: 0px\; float/
describe FLOAT_A_HREF <A href="http://www.h75h.net">Vi<span style="border: 0px; float
score FLOAT_A_HREF 2.0

meta MULTIFLOAT99 MULTIPART_ALTERNATIVE && OBFUSCATING_FLOAT && BAYES_99
score MULTIFLOAT99 3.5

meta OBFUSGEOFLOAT OBFUSCATING_FLOAT && (FLOATGEOCITIES || FLOAT_A_HREF)
score OBFUSGEOFLOAT 3.5
Comment 1 MATSUDA Yoh-ichi 2006-04-29 11:21:14 UTC
Created attachment 3494
This attachment is a sample spam.

This attachment is a sample spam.

And, please ignore the rule "MULTIFLOAT99", it's my mistake.
Comment 2 Martin Blapp 2006-04-29 20:01:45 UTC
Created attachment 3495
Obfuscation rules

Please try out my obfu rules. I use them to catch all recent HTML obfuscation.
Comment 3 Martin Blapp 2006-05-01 11:58:58 UTC
Comment on attachment 3495
Obfuscation rules

Match the newest variants too ...

rawbody __A_HTML	/> *A *</i
rawbody __B_HTML	/> *B *</i
rawbody __C_HTML	/> *C *</i
rawbody __D_HTML	/> *D *</i
rawbody __E_HTML	/> *E *</i
rawbody __F_HTML	/> *F *</i
rawbody __G_HTML	/> *G *</i
rawbody __H_HTML	/> *H *</i
rawbody __I_HTML	/> *I *</i
rawbody __J_HTML	/> *J *</i
rawbody __K_HTML	/> *K *</i
rawbody __L_HTML	/> *L *</i
rawbody __M_HTML	/> *M *</i
rawbody __N_HTML	/> *N *</i
rawbody __O_HTML	/> *O *</i
rawbody __P_HTML	/> *P *</i
rawbody __Q_HTML	/> *Q *</i
rawbody __R_HTML	/> *R *</i
rawbody __S_HTML	/> *S *</i
rawbody __T_HTML	/> *T *</i
rawbody __U_HTML	/> *U *</i
rawbody __V_HTML	/> *V *</i
rawbody __W_HTML	/> *W *</i
rawbody __X_HTML	/> *X *</i
rawbody __Y_HTML	/> *Y *</i
rawbody __Z_HTML	/> *Z *</i
rawbody __DOLLAR_HTML	/> *\$[0-9]+ *</i

# __TM2_MISC_INVISI_COLOR is referenced below but is not defined in this attachment
meta		SCHAR_HTML_1	(__DOLLAR_HTML || __TM2_MISC_INVISI_COLOR) && (__A_HTML + __B_HTML + __C_HTML + __D_HTML + __E_HTML + __F_HTML + __G_HTML + __H_HTML + __I_HTML + __J_HTML + __K_HTML + __L_HTML + __M_HTML + __N_HTML + __O_HTML + __P_HTML + __Q_HTML + __R_HTML + __S_HTML + __T_HTML + __U_HTML + __V_HTML + __W_HTML + __X_HTML + __Y_HTML + __Z_HTML >= 5)
score		SCHAR_HTML_1		0.500
describe	SCHAR_HTML_1		Obfuscated HTML (5)

meta		SCHAR_HTML_2	(__DOLLAR_HTML || __TM2_MISC_INVISI_COLOR) && (__A_HTML + __B_HTML + __C_HTML + __D_HTML + __E_HTML + __F_HTML + __G_HTML + __H_HTML + __I_HTML + __J_HTML + __K_HTML + __L_HTML + __M_HTML + __N_HTML + __O_HTML + __P_HTML + __Q_HTML + __R_HTML + __S_HTML + __T_HTML + __U_HTML + __V_HTML + __W_HTML + __X_HTML + __Y_HTML + __Z_HTML >= 10)
score		SCHAR_HTML_2		2.000
describe	SCHAR_HTML_2		Obfuscated HTML (10)

meta		SCHAR_HTML_3	(__DOLLAR_HTML || __TM2_MISC_INVISI_COLOR) && (__A_HTML + __B_HTML + __C_HTML + __D_HTML + __E_HTML + __F_HTML + __G_HTML + __H_HTML + __I_HTML + __J_HTML + __K_HTML + __L_HTML + __M_HTML + __N_HTML + __O_HTML + __P_HTML + __Q_HTML + __R_HTML + __S_HTML + __T_HTML + __U_HTML + __V_HTML + __W_HTML + __X_HTML + __Y_HTML + __Z_HTML >= 15)
score		SCHAR_HTML_3		5.000
describe	SCHAR_HTML_3		Obfuscated HTML (15)

full		OBFU_FLOAT		/<(?:span|font)[\t\s ]+style=.{1,20}[\s\t ]*float[\s\t ]*:[\s\t ]*right"[^>]*>[^<]+<\/(?:span|font)>/i
score		OBFU_FLOAT		5.000
describe	OBFU_FLOAT		Obfuscated SPAM with float style.

full		__OBFU_SPAN_1		/<span[^>]{1,100}>[a-z]<\/span>/i
full		__OBFU_SPAN_2		/<span[^>]{1,100}>[a-z]{2}<\/span>/i
full		__OBFU_SPAN_3		/<span[^>]{1,100}>[a-z]{3}<\/span>/i
full		__OBFU_SPAN_4		/<\/span><\/a>/i
meta		OBFU_SPAN_1		(__OBFU_SPAN_1 + __OBFU_SPAN_2 + __OBFU_SPAN_3 - __OBFU_SPAN_4 == 3)
meta		OBFU_SPAN_2		(__OBFU_SPAN_1 + __OBFU_SPAN_2 + __OBFU_SPAN_3 + __OBFU_SPAN_4 == 4)
score		OBFU_SPAN_1		3.000
score		OBFU_SPAN_2		5.000
describe	OBFU_SPAN_1		Obfuscated SPAN tables
describe	OBFU_SPAN_2		Obfuscated SPAN tables with Link
Comment 4 Kenneth Porter 2006-05-01 15:19:20 UTC
Similar bugs:

bug 4868 (visibility:hidden)
bug 3139 (display:none and font size of zero or one)
bug 3661 (test type discussion)

This bug is the only one I've found that addresses obfuscation using the float
attribute.
Comment 5 Kenneth Porter 2006-05-04 16:03:47 UTC
Created attachment 3511
Mutation. Float is now in font instead of span.

Float right is now inside a font tag (size 2) instead of a span. Note that this
also has the subject line ending in "news", a strong spam sign for this
ratware.
Comment 6 Theo Van Dinter 2006-05-04 16:57:54 UTC
fwiw, there are already some rules in testing for this type of stuff, and I just
added some more this afternoon for the float thing.  all of the given samples
hit those rules.
Comment 7 Kenneth Porter 2006-05-19 10:59:43 UTC
Created attachment 3518
Mutation: more characters between spans

Not caught by TVD_SINGLE_SPAN of 20060504, which only looks for a single alpha
between span tags. That rule is:

# holy crap. ;)
# 4.686   5.5463   0.0000    1.000   1.00    0.01  TVD_SINGLE_SPAN
rawbody TVD_SINGLE_SPAN /<\/span>\s*[a-zA-Z]\s*<span\b/i
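The rules posted in the Description, in Comment 3 and in Comment 7 are Perl regexes that SpamAssassin runs over the raw (HTML still present) body, and the thread is really a record of which regex survives which ratware mutation. The script below is an added example, not code from this bug, its attachments or the SpamAssassin project: it replays those exact patterns over constructed HTML snippets that imitate the three stages described (span with float and a single letter between spans, float moved into a font tag as in Comment 5, and two or more characters between spans as in Comment 7) and prints a hit matrix. The sample bodies, the attribute order used in the font variants and the line-by-line model of rawbody matching are assumptions made for the demonstration.

```python
import re

# Constructed sample bodies (not the attachments from this bug). Each imitates
# one mutation stage discussed in the thread; the raw line break after "float"
# reproduces the wrapping that MATSUDA's two-line rawbody rules rely on.
SAMPLES = {
    # Description: span with float, one letter between consecutive spans
    "span_float": (
        '<A href="http://www.h75h.net">Vi<span style="border: 0px; float\n'
        ': right"> d </span>a<span style="border: 0px; float\n'
        ': right"> q </span>gra</a>\n'
    ),
    # Comment 5: float moved into a font tag (style= first, our assumption)
    "font_float": (
        '<A href="http://www.h75h.net">Vi<font style="border: 0px; float: right" size=2>'
        ' d </font>a<font style="border: 0px; float: right" size=2> q </font>gra</a>\n'
    ),
    # Same, but size=2 precedes style= (attribute order is our assumption)
    "font_attr_first": (
        '<A href="http://www.h75h.net">Vi<font size=2 style="border: 0px; float: right">'
        ' d </font>gra</a>\n'
    ),
    # Comment 7: two or more characters between consecutive spans
    "multi_char": (
        '<A href="http://www.h75h.net"><span style="x">V</span> ia '
        '<span style="x">gr</span> ag <span style="x">dge</span></a>\n'
    ),
}

# (name, scope, pattern, flags); patterns copied from the thread. Python's re
# accepts the Perl escapes they use (\" \; \/), so they run unchanged.
RULES = [
    ("___OBFUSCATING_FLOAT0", "rawbody", r'<span style=\"border: 0px\; float', 0),
    ("___OBFUSCATING_FLOAT1", "rawbody", r'^: right\"> \w <\/span>', 0),
    ("FLOAT_A_HREF", "rawbody",
     r'^<A href=\"http:\/\/(www\.){0,1}\w+\.(com|net)">\w+<span style=\"border: 0px\; float', 0),
    ("OBFU_FLOAT", "full",
     r'<(?:span|font)[\t\s ]+style=.{1,20}[\s\t ]*float[\s\t ]*:[\s\t ]*right"[^>]*>[^<]+<\/(?:span|font)>',
     re.I),
    ("__OBFU_SPAN_1", "full", r'<span[^>]{1,100}>[a-z]<\/span>', re.I),
    ("__OBFU_SPAN_2", "full", r'<span[^>]{1,100}>[a-z]{2}<\/span>', re.I),
    ("__OBFU_SPAN_3", "full", r'<span[^>]{1,100}>[a-z]{3}<\/span>', re.I),
    ("__OBFU_SPAN_4", "full", r'<\/span><\/a>', re.I),
    ("TVD_SINGLE_SPAN", "rawbody", r'<\/span>\s*[a-zA-Z]\s*<span\b', re.I),
]

# Meta rules from the thread, as expressions over the 0/1 hit values.
METAS = [
    ("OBFUSCATING_FLOAT",
     lambda h: h["___OBFUSCATING_FLOAT0"] and h["___OBFUSCATING_FLOAT1"]),
    ("OBFU_SPAN_1",
     lambda h: h["__OBFU_SPAN_1"] + h["__OBFU_SPAN_2"] + h["__OBFU_SPAN_3"] - h["__OBFU_SPAN_4"] == 3),
    ("OBFU_SPAN_2",
     lambda h: h["__OBFU_SPAN_1"] + h["__OBFU_SPAN_2"] + h["__OBFU_SPAN_3"] + h["__OBFU_SPAN_4"] == 4),
]


def evaluate(raw_body):
    """Return {rule_name: 0 or 1} for every rule and meta.

    Simplified model of SpamAssassin matching: 'full' patterns see the whole
    text, 'rawbody' patterns are tried line by line (SpamAssassin's real
    chunking differs), and a rule contributes 1 to a meta however many times
    its pattern matches, because a hit is counted once per message.
    """
    lines = raw_body.split("\n")
    hits = {}
    for name, scope, pattern, flags in RULES:
        rx = re.compile(pattern, flags)
        if scope == "full":
            hits[name] = int(rx.search(raw_body) is not None)
        else:
            hits[name] = int(any(rx.search(line) for line in lines))
    for name, expr in METAS:
        hits[name] = int(bool(expr(hits)))
    return hits


def hit_matrix():
    """Which rule survives which mutation: {sample: {rule: 0/1}}."""
    return {sample: evaluate(text) for sample, text in SAMPLES.items()}


if __name__ == "__main__":
    shown = ["OBFUSCATING_FLOAT", "FLOAT_A_HREF", "OBFU_FLOAT",
             "OBFU_SPAN_1", "OBFU_SPAN_2", "TVD_SINGLE_SPAN"]
    print(f"{'sample':16}" + "".join(f"{r[:15]:>16}" for r in shown))
    for sample, hits in hit_matrix().items():
        print(f"{sample:16}" + "".join(f"{hits[r]:>16}" for r in shown))
```

Running it shows the pattern the thread describes: the two-line rawbody pair behind OBFUSCATING_FLOAT and the FLOAT_A_HREF rule hit only the original span layout; OBFU_FLOAT also covers the font variant, but only when `style=` is the first attribute after the tag name, because `[\t\s ]+style=` allows nothing but whitespace between them, so a `<font size=2 style=...>` ordering slips past it; TVD_SINGLE_SPAN fires on a one-letter gap and misses the two-letter gaps of Comment 7, while OBFU_SPAN_2 fires on that sample because each of its four sub-rules counts once and all four are present.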
Comment 8 Theo Van Dinter 2006-05-19 15:05:06 UTC
(In reply to comment #7)
> Not caught by TVD_SINGLE_SPAN of 20060504, which only looks for a single alpha
> between span tags. That rule is:

it is, however, caught by TVD_SINGLE_SPAN_DIV :)
Comment 9 Kenneth Porter 2006-05-19 16:21:46 UTC
Ah, I need to update to your latest sandbox, then! ;)

For lurkers, here's the place to get the aforementioned rule:

http://svn.apache.org/repos/asf/spamassassin/rules/trunk/sandbox/felicity/70_other.cf
Comment 10 Theo Van Dinter 2006-05-19 19:39:03 UTC
(In reply to comment #9)
> Ah, I need to update to your latest sandbox, then! ;)
> 
> For lurkers, here's the place to get the aforementioned rule:
> 
> http://svn.apache.org/repos/asf/spamassassin/rules/trunk/sandbox/felicity/70_other.cf

or you can just run sa-update.  btw, responding to an old, resolved, ticket isn't the way to go for this stuff 
usually.