| View previous topic :: View next topic |
| Author |
Message |
denn988
Guest
IP: 66.44.*.*
|
 Posted: Sat Dec 13, 2003 6:28 pm Post subject: Filter for 'white' fonts in msg |
|
|
This might help with another trick the Spammer uses. The trick that I am talking about is the use of 'white' or very light colored fonts to prevent random tracking test from appearing when an HTML message is translated.
| Code: | | <[^>]*?font [^>]*? color=(3D)?["]?(white|#(F[6-8A-F]){3})["?](?# very light colored fonts ) |
his filter will fire whenever the msg changes the font color to white or if they try to use color numbers to change to a very light font color.
These color codes are expressed as RGB using two HEX digits for each color (256 shades per color).
Example colors using this method are:- #000000 =BLACK
- #FF0000 =RED
- #00FF00 =GREEN
- #0000FF =BLUE
- #FFFF00 =YELLOW
- #00FFFF =CYAN
- #FF00FF =MAGENTA
- #FFFFFF =WHITE
The filter will look for any color that has a value of at least F6 (246 DECIMAL) for all three primary RGB colors.
Examples:- #FFFFEF FALSE
- #FFFFFE TRUE
- #FEFEF6 TRUE
- #FEFEF5 FALSE
- #F6F6F6 TRUE
- #F5F6F6 FALSE
The filter, as written, does not look at the background color that the message is using...so there is a possibility that the background of a message could be made dark, and then light lettering could be used.
Most of the legitimate reasons for doing something like that are for company logos....which are usually sent as an image (including text).
While there might be a small chance that a legitimate e-mail my be trapped by this filter....almost all instances that would fire this filter are very strong indicators of SPAM.
Have fun with the filter.....
|
|
| Back to top |
|
 |
denn988
Guest
IP: 66.44.*.*
|
| Posted: Sat Dec 13, 2003 7:11 pm Post subject: |
|
|
To give you a better example of the colors it will trap:
The above should give you a general idea.
|
|
| Back to top |
|
|
Ikeb
Special Response Team
Forums Admin
Joined: Apr 20, 2003
Posts: 16535
|
| Posted: Sat Dec 13, 2003 9:36 pm Post subject: Re: Filter for 'white' fonts in msg |
|
|
| denn988 wrote: | This might help with another trick the Spammer uses. The trick that I am talking about is the use of 'white' or very light colored fonts to prevent random tracking test from appearing when an HTML message is translated.
| Code: | | <[^>]*?font [^>]*? color=(3D)?["]?(white|#(F[6-8A-F]){3})["?](?# very light colored fonts ) |
|
Thanks for this one Denn988. I've been meaning to look into this SPAMer trick since they like to use it to hide "nice" words, links etc. in the hopes of disquising their "bad" words, links, etc. from filters, especially the Bayesian variety. Again you save me some time!
BTW there are other "common" light colour words besides "white" that could also hide words, links, etc. no?
Also, why are you excluding F9 if F6 - F8 and FA - FF are considered light colours? Shouldn't the regex be:
| Code: | | <[^>]*?font [^>]*? color=(3D)?["]?(white|#(F[6-9A-F]){3})["?](?# very light colored fonts ) |
Anyway, thanks again for this filter!
|
|
| Back to top |
|
|
Ikeb
Special Response Team
Forums Admin
Joined: Apr 20, 2003
Posts: 16535
|
| Posted: Sat Dec 13, 2003 9:47 pm Post subject: |
|
|
| denn988 wrote: | To give you a better example of the colors it will trap:
--- table snipped to save pixels----
The above should give you a general idea. |
A couple of points:
I know this comment doesn't reflect my gratitude for having some reference point but having the code for each displayed colour would help. Sure I can check the codes by clicking the quote button but then I can't see the colour. .... only if you have the time though.... 
When I look at the colours and what is trapped, it seems to me that the threshold could be moved up a notch.... say to F0 or even E0? Then again an E0E0E0 would be a lot darker than an E0FFFF. Also the font size, type, etc. could make a difference. Thoughts?
|
|
| Back to top |
|
|
denn988 vs. Ikeb
Guest
IP: 66.44.*.*
|
|
| Back to top |
|
|
denn988
Guest
IP: 66.44.*.*
|
| Posted: Sat Dec 13, 2003 11:13 pm Post subject: |
|
|
Ikeb,
By all means...set the thresholds to whatever level you desire...
By the way....that should have been a 9 in the code instead of an 8....Thanks for pointing that out.
| Code: | | <font [^>]*? color=(3D)?["]?(white|#(F[6-9A-F]){3})["?](?# very light colored fonts ) |
|
|
| Back to top |
|
|
denn988
Guest
IP: 66.44.*.*
|
| Posted: Sun Dec 14, 2003 1:13 am Post subject: |
|
|
By the way....that is a 'space' between the [^>]? and the color= ....
Just wanted to make sure that was understood. You want the filter to fire on ' color' and NOT on 'bgcolor'.
|
|
| Back to top |
|
|
Ikeb
Special Response Team
Forums Admin
Joined: Apr 20, 2003
Posts: 16535
|
| Posted: Sun Dec 14, 2003 3:52 am Post subject: |
|
|
| denn988 wrote: | By the way....that is a 'space' between the [^>]? and the color= ....
Just wanted to make sure that was understood. You want the filter to fire on ' color' and NOT on 'bgcolor'. |
Hehe. Can't forget about bgcolor..... 'Tis another kettle of fish altogether! 
|
|
| Back to top |
|
|
Ikeb
Special Response Team
Forums Admin
Joined: Apr 20, 2003
Posts: 16535
|
|
| Back to top |
|
|
denn988 vs. Ikeb
Guest
IP: 66.44.*.*
|
|
| Back to top |
|
|
Ikeb
Special Response Team
Forums Admin
Joined: Apr 20, 2003
Posts: 16535
|
|
| Back to top |
|
|
Ghol
Trooper
Joined: Dec 14, 2003
Posts: 14
Location: Germany
|
| Posted: Sun Dec 14, 2003 4:13 pm Post subject: |
|
|
I'm new to all thisREgExpr stuff, and tried to use the above filter on this HTML: <FONT color=3D#ffffff size=3D2>, but it didn't work until I changed the ["?] to ["]?. Not sure I understand why...
|
|
| Back to top |
|
|
IP: 66.44.*.*
Guest
|
| Posted: Sun Dec 14, 2003 4:56 pm Post subject: |
|
|
| Ghol wrote: | | I'm new to all thisREgExpr stuff, and tried to use the above filter on this HTML: <FONT color=3D#ffffff size=3D2>, but it didn't work until I changed the ["?] to ["]?. Not sure I understand why... |
You may be new...but you did find a mistake in my code.
The part of the expression that reads ["?] would mean that the RegExp is looking for either a " or a ? At least one of them must be present for the expression to be true. That was not what I wanted.
As corrected by you, the ["]? in the expression is looking for a " but it does not have to be there.
That is what I thought I had written...but my eyballs have been getting worse with each passing year. (I think my wife's blindness may be contagious).
The correct RegRxp should read:
| Code: | | <font [^>]*? color=(3D)?["]?(white|#(F[6-9A-F]){3})["]?(?# very light colored fonts ) |
in fact....you could also do the following with no ill effects:
| Code: | | <font [^>]*? color=(3D)?["]?(white|#(F[6-9A-F]){3})(?# very light colored fonts ) |
Thanks for having good troubleshooting skills, Ghol...and for pointing it out... 
|
|
| Back to top |
|
|
Ghol
Trooper
Joined: Dec 14, 2003
Posts: 14
Location: Germany
|
| Posted: Sun Dec 14, 2003 5:04 pm Post subject: |
|
|
Yes, I also guessed there is no need to include the second set of inverted commas.
Would you believe it, I got my first "hit" with the filter just 20 minutes ago, almost immediately after putting it in place!
As I analysed the HTML in an editor, I realised you could surely couple the light colour filter with a darker "bgcolor" filter, so that it wouldn't fire if the background made the text legible....
i.e. If the filter registered (previous to the lighter text) the presence of something approaching bgcolor=#000000, it would allow it through.
|
|
| Back to top |
|
|
denn988
Guest
IP: 66.44.*.*
|
|
| Back to top |
|
|
|
|
Forum FAQ
Search
Usergroups
Profile
Login to check your private messages
Login
