filter evasion

[John McCain]

On Thursday 06 November 2003 07:09 pm, David Relson wrote:
> ### here's my very simple test message ###
>
> [relson at osage src]$ cat msg.html.1106.html
> Content-Type: text/html
>
> sp<!ham>am
>
> ### and here's what bogolexer thinks of it ###
>
> [relson at osage src]$ bogolexer -p < msg.html.1106.html
> head:Content-Type
> head:text
> head:html
> spam

Forgive me if we've been over this, but it seems I am having trouble getting 
my point across.

Ok.  <!this_is_an_html_comment> </this_is_an_invalid_html_closing_tag>
Html parsers, such as those in e-mail readers, will disregard an invalid html 
closing tag.  Therefore, they can functionally work as comments even though 
bogofilter doesn't regard them as such.

So, if I am Evil Spammer, and I am trying to use the word "ham" in non-eyeball 
space to confuse bogofilter, I can do this:

sp</ham>am

Try your test as above, except replace the bang (!) with a foward slash (/), 
transforming it from a comment into an html closing tag.