filter evasion

David Relson relson at osagesoftware.com
Fri Nov 7 17:19:57 CET 2003


On Fri, 7 Nov 2003 09:43:02 -0600
John McCain <jmccain at layer3al.com> wrote:

> On Thursday 06 November 2003 07:09 pm, David Relson wrote:

> Forgive me if we've been over this, but it seems I am having trouble
> getting my point across.
> 
> Ok.  <!this_is_an_html_comment> </this_is_an_invalid_html_closing_tag>
> Html parsers, such as those in e-mail readers, will disregard an
> invalid html closing tag.  Therefore, they can functionally work as
> comments even though bogofilter doesn't regard them as such.

John,

How are correct vs incorrect closing tags relevant to this problem?  The
problem is that the message has "Content-Type: text/plain" while it
contains html.  The mailer is lying about message content and violating
the standards.  Bogofilter is following the standard and processing the
message in accordance with the Content-Type directive.

Bogofilter ignores the innards of most html tags (with IMG, A, FONT,
HREF being the exceptions).  Invalid closing tags don't affect it. 
If you have spam with "Content-Type: text/html" and bogofilter is being
confused by invalid closing tags, please share it with us.  


> So, if I am Evil Spammer, and I am trying to use the word "ham" in
> non-eyeball space to confuse bogofilter, I can do this:
> 
> sp</ham>am
> 
> Try your test as above, except replace the bang (!) with a forward
> slash (/), transforming it from a comment into an html closing tag.

Below are the results of testing with bang replaced by slash.  I see no
problem.

[relson@osage src]$ cat msg.html.1106.html
Content-Type: text/html

sp</ham>am

[relson@osage src]$ bogolexer -p < msg.html.1106.html
head:Content-Type
head:text
head:html
spam
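
A simplified model of the behaviour discussed in this thread, added here as an illustration; it is not bogofilter's lexer and not code from the original post. The regexes, the function names and the way a text/plain body is tokenized are assumptions of this model; the sample messages are constructed from the one shown above.

```python
import re

# Assumed patterns for this model: any <...> tag (opening, closing, unknown
# or invalid) and <!...> comment-style constructs count as markup.
TAG = re.compile(r"<!--.*?-->|</?[A-Za-z!][^<>]*>", re.DOTALL)
WORD = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*")
CTYPE = re.compile(r"^content-type:\s*([\w.+-]+/[\w.+-]+)", re.I | re.M)


def declared_type(header: str) -> str:
    """Return the declared media type; RFC 2045 defaults to text/plain."""
    m = CTYPE.search(header)
    return m.group(1).lower() if m else "text/plain"


def tokenize(message: str) -> list[str]:
    """Tokenize a single-part message according to its declared Content-Type."""
    header, _, body = message.partition("\n\n")
    tokens = ["head:" + w for w in WORD.findall(header)]
    if declared_type(header) == "text/html":
        # Delete markup outright, inserting no separator, so text split by a
        # tag is rejoined before tokenizing: sp</ham>am -> spam.
        body = TAG.sub("", body)
    # Under text/plain the markup is ordinary text, so in this model the tag
    # name itself becomes a token and the surrounding word stays split.
    return tokens + WORD.findall(body)


# Constructed sample messages based on the one in the post.
AS_HTML = "Content-Type: text/html\n\nsp</ham>am\n"
AS_PLAIN = "Content-Type: text/plain\n\nsp</ham>am\n"
COMMENT = "Content-Type: text/html\n\nsp<!ham>am\n"

if __name__ == "__main__":
    for msg in (AS_HTML, AS_PLAIN, COMMENT):
        print(tokenize(msg))
```
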



