Josh (the blog)

Hey there. I’m Josh, a SydneyCanberra-based maker of Internets. I don’t update this very often.


@joahua

1st ever Gmail spam?

In my account at least, I think.

Spam that snuck past Gmail's filtering using CSS positioning

Note that it displays perfectly and sans any word obfuscation/misspelling as is usual for these things — though I would hasten to add that anyone that follows up aforementioned spam is unlikely to have intelligence enough to avoid something with shifty spelling.

It’s achieved by embedding arbitrary characters in the middle of a word in a span element, and then floating these to the right. It’s only a two-part division at this stage, so it’s fairly trivial to break up keywords into their component parts and match either side of spans occurring in the middle of a word — hardly common in respectable markup. Even if there were more divisions, the fact that they occur without even a space either side of the element should be a giveaway.

The other notable feature is the inversion of “web!master at example dot org (remove the exclamation mark)” concept — here, they’re using it to avoid immediate blacklisting based on a reported domain.

This will in all probability be dealt with soon by people who know far more about it than I, but I thought it an interesting enough development to be worth mention, particularly in a “explaining the absurdity of their markup” sense — this constitutes, for anyone significant who reads this, absolutely no reason for reconsidering the (limited) CSS given to campaign authors as it is best dealt with at a markup level alone.

In terms of minimal impact to legitimate email, this is the only way forward — contrary to what Microsoft might have you believe with their recent brain-deadness concerning Outlook 2007′s rendering engine. (Though we’re all still guessing at the reasoning behind this, and I’m falling closer to the anti-trust separation theory than anything related to security/spam prevention, etc.)