Fixed Spam filters regard transparent text in emails as spammy

Xon

Well-known member
Affected version
2.2.2
XenForo supports [color=transparent]example[/color], which renders as "example".

However, this triggers the SpamAssassin rule:

HTML_TEXT_INVISIBLE_FONT -> HTML hidden text - word obfuscation
 
The current SpamAssassin rule appears to be looking at this regular expression:
Code:
/<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i
That is, in this case it's looking for the literal color:transparent that gets generated (or a bunch of other similar things relating to font sizes). By default, I think it also only trips if it matches at least twice.

A simple fix might be to skip rendering color=transparent sections in email at all, leaving them to only show on the forum.

A stupid fix is to take advantage of the fact that it only allows up to 80 characters after the color:transparent is found and add something like data-xenforo="user-submitted transparent tag as part of a forum post, included as-is" to the end of the tag, but that will likely only work on SpamAssassin and not on everything that looks for "transparent" text.

A more complicated fix is to render transparent text as spoilers instead, which has the benefit of making it obvious to the recipient that the text is there in the first place.
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.6).

Change log:
Do not allow transparent or system colors to be used in the color BB code.
There may be a delay before changes are rolled out to the XenForo Community.
 
Just to clarify, this is more general than just emails -- "transparent" as a [COLOR] will now be ignored, as will other system colors ("ActiveText", "HighlightText", "currentColor" etc) as they really aren't the intended/expected usage. For the general text match, we're expecting one of the standard, known colors. Allowing these was not intended/expected.

Outside of spam, it's possible that "transparent" was used as some sort of alternate spoiler system, but [ISPOILER] would be designed to cover that case.

(If you really need these colors, it should be possible to override the behavior with an add-on.)
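An added example, not XenForo's or SpamAssassin's code: a minimal Python sketch of the change described above. It filters [color] values through an allow-list and then checks the resulting HTML against the regex quoted earlier in the thread. The span markup, the function names, the short list of named colors and the sample post are all assumptions made for illustration.

```python
import html
import re

# Regex quoted in the thread for HTML_TEXT_INVISIBLE_FONT (Perl /i becomes re.I).
INVISIBLE_FONT = re.compile(
    r"""<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w""",
    re.I,
)

# Allow-list in the spirit of the fix: hex values and a constructed sample of
# ordinary named colors; "transparent" and system colors are simply not on it.
HEX_COLOR = re.compile(r"#(?:[0-9a-f]{3}|[0-9a-f]{6})", re.I)
NAMED_COLORS = {"black", "white", "red", "green", "blue", "yellow", "orange", "purple", "gray"}
COLOR_TAG = re.compile(r"\[color=([^\]]+)\](.*?)\[/color\]", re.I | re.S)


def allowed_color(value):
    value = value.strip()
    return bool(HEX_COLOR.fullmatch(value)) or value.lower() in NAMED_COLORS


def render_color_tags(bbcode, filter_colors):
    """Hypothetical renderer: the <span> markup is an assumption, not XenForo's output."""
    def replace(match):
        color, text = match.group(1).strip(), html.escape(match.group(2))
        if filter_colors and not allowed_color(color):
            return text  # tag ignored, text stays visible
        return '<span style="color: {};">{}</span>'.format(html.escape(color), text)
    return COLOR_TAG.sub(replace, bbcode)


def rule_hits(email_html):
    return len(INVISIBLE_FONT.findall(email_html))


def would_trip(email_html, min_hits=2):
    # min_hits=2 follows the poster's recollection in the thread; not a confirmed default.
    return rule_hits(email_html) >= min_hits


# Constructed sample post.
SAMPLE = ("Hi [color=transparent]hidden[/color] and [color=Transparent]again[/color], "
          "then [color=#ff0000]visible[/color].")

if __name__ == "__main__":
    for filtered in (False, True):
        body = render_color_tags(SAMPLE, filtered)
        print(filtered, rule_hits(body), would_trip(body), body)
```

Running the same check over outgoing notification HTML before it is sent shows whether a given post body would match the rule.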
 
transparent as a color is non-uncommonly used on my forums, so looks like I'll need to bundle an option into one of my add-ons for this.
 