Posted to users@spamassassin.apache.org by Mark London <mr...@psfc.mit.edu> on 2018/12/10 17:45:53 UTC
Another form of obfuscation email.
Hi - Here's another form of obfuscation spam. This time, not a porn
blackmail one. Almost the whole text is obfuscated.
https://pastebin.com/VURwmrrF
I had a high score assigned to the rule HTML_OBFUSCATE_90_100, which is
why the message got a high spam rating. By default though, that rule
is disabled (score = 0). Without that, the email would have gotten
through.
Rule T_MIXED_ES was triggered. But that rule has too many false
positives to be of any use (IMHO, from looking at my spam logs).
Thanks! - Mark
Re: Another form of obfuscation email.
Posted by John Hardin <jh...@impsec.org>.
On Mon, 10 Dec 2018, Mark London wrote:
> Hi - Here's another form of obfuscation spam. This time, not a porn
> blackmail one. Almost the whole text is obfuscated.
>
> https://pastebin.com/VURwmrrF
__UNICODE_OBFU_ASC hits that pretty well, but the FP avoidance for the
scored version was a bit too aggressive. Fixed.
> I had a high score assigned to the rule HTML_OBFUSCATE_90_100, which is why
> the message got a high spam rating. By default though, that rule is
> disabled (score = 0). Without that, the email would have gotten through.
HTML_OBFUSCATE_90_100 gets no hits in the masscheck corpus. Potentially we
should set a fixed override score for it.
I've tweaked a couple of other rules that this hit that were either
testing-only or filtered out. It should score higher soon.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
5 days until Bill of Rights day
Re: Another form of obfuscation email.
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 11 Dec 2018, at 7:52, RW wrote:
> On Mon, 10 Dec 2018 16:02:33 -0500
> Bill Cole wrote:
>
>> On 10 Dec 2018, at 14:13, RW wrote:
>>
>>> On Mon, 10 Dec 2018 12:45:53 -0500
>>> Mark London wrote:
>>>
>>>> Hi - Here's another form of obfuscation spam. This time, not a
>>>> porn blackmail one. Almost the whole text is obfuscated.
>>>>
>>>> https://pastebin.com/VURwmrrF
>>>>
>>>
>>> You say obfuscated, but it looked completely unreadable to me.
>>
>> The text/plain part is garbage, but the text/html part renders to a
>> mostly readable phish.
>
> I see it depends on the client,
Yes. For easy readability, the HTML renderer must honor styling
attributes instructing it to draw some characters inside words as
invisible and zero-width. This provides a handle for a 'rawbody' rule
and there are rules in the 'nonKAM' set that Kevin curates which catch
on that mail almost accidentally...
> this is a typical line as rendered by
> claws-mail:
>
> Ρnflе2аgѕsе Сal3ісκml Неvге tsο9 геdνіеywtv
> thіѕ а3rсt4іν5qіxtуv аndv2
> uf0ροsn νегvіfісiаtzіv9οtn, wе wfіl049l гsеmοoνеl
> а9nу
> ге2ѕittгhісt02іοoni2ѕ ρlnlас5е4d οnsz9 уοvuoгz
> ρгοfoіolе.
>
>
> SpamAssassin renders the body text similarly.
Yes, and that should provide places to hang 'body' rules for someone
with the time & skill to write them. Bayes could in principle do the
work, except for the problem of the inserts acting like crypto 'salt'
does for thwarting pre-calculated hash tables.
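As an added illustration of the two handles Bill describes (not code from this thread, from SpamAssassin, or from the nonKAM rule set), the following Python script works on constructed input. Part one extracts only the text a browser would actually draw from HTML whose inline styles hide junk characters inserted inside words, and counts those hidden inserts; that is the sort of signal a 'rawbody' rule can key on, and the recovered visible text is also what restores stable tokens for Bayes once the per-message "salt" is stripped. Part two flags words that mix Latin letters with Cyrillic or Greek ones, the homoglyph trick visible in the claws-mail rendering RW quoted. The sample HTML, the sample text and the list of styles treated as invisible are all assumptions made for the example.

```python
"""Undo and detect two mail-obfuscation tricks (constructed example).

1. Junk characters inserted inside words and hidden with inline CSS, so a
   browser shows a readable phish while text renderers see garbage.
2. Homoglyph substitution: Cyrillic/Greek letters standing in for Latin.
"""
import re
import unicodedata
from html.parser import HTMLParser

# Inline styles treated as "draws nothing" for this example. Assumed list;
# a production filter would also look at opacity, colour-on-colour, etc.
INVISIBLE_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt|em)?\b"
    r"|width\s*:\s*0(?:px)?\b",
    re.I,
)

# Void elements never wrap text, so they must not affect the nesting stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


class VisibleTextExtractor(HTMLParser):
    """Collect text a browser would draw; count hidden (styled-away) inserts."""

    def __init__(self):
        super().__init__()
        self.visible = []
        self.hidden_chunks = 0
        self._hidden_depth = 0  # how many enclosing elements are invisible
        self._stack = []        # per open element: was it invisible?

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hidden = bool(INVISIBLE_STYLE.search(style))
        self._stack.append(hidden)
        if hidden:
            self._hidden_depth += 1

    def handle_startendtag(self, tag, attrs):
        pass  # <br/> and friends carry no text

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        if self._hidden_depth:
            if data.strip():
                self.hidden_chunks += 1
        else:
            self.visible.append(data)


def extract_visible(html):
    """Return (rendered text, number of hidden non-blank inserts)."""
    p = VisibleTextExtractor()
    p.feed(html)
    p.close()
    text = re.sub(r"\s+", " ", "".join(p.visible)).strip()
    return text, p.hidden_chunks


def script_of(ch):
    """Coarse Unicode script of a letter, taken from its character name."""
    if not ch.isalpha():
        return None  # digits/punctuation carry no script
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def mixed_script_words(text):
    """Words whose letters come from more than one script (homoglyph signal)."""
    flagged = []
    for word in re.findall(r"\w+", text):
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            flagged.append(word)
    return flagged


# Constructed sample: invisible spans break "Please Confirm your account"
# into junk for anything that does not honour the styles.
SAMPLE_HTML = (
    '<html><body><p>Ple<span style="font-size:0px">2</span>ase '
    'Con<span style="display:none">3</span>firm your '
    '<span style="width:0;display:inline-block">x</span>'
    'acc<span style="font-size:0">9</span>ount<br></p></body></html>'
)

# Constructed sample: Cyrillic Er (U+0420) and Cyrillic es (U+0441) as homoglyphs.
SAMPLE_TEXT = "\u0420lease verify your a\u0441\u0441ount"

if __name__ == "__main__":
    print(extract_visible(SAMPLE_HTML))      # ('Please Confirm your account', 4)
    print(mixed_script_words(SAMPLE_TEXT))   # ['Рlease', 'aссount']
```

The mixed-script check is per word, so a genuinely bilingual message with Russian and English words side by side is not flagged; only letters from two scripts inside one token are. The invisible-style list is deliberately short and the HTML walk is naive (no stylesheet resolution), so treat both as starting points for a rule rather than as a finished detector.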
Re: Another form of obfuscation email.
Posted by RW <rw...@googlemail.com>.
On Mon, 10 Dec 2018 16:02:33 -0500
Bill Cole wrote:
> On 10 Dec 2018, at 14:13, RW wrote:
>
> > On Mon, 10 Dec 2018 12:45:53 -0500
> > Mark London wrote:
> >
> >> Hi - Here's another form of obfuscation spam. This time, not a
> >> porn blackmail one. Almost the whole text is obfuscated.
> >>
> >> https://pastebin.com/VURwmrrF
> >>
> >
> > You say obfuscated, but it looked completely unreadable to me.
>
> The text/plain part is garbage, but the text/html part renders to a
> mostly readable phish.
I see it depends on the client, this is a typical line as rendered by
claws-mail:
Ρnflе2аgѕsе Сal3ісκml Неvге tsο9 геdνіеywtv thіѕ а3rсt4іν5qіxtуv аndv2
uf0ροsn νегvіfісiаtzіv9οtn, wе wfіl049l гsеmοoνеl а9nу
ге2ѕittгhісt02іοoni2ѕ ρlnlас5е4d οnsz9 уοvuoгz ρгοfoіolе.
SpamAssassin renders the body text similarly.
Re: Another form of obfuscation email.
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 10 Dec 2018, at 14:13, RW wrote:
> On Mon, 10 Dec 2018 12:45:53 -0500
> Mark London wrote:
>
>> Hi - Here's another form of obfuscation spam. This time, not a porn
>> blackmail one. Almost the whole text is obfuscated.
>>
>> https://pastebin.com/VURwmrrF
>>
>
> You say obfuscated, but it looked completely unreadable to me.
The text/plain part is garbage, but the text/html part renders to a
mostly readable phish.
--
Bill Cole
Re: Another form of obfuscation email.
Posted by RW <rw...@googlemail.com>.
On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:
> Hi - Here's another form of obfuscation spam. This time, not a porn
> blackmail one. Almost the whole text is obfuscated.
>
> https://pastebin.com/VURwmrrF
>
You say obfuscated, but it looked completely unreadable to me.