Posted to users@spamassassin.apache.org by "Chip M." <sa...@IowaHoneypot.com> on 2010/09/20 09:48:12 UTC

application/octet-stream obfuscated JPEGs

There's a new morph from our old nuisance, the inline PNG/RTF, and
all manner of wavy image insecure-boy-drugs spammer. :(

Here's a sample:
	http://puffin.net/software/spam/samples/0009_jpg_oct.txt

It began (here) on Sep 10, and replaced his (relatively boring)
"Your wife photos attached" zipped JPEG.

This time, it has two parts.  The first is plain text, with his
often seen before anti-Bayes chunk of text from a copyright expired
book.

The second part is a new-ish spin:
an image using "application/octet-stream" as the Content Type, but
otherwise sanely constructed (i.e. it has a full filename with
".jpg", which is the ACTUAL image encoding used, unlike some of his
previous morphs).

Sadly, I've seen this particular stupid-spammer-trick before...
in ham. :(  It's rare enough, and the senders broken enough, that
some may feel comfortable penalizing this pattern (maybe a simple
test of app/oct with an image file extension?).  On the other hand,
a significant percentage of the broken mailing lists that use this,
do tend to have high value with their recipients.  A cautious score
is advisable.

On a bright note, it does have the exact same JPEG header size that
I've previously reported (623 bytes).  It also continues this
spammer's use of random (ALWAYS wrong) Realnames in the To header.
Those two tests, plus nation of origin, are my main test hits.
So far, none have snuck thru my last layers of defense.
	- "Chip"


Re: application/octet-stream obfuscated JPEGs

Posted by John Hardin <jh...@impsec.org>.
On Mon, 20 Sep 2010, Chip M. wrote:

> The second part is a new-ish spin:
> an image using "application/octet-stream" as the Content Type, but
> otherwise sanely constructed (i.e. it has a full filename with
> ".jpg", which is the ACTUAL image encoding used, unlike some of his
> previous morphs).

Dangit, I can't believe I didn't include that in my existing obfuscation 
rules. Added.

> Sadly, I've seen this particular stupid-spammer-trick before...
> in ham. :(  It's rare enough, and the senders broken enough, that
> some may feel comfortable penalizing this pattern (maybe a simple
> test of app/oct with an image file extension?).  On the other hand,
> a significant percentage of the broken mailing lists that use this,
> do tend to have high value with their recipients.  A cautious score
> is advisable.

meta it with "not mailing list". I'll review masscheck results for that 
sort of thing.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The Constitution is a written instrument. As such its meaning does
   not alter. That which it meant when adopted, it means now.
                     -- U.S. Supreme Court
                        SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
-----------------------------------------------------------------------
  88 days until TRON Legacy
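The check Chip describes (an application/octet-stream part whose filename carries an image extension, and whose bytes really are an image) combined with John's "meta it with not mailing list" gate, worked through as an added example. This is illustration code written for this thread, not SpamAssassin's own rules or anything from the sample at puffin.net; the two-part message is constructed inline, the List-Id/List-Unsubscribe/Precedence heuristic for "mailing list" is an assumption rather than a stock rule, and the 0.5 score is a placeholder for the cautious score the thread recommends.

```python
"""Detect image files shipped as application/octet-stream and suppress the
hit for mailing-list traffic. Added example; not SpamAssassin code."""
import email
from email import policy
from email.message import EmailMessage

# File extensions the thread's pattern cares about (the sample used ".jpg").
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

# Magic bytes used to confirm the payload really is an image, as Chip noted
# the ".jpg" attachment in this morph actually was.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8")


def looks_like_image(data: bytes) -> bool:
    """True if the decoded part starts with a JPEG, PNG or GIF signature."""
    return any(data.startswith(magic) for magic in IMAGE_MAGIC)


def octet_stream_image_parts(msg):
    """List (filename, payload_is_image) for every application/octet-stream
    part that carries an image file extension."""
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "application/octet-stream":
            continue
        name = part.get_filename() or ""
        if not name.lower().endswith(IMAGE_EXTS):
            continue
        payload = part.get_payload(decode=True) or b""
        hits.append((name, looks_like_image(payload)))
    return hits


def is_mailing_list(msg) -> bool:
    """Assumed 'mailing list' test: RFC 2919/2369 list headers or a
    bulk/list Precedence. This is an assumption, not a stock rule."""
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return True
    precedence = (msg.get("Precedence") or "").strip().lower()
    return precedence in ("bulk", "list")


def analyze(raw: bytes) -> dict:
    """Apply the pattern and the 'not mailing list' gate. The 0.5 score is
    a placeholder for a cautious score, not a tuned value."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = octet_stream_image_parts(msg)
    listish = is_mailing_list(msg)
    return {
        "hits": hits,
        "mailing_list": listish,
        "score": 0.5 if hits and not listish else 0.0,
    }


def build_sample(with_list_id: bool = False,
                 payload: bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 16) -> bytes:
    """Constructed two-part message shaped like the one in the thread:
    a text part plus an application/octet-stream part named *.jpg."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "Random Realname <recipient@example.invalid>"
    msg["Subject"] = "photos"
    if with_list_id:
        msg["List-Id"] = "Example list <example-list.example.invalid>"
    msg.set_content("Filler paragraph lifted from an out-of-copyright book.\n")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="photo.jpg")
    return bytes(msg)


if __name__ == "__main__":
    for label, raw in (("direct", build_sample()),
                       ("via list", build_sample(with_list_id=True)),
                       ("not an image", build_sample(payload=b"MZ\x90\x00"))):
        print(label, analyze(raw))
```

In SpamAssassin terms the same logic is a `mimeheader` subrule (MIMEHeader plugin) matching Content-Type or Content-Disposition for `application/octet-stream` with an image filename, ANDed in a `meta` with the negation of whatever list-detection subrules you already trust; the payload-magic check has no direct rule equivalent and is here to show why the filename alone is the weaker signal.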