Posted to users@spamassassin.apache.org by "John D. Hardin" <jh...@impsec.org> on 2006/12/19 23:50:28 UTC

yet another stupid spammer trick

http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				           -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
 6 days until Christmas


Re: yet another stupid spammer trick

Posted by John Rudd <jr...@ucsc.edu>.
Duncan Hill wrote:
> On Wednesday 20 December 2006 06:50, John Rudd wrote:
>> John D. Hardin wrote:
>>> http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt
>> I'm seeing a few of these today too.  In fact, at home, I've had maybe 5
>> spam messages slip through my defenses today.  That's a HUGE increase
>> for me ... I usually average 1 message every week.
>>
> 
>> 3) just the natural evolution of spam
> 
> I'm in favour of this, as I've been seeing the 'let's attack bad forms' spam
> for several months.  I've given up trying to LART the hosts of the forms, 
> they never seem to respond.  Thank $deity I'm a paranoid programmer and don't 
> trust user input for web forms :)

I wonder if there's an RBL that's collecting those addresses.

Re: yet another stupid spammer trick

Posted by Duncan Hill <sa...@nacnud.force9.co.uk>.
On Wednesday 20 December 2006 06:50, John Rudd wrote:
> John D. Hardin wrote:
> > http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt
>
> I'm seeing a few of these today too.  In fact, at home, I've had maybe 5
> spam messages slip through my defenses today.  That's a HUGE increase
> for me ... I usually average 1 message every week.
>

> 3) just the natural evolution of spam

I'm in favour of this, as I've been seeing the 'let's attack bad forms' spam
for several months.  I've given up trying to LART the hosts of the forms, 
they never seem to respond.  Thank $deity I'm a paranoid programmer and don't 
trust user input for web forms :)

Re: yet another stupid spammer trick

Posted by "John D. Hardin" <jh...@impsec.org>.
On Wed, 20 Dec 2006, John Rudd wrote:

> 6) a small score (0.5?) if the sender address contains "web" or "www".

I'd add the same check against the Received: headers.



Re: yet another stupid spammer trick

Posted by John Rudd <jr...@ucsc.edu>.
John D. Hardin wrote:
> On Tue, 19 Dec 2006, John Rudd wrote:
> 
>> John D. Hardin wrote:
>>> http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt
>> I'm seeing a few of these today too.  In fact, at home, I've had
>> maybe 5 spam messages slip through my defenses today.  That's a
>> HUGE increase for me ... I usually average 1 message every week.
> 
> Is it worth it to add some rules to score for screwed-up spams like
> this? (other headers embedded in the Subject: header)
> 

There already appears to be a "very long header" rule (HEAD_LONG).


How about rules for:

1) 2 or so points for "more than 3 :'s in any header" -> /(?:.*:){3,}/

2) 3 or so points for mime header text inside of other headers, such as:
    From: "Content-Transfer-Encoding: 7bit "@h677477.serverkompetenz.net
    To: 
    Content-Transfer-Encoding:7bit.Content-Type:text/plain.Subject:hey.bcc:

3) a small score (0.5?) for "body contains a line that looks like a 
misplaced bcc line" ->  /^bcc: /i

4) a small score (0.2?) for "body contains many email addresses in a 
row, esp. with no spacing between them".

5) a small score (0.5?) for "a text/plain message that contains 
/^Content-type: / in the body"

6) a small score (0.5?) if the sender address contains "web" or "www".

7) increase the value of "TO_CC_NONE" (0.1 to 1.0?), "TO_EMPTY" (0.1 to 
1.0?), and "HEAD_LONG" (2.5 to 3.0?)


Do those seem reasonable?  (and if someone writes them up, let me know ... )
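
The rule ideas above, as an added Python example that is not part of this thread or of SpamAssassin's own rule set: score_message applies checks 1 through 6 to a message constructed to resemble the failed injection discussed here, using the (?:.*:){3,} regex from proposal 1. Rule names, scores, the sample addresses and the www.example.invalid sender are assumptions.

```python
import re
from email import message_from_string

# Sample constructed for this example: MIME headers, a second Subject and a
# bcc list pasted into From:/Subject: by a failed injection; leftovers in body.
SAMPLE = (
    'From: "Content-Transfer-Encoding: 7bit "@www.example.invalid\n'
    "To: \n"
    "Subject: Eine eCard von Content-Transfer-Encoding:7bit."
    "Content-Type:text/plain.Subject:hey.bcc:\n"
    "Content-Type: text/plain\n"
    "\n"
    "bcc: a@example.invalid,b@example.invalid,c@example.invalid\n"
    "Content-type: text/plain\n"
    "Buy our stuff!\n"
)

# Rule names and scores are assumed, following the numbered proposals above.
HEADER_RULES = [
    ("MANY_COLONS_IN_HDR", 2.0, re.compile(r"(?:.*:){3,}")),           # 1
    ("MIME_TEXT_IN_HDR", 3.0,                                           # 2
     re.compile(r"content-(?:type|transfer-encoding):", re.I)),
]
BODY_RULES = [
    ("BODY_BCC_LINE", 0.5, re.compile(r"^bcc: ", re.I | re.M)),        # 3
    ("BODY_ADDR_RUN", 0.2,                                              # 4
     re.compile(r"(?:[\w.+-]+@[\w-]+(?:\.[\w-]+)+,?){3,}")),
]
BODY_CT_RULE = ("BODY_CT_LINE", 0.5, re.compile(r"^Content-type: ", re.I | re.M))  # 5
WEB_SENDER_RULE = ("WEB_SENDER", 0.5, re.compile(r"web|www", re.I))    # 6


def score_message(raw):
    """Return (hits, total): rule name -> score for every rule that fires."""
    msg = message_from_string(raw)
    hits = {}
    for name, value in msg.items():
        if name.lower().startswith("content-"):
            continue  # genuine MIME headers may contain these tokens
        for rule, score, rx in HEADER_RULES:
            if rx.search(value):
                hits[rule] = score
    body = "" if msg.is_multipart() else msg.get_payload()
    for rule, score, rx in BODY_RULES:
        if rx.search(body):
            hits[rule] = score
    if msg.get_content_type() == "text/plain" and BODY_CT_RULE[2].search(body):
        hits[BODY_CT_RULE[0]] = BODY_CT_RULE[1]
    if WEB_SENDER_RULE[2].search(msg.get("From", "")):
        hits[WEB_SENDER_RULE[0]] = WEB_SENDER_RULE[1]
    return hits, round(sum(hits.values()), 2)
```

Rule 6 is deliberately cheap: "web" also matches legitimate webmail senders, which is why the proposal only gives it half a point.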



Re: yet another stupid spammer trick

Posted by "John D. Hardin" <jh...@impsec.org>.
On Tue, 19 Dec 2006, John Rudd wrote:

> John D. Hardin wrote:
> > http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt
> 
> I'm seeing a few of these today too.  In fact, at home, I've had
> maybe 5 spam messages slip through my defenses today.  That's a
> HUGE increase for me ... I usually average 1 message every week.

Is it worth it to add some rules to score for screwed-up spams like
this? (other headers embedded in the Subject: header)



Re: yet another stupid spammer trick

Posted by John Rudd <jr...@ucsc.edu>.
John D. Hardin wrote:
> http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt
> 

I'm seeing a few of these today too.  In fact, at home, I've had maybe 5 
spam messages slip through my defenses today.  That's a HUGE increase 
for me ... I usually average 1 message every week.

Sort of makes me wonder if:

1) this was partially being contained by ORDB calling those sites open 
relays

2) this is a reaction to how well Botnet is doing at tracking spambots 
(but that might just be my ego being hopeful)

3) just the natural evolution of spam

4) a combination of the above


Re: yet another stupid spammer trick

Posted by Ray Anderson <rs...@rb-com.com>.
Kelson,

My apologies.  As I looked at my own reply, my response to your e-mail 
made it look like I wrote the great background information that you did 
and I just wanted to publicly give you credit for the elaborate and well 
thought out response. 

I was merely agreeing with you and posting a link with more info.

-=Ray


Ray Anderson wrote:
> This looks like a failed header injection attack.
>
> Some background: Lots of web form handlers, including the most basic 
> Perl and PHP tools, will build the headers and body of a message as 
> one long string, then pass it to Sendmail.  If a form allows 
> user-supplied data for any header content -- most often a subject, a 
> sender's name or email address -- and the form does not properly 
> sanitize the input, an attacker can add a newline to the data and 
> build up their own headers and message body.
>
> ---------------snip--------------
>
> Absolutely what I was trying to say earlier.
>
> A _great_ article on the matter is here:
>
> http://www.securephpwiki.com/index.php/Email_Injection
>
> -=Ray
>>
>

Re: yet another stupid spammer trick

Posted by "John D. Hardin" <jh...@impsec.org>.
On Tue, 19 Dec 2006, Ray Anderson wrote:

> This looks like a failed header injection attack.
> 
> Some background: Lots of web form handlers, including the most basic 
> Perl and PHP tools, will build the headers and body of a message as one 
> long string, then pass it to Sendmail.

Ah, okay, the light goes on.

That's also supported by this:

 > Received: (from www@localhost)
 > 	by pflock.pfadi.ch (8.12.11/8.12.11/Submit) id kBJMHFr4016111;
 > 	Tue, 19 Dec 2006 23:17:15 +0100 (CET)
 > 	(envelope-from www)



Re: yet another stupid spammer trick

Posted by Ray Anderson <rs...@rb-com.com>.
This looks like a failed header injection attack.

Some background: Lots of web form handlers, including the most basic 
Perl and PHP tools, will build the headers and body of a message as one 
long string, then pass it to Sendmail.  If a form allows user-supplied 
data for any header content -- most often a subject, a sender's name or 
email address -- and the form does not properly sanitize the input, an 
attacker can add a newline to the data and build up their own headers 
and message body.

---------------snip--------------

Absolutely what I was trying to say earlier.

A _great_ article on the matter is here:

http://www.securephpwiki.com/index.php/Email_Injection

-=Ray
>

Re: yet another stupid spammer trick

Posted by Kelson <ke...@speed.net>.
John D. Hardin wrote:
> http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt

> Clumsy (and stupid) people can manage to put the entire body of their message
> into the Subject: header (how they don't notice the mistake before hitting
> [SEND] I don't know), but *this* genius spammer managed to paste not only the
> spam body, but the C-T-E and C-T headers, the blind CC: list, and *two*
> different subjects into the Subject: header.

This looks like a failed header injection attack.

Some background: Lots of web form handlers, including the most basic 
Perl and PHP tools, will build the headers and body of a message as one 
long string, then pass it to Sendmail.  If a form allows user-supplied 
data for any header content -- most often a subject, a sender's name or 
email address -- and the form does not properly sanitize the input, an 
attacker can add a newline to the data and build up their own headers 
and message body.

An attacker might fill in the name field with this:

"Fakename
bcc: target addresses
Subject: Buy our stuff!

Big long sales pitch
goes on forever."

That gets plugged in, and the spammer hijacks the form to do his 
bidding.  OK, so there's some "garbage" from the original form way at 
the end, but what does he care?

The website can foil this in one of two ways:
1. Reject submissions that include newline characters in any field that 
will go in the headers.
2. Remove newline characters from any field that will go in the headers.

Solution #2 results in the entire long header being inserted into the 
subject -- just like the sample you posted.

Incidentally, "Eine eCard von" is German for "An eCard from".  If I were 
to guess, someone tried to hijack an eCard form, they used solution #2, 
and you got the "lucky" address that was actually put in the original 
"To" field.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
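
Kelson's two fixes side by side, as an added Python example (not code from this thread or from any real form handler): build_mail assembles the message the way the simple Perl/PHP handlers described above do, once naively, once with solution #2 (strip newlines) and once with solution #1 (reject), so the parsed header set shows the injected bcc: header in the first case and the whole payload crammed into one header in the second. The form fields, the ecard@example.invalid sender and the helper names are assumptions.

```python
import re
from email import message_from_string

NEWLINE = re.compile(r"[\r\n]+")

# Constructed submission: the text from the post above sits in the name
# field; every other value is made up for this example.
FORM = {
    "name": "Fakename\nbcc: victim@example.invalid\nSubject: Buy our stuff!\n\n"
            "Big long sales pitch\ngoes on forever.",
    "to": "friend@example.invalid",
    "subject": "Eine eCard von Fakename",
    "message": "Happy holidays!",
}


class HeaderInjection(ValueError):
    pass  # raised by the 'reject' strategy when a header field holds a newline


def build_mail(form, strategy):
    """Assemble the text a simple form handler would pipe to sendmail.

    "naive": the flawed pattern the post describes, fields used as-is.
    "strip": solution #2, delete newlines from fields that become headers.
    "reject": solution #1, refuse the submission instead.
    """
    hdr = {}
    for key in ("name", "to", "subject"):  # fields that end up in headers
        value = form[key]
        if strategy == "reject" and NEWLINE.search(value):
            raise HeaderInjection(f"newline in form field {key!r}")
        if strategy == "strip":
            value = NEWLINE.sub("", value)
        hdr[key] = value
    return (f"From: {hdr['name']} <ecard@example.invalid>\n"  # assumed sender
            f"To: {hdr['to']}\n"
            f"Subject: {hdr['subject']}\n"
            "\n"
            f"{form['message']}\n")


def header_names(raw):
    """Header names a parser (or the MTA) sees in the assembled message."""
    return [name.lower() for name in message_from_string(raw).keys()]


def accepts(form, strategy):
    """True when the strategy lets this submission through."""
    try:
        build_mail(form, strategy)
        return True
    except HeaderInjection:
        return False
```

With "strip" the message still goes out, just with the payload flattened into the From: line, which is the mangled-header artifact the thread started with; rejecting keeps the form from sending anything at all.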