Posted to users@spamassassin.apache.org by Bret Miller <br...@wcg.org> on 2006/05/12 15:59:04 UTC

So, when do we start handling [dot] in a URI

Seems spammers have taken up to doing what many of us have in posting
e-mail addresses, putting [dot] instead of the . in the URL and telling
people to replace it like this:

Welcome!

[E]rectile
[D]ysfunction?

We can help! Our site: ochhorfando[dot]com ;) Don't forget to replace
"[dot]" to "."

Spam sample here: http://webmail.wcg.org/~support/15292-P.txt

Maybe time to start working on the URI parser to catch baddomain.com and
baddomain[dot]com and probably other variations (dot), -dot-, {dot}, and
whatever else you might think they'd use to delimit the dot.

Bret




Re: So, when do we start handling [dot] in a URI

Posted by Kai Schaetzl <ma...@conactive.com>.
Bart Schaefer wrote on Fri, 12 May 2006 15:53:43 -0700:

> (1) Website maintainer uses technique X to obscure addresses on his site. 

This has nothing to do with the topic. It's only that you think it is the 
same. It is not, it's completely unrelated.

> (2) Spammer notices that his harvester failed to "decrypt" X. 

Again, this has nothing to do with the topic.

> (3) Spammer copies technique X and uses it to obscure his spam. 

No, he doesn't "copy". Spammers have used obfuscation techniques for a long time.

> (4) SA programmer devises a way to decrypt X to block the spam. 

No. It just makes a testable URL from it.

> (5) Spammer copies algorithm from SA into his address harvester.

Hah? We are talking about completely different things here: http URIs and 
mail URIs.
 
You are confusing two things. What someone does to not get his address 
harvested is a completely different matter from any URI obfuscation in 
spam. There is *nothing* to "copy". SA *is* all about removing and 
detecting obfuscation and it looks up URIs in SURBL.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: So, when do we start handling [dot] in a URI

Posted by jdow <jd...@earthlink.net>.
From: "John Rudd" <jr...@ucsc.edu>
> 
> On May 12, 2006, at 15:53, Bart Schaefer wrote:
> 
>> On 5/12/06, Kai Schaetzl <ma...@conactive.com> wrote:
>>> Bart Schaefer wrote on Fri, 12 May 2006 07:34:05 -0700:
>>>
>>> > So now that the spammers are using our own defenses against us, you
>>> > suggest that we should invent the technology to defeat those 
>>> defenses?
>>>
>>> What's there to "invent"? The point is that these need to be 
>>> identified as
>>> URI. So, convert to URI and then lookup in SURBL.
>>
>> It just seems like a useless rathole to go down.
>>
>> (1) Website maintainer uses technique X to obscure addresses on his 
>> site.
>> (2) Spammer notices that his harvester failed to "decrypt" X.
>> (3) Spammer copies technique X and uses it to obscure his spam.
>> (4) SA programmer devises a way to decrypt X to block the spam.
>> (5) Spammer copies algorithm from SA into his address harvester.
>> (6) Website maintainer starts getting spam, so he devises a new X.
>> (7) Repeat at (1).
>>
> 
> Except I'm willing to bet that we have already seen steps 1,2,5a,6,7 a 
> few times  (where 5a is "spammer writes his own method for decrypting 
> X").  The simple mechanisms mentioned in 1 are ... simple.  Which is 
> why there have already been 3 or 4 go-arounds of step 6 (using simple 
> substitutions; using &codes; using images, etc.).
> 
> The only difference is that now SA is going to jump into this 
> particular arms-race, after having missed a few rounds of it.
> 
> (and, frankly, it's a non-issue to me ... the mechanisms mentioned at 
> step 1 and 6 are silly ... I'd much rather fight spam at the email 
> gateway, than at the "hide my email address" phase)
> 
> (actually, I think it's worse than silly, but I'm not in a bad enough 
> mood to say what I really think of it)

There are some further rounds I am fully expecting. So don't worry.
The merry-go-round is still going around. And nobody's captured the
brass ring.

{^_^}

Re: So, when do we start handling [dot] in a URI

Posted by John Rudd <jr...@ucsc.edu>.
On May 12, 2006, at 15:53, Bart Schaefer wrote:

> On 5/12/06, Kai Schaetzl <ma...@conactive.com> wrote:
>> Bart Schaefer wrote on Fri, 12 May 2006 07:34:05 -0700:
>>
>> > So now that the spammers are using our own defenses against us, you
>> > suggest that we should invent the technology to defeat those 
>> defenses?
>>
>> What's there to "invent"? The point is that these need to be 
>> identified as
>> URI. So, convert to URI and then lookup in SURBL.
>
> It just seems like a useless rathole to go down.
>
> (1) Website maintainer uses technique X to obscure addresses on his 
> site.
> (2) Spammer notices that his harvester failed to "decrypt" X.
> (3) Spammer copies technique X and uses it to obscure his spam.
> (4) SA programmer devises a way to decrypt X to block the spam.
> (5) Spammer copies algorithm from SA into his address harvester.
> (6) Website maintainer starts getting spam, so he devises a new X.
> (7) Repeat at (1).
>

Except I'm willing to bet that we have already seen steps 1,2,5a,6,7 a 
few times  (where 5a is "spammer writes his own method for decrypting 
X").  The simple mechanisms mentioned in 1 are ... simple.  Which is 
why there have already been 3 or 4 go-arounds of step 6 (using simple 
substitutions; using &codes; using images, etc.).

The only difference is that now SA is going to jump into this 
particular arms-race, after having missed a few rounds of it.

(and, frankly, it's a non-issue to me ... the mechanisms mentioned at 
step 1 and 6 are silly ... I'd much rather fight spam at the email 
gateway, than at the "hide my email address" phase)

(actually, I think it's worse than silly, but I'm not in a bad enough 
mood to say what I really think of it)


Re: So, when do we start handling [dot] in a URI

Posted by Bart Schaefer <ba...@gmail.com>.
On 5/12/06, jdow <jd...@earthlink.net> wrote:
>
> << jdow >> And you propose we do what instead?

Look for other characteristics of the messages that could be filtered.
I haven't seen any of these spams, so I don't know what those might
be, but this can hardly be the *only* thing the spammer is doing.
It's just the one that jumped out as obvious.  But it's also the one
that's likely to be easiest to mutate rapidly, so it's probably the
worst one to attack.

Re: So, when do we start handling [dot] in a URI

Posted by jdow <jd...@earthlink.net>.
From: "Bart Schaefer" <ba...@gmail.com>

On 5/12/06, Kai Schaetzl <ma...@conactive.com> wrote:
> Bart Schaefer wrote on Fri, 12 May 2006 07:34:05 -0700:
>
> > So now that the spammers are using our own defenses against us, you
> > suggest that we should invent the technology to defeat those defenses?
>
> What's there to "invent"? The point is that these need to be identified as
> URI. So, convert to URI and then lookup in SURBL.

It just seems like a useless rathole to go down.

(1) Website maintainer uses technique X to obscure addresses on his site.
(2) Spammer notices that his harvester failed to "decrypt" X.
(3) Spammer copies technique X and uses it to obscure his spam.
(4) SA programmer devises a way to decrypt X to block the spam.
(5) Spammer copies algorithm from SA into his address harvester.
(6) Website maintainer starts getting spam, so he devises a new X.
(7) Repeat at (1).

<< jdow >> And you propose we do what instead?

{^_^}   Don't whine, solve.

Re: So, when do we start handling [dot] in a URI

Posted by Bart Schaefer <ba...@gmail.com>.
On 5/12/06, Kai Schaetzl <ma...@conactive.com> wrote:
> Bart Schaefer wrote on Fri, 12 May 2006 07:34:05 -0700:
>
> > So now that the spammers are using our own defenses against us, you
> > suggest that we should invent the technology to defeat those defenses?
>
> What's there to "invent"? The point is that these need to be identified as
> URI. So, convert to URI and then lookup in SURBL.

It just seems like a useless rathole to go down.

(1) Website maintainer uses technique X to obscure addresses on his site.
(2) Spammer notices that his harvester failed to "decrypt" X.
(3) Spammer copies technique X and uses it to obscure his spam.
(4) SA programmer devises a way to decrypt X to block the spam.
(5) Spammer copies algorithm from SA into his address harvester.
(6) Website maintainer starts getting spam, so he devises a new X.
(7) Repeat at (1).

Re: So, when do we start handling [dot] in a URI

Posted by Kai Schaetzl <ma...@conactive.com>.
Rick Measham wrote on Sat, 13 May 2006 12:38:16 +1000:

> Why bother with the lookup? Any mail that has something that looks 
> enough like an obfuscated URL that we'd want to look it up should ring 
> alarm bells that we don't need to look it up ..

You *can* do that. But that's a different matter. The one is detection of 
some obfuscation and scoring that and the other is converting "something" 
to a URL that can be looked up in SURBL. Two different things.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
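An added example, written for this edit rather than taken from SpamAssassin or from any poster in the thread, and in Python rather than SA's Perl. It covers both Bret's original request (have the URI parser recognise baddomain[dot]com, (dot), -dot-, {dot} and the like) and the distinction Kai draws in this message: scoring the presence of obfuscation is one signal, converting the text to a real hostname for a SURBL lookup is another, and the two are kept separate below. Assumptions: the token list is the one from Bret's message plus a bare "host dot tld" spelling; the SURBL query name is built as domain.multi.surbl.org but resolved against a constructed local set instead of a DNS query; the registrable domain is approximated by the last two labels.

```python
import re

# Spellings of "." that the thread mentions: [dot], (dot), -dot-, {dot}.
# The bare "word dot word" form is an added assumption, not from the thread.
DOT_TOKEN = re.compile(
    r"\s*(?:\[\s*dot\s*\]|\(\s*dot\s*\)|\{\s*dot\s*\}|-\s*dot\s*-|\s+dot\s+)\s*",
    re.IGNORECASE,
)

# Loose hostname matcher: one or more labels followed by an alphabetic TLD.
HOSTNAME = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b",
    re.IGNORECASE,
)


def normalize_dots(text):
    """Rewrite every obfuscated dot token to a literal '.'."""
    return DOT_TOKEN.sub(".", text)


def extract_hosts(text):
    """Return the set of lower-cased hostnames found verbatim in text."""
    return {m.group(0).lower() for m in HOSTNAME.finditer(text)}


def find_hosts(text):
    """Return (all_hosts, obfuscated_hosts).

    all_hosts are the hostnames visible after de-obfuscation; obfuscated_hosts
    are the subset that only appear once the dot tokens are rewritten, which is
    the signal a rule can score on its own, before any lookup.
    """
    plain = extract_hosts(text)
    after = extract_hosts(normalize_dots(text))
    return after, after - plain


def registrable_domain(host):
    """Last-two-labels approximation of the registrable domain (assumption:
    fine for .com/.org; a real implementation would consult the public
    suffix list to handle things like co.uk)."""
    return ".".join(host.split(".")[-2:])


def surbl_query_name(host, zone="multi.surbl.org"):
    """Build the DNS name a SURBL lookup would resolve for this host."""
    return registrable_domain(host) + "." + zone


def check_message(text, blocklist):
    """Combine both signals: obfuscation present, and any host listed.

    blocklist is a constructed stand-in for SURBL DNS answers (a set of
    registrable domains); no network lookup is made here.
    """
    hosts, obfuscated = find_hosts(text)
    listed = {h for h in hosts if registrable_domain(h) in blocklist}
    return {
        "hosts": hosts,
        "obfuscated": obfuscated,
        "listed": listed,
        "queries": {h: surbl_query_name(h) for h in hosts},
    }


# The spam body Bret quoted in the thread, and a constructed stub blocklist
# standing in for a SURBL answer.
SAMPLE = """Welcome!

[E]rectile
[D]ysfunction?

We can help! Our site: ochhorfando[dot]com ;) Don't forget to replace
"[dot]" to "."
"""
STUB_BLOCKLIST = {"ochhorfando.com"}

if __name__ == "__main__":
    print(check_message(SAMPLE, STUB_BLOCKLIST))
```

Because `find_hosts` reports the obfuscated subset separately, a rule can score "obfuscated hostname present" on its own (Rick's suggestion later in the thread) while the normalised hostnames still feed the SURBL lookup (Kai's point); neither signal depends on the other.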




Re: So, when do we start handling [dot] in a URI

Posted by Rick Measham <ri...@measham.id.au>.
Kai Schaetzl wrote:
> What's there to "invent"? The point is that these need to be identified as 
> URI. So, convert to URI and then lookup in SURBL.

Why bother with the lookup? Any mail that has something that looks 
enough like an obfuscated URL that we'd want to look it up should ring 
alarm bells that we don't need to look it up ..

Cheers!
Rick Measham

Re: So, when do we start handling [dot] in a URI

Posted by Kai Schaetzl <ma...@conactive.com>.
Bart Schaefer wrote on Fri, 12 May 2006 07:34:05 -0700:

> So now that the spammers are using our own defenses against us, you 
> suggest that we should invent the technology to defeat those defenses?

What's there to "invent"? The point is that these need to be identified as 
URI. So, convert to URI and then lookup in SURBL.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: So, when do we start handling [dot] in a URI

Posted by Magnus Holmgren <ho...@lysator.liu.se>.
Friday 12 May 2006 16:38, Theo Van Dinter wrote:
> However, I don't really think we need to have SA doing this.  IMO, if
> spammers have to resort to obfuscating their domains in such a way that
> people need to actively copy/paste/edit/copy/paste to get to their site...

They already obfuscate their messages so badly that you'd have to be more than 
stupid to take them as serious business. Yet some people buy from them.

But maybe ... maybe those who are stupid enough to fall for spam offers are 
too stupid to follow the directions? Then again, maybe they aren't stupid, 
just desperate.

-- 
Magnus Holmgren
holmgren@lysator.liu.se

Re: So, when do we start handling [dot] in a URI

Posted by Rick Measham <ri...@measham.id.au>.
Theo Van Dinter wrote:
> However, I don't really think we need to have SA doing this.  IMO, if
> spammers have to resort to obfuscating their domains in such a way that
> people need to actively copy/paste/edit/copy/paste to get to their site...

If that's the theory, then why bother with SA at all? Surely people are 
smart enough to recognise 99% of spam in the first place, they just 
don't want it. If spammers are obfuscating URLs and there's no other 
matches that trigger other rules, then SA needs to find obfuscated URLs.

Cheers!
Rick Measham


Re: So, when do we start handling [dot] in a URI

Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, May 12, 2006 at 07:34:05AM -0700, Bart Schaefer wrote:
> So now that the spammers are using our own defenses against us, you
> suggest that we should invent the technology to defeat those defenses?
> And *then* what happens?

I haven't tried it, but always thought that detecting the straightforward
ones would be pretty trivial.  I'd be surprised if this hasn't already
been handled by spam harvesters.

However, I don't really think we need to have SA doing this.  IMO, if
spammers have to resort to obfuscating their domains in such a way that
people need to actively copy/paste/edit/copy/paste to get to their site...

-- 
Randomly Generated Tagline:
"People who have more power than you do are hard to subvert easily."
                                         - Elizabeth Zwicky at LISA '99

Re: So, when do we start handling [dot] in a URI

Posted by Bart Schaefer <ba...@gmail.com>.
On 5/12/06, Bret Miller <br...@wcg.org> wrote:
> Seems spammers have taken up to doing what many of us have in posting
> e-mail addresses, putting [dot] instead of the . in the URL and telling
> people to replace it

Gosh, exactly what "regular" people have been doing on web sites and
in news/list postings for years, to prevent spammers from harvesting
their addresses.

So now that the spammers are using our own defenses against us, you
suggest that we should invent the technology to defeat those defenses?
And *then* what happens?

Re: Re: So, when do we start handling [dot] in a URI

Posted by Nigel Frankcom <ni...@blue-canoe.net>.
On Fri, 12 May 2006 11:47:33 -0700, "jdow" <jd...@earthlink.net> wrote:

>From: "Jo" <ml...@winfix.it>
>
>> Bret Miller wrote:
>>> Seems spammers have taken up to doing what many of us have in posting
>>> e-mail addresses, putting [dot] instead of the . in the URL and telling
>>> people to replace it like this:
>>>
>>> Welcome!
>>>
>>> [E]rectile
>>> [D]ysfunction?
>>>
>>> We can help! Our site: ochhorfando[dot]com ;) Don't forget to replace
>>> "[dot]" to "."
>>>
>>> Spam sample here: http://webmail.wcg.org/~support/15292-P.txt
>>>
>>> Maybe time to start working on the URI parser to catch baddomain.com and
>>> baddomain[dot]com and probably other variations (dot), -dot-, {dot}, and
>>> whatever else you might think they'd use to delimit the dot.
>>>
>>> Bret
>>>   
>> punt, puntje, bolleke, bolletje, point, Punkt, punto, punkto. With 6000 
>> languages worldwide that's a lot of possible variations...
>
>And with the human ability to fill in the blanks....
>
>(The "MUNGED" and "DOT" defenses are silly. They, indeed, are too easy
>to automatically work around. For grins, on an Amiga in the late 90s I
>used AREXX to build a tiny script for doing this then discarded it as
>something I didn't need.)
>
>{^_-}

That being said, they sailed through a lot of folks SA setups, mine
included.

Re: So, when do we start handling [dot] in a URI

Posted by jdow <jd...@earthlink.net>.
From: "Jo" <ml...@winfix.it>

> Bret Miller wrote:
>> Seems spammers have taken up to doing what many of us have in posting
>> e-mail addresses, putting [dot] instead of the . in the URL and telling
>> people to replace it like this:
>>
>> Welcome!
>>
>> [E]rectile
>> [D]ysfunction?
>>
>> We can help! Our site: ochhorfando[dot]com ;) Don't forget to replace
>> "[dot]" to "."
>>
>> Spam sample here: http://webmail.wcg.org/~support/15292-P.txt
>>
>> Maybe time to start working on the URI parser to catch baddomain.com and
>> baddomain[dot]com and probably other variations (dot), -dot-, {dot}, and
>> whatever else you might think they'd use to delimit the dot.
>>
>> Bret
>>   
> punt, puntje, bolleke, bolletje, point, Punkt, punto, punkto. With 6000 
> languages worldwide that's a lot of possible variations...

And with the human ability to fill in the blanks....

(The "MUNGED" and "DOT" defenses are silly. They, indeed, are too easy
to automatically work around. For grins, on an Amiga in the late 90s I
used AREXX to build a tiny script for doing this then discarded it as
something I didn't need.)

{^_-}

Re: So, when do we start handling [dot] in a URI

Posted by Kai Schaetzl <ma...@conactive.com>.
Jo wrote on Fri, 12 May 2006 16:41:38 +0200:

> punt, puntje, bolleke, bolletje, point, Punkt, punto, punkto. With 6000 
> languages worldwide that's a lot of possible variations...

Not really, since most of that spam is in English and they rely on "common 
knowledge", e.g. that "[dot]" means ".".

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: So, when do we start handling [dot] in a URI

Posted by Jo <ml...@winfix.it>.
Bret Miller wrote:
> Seems spammers have taken up to doing what many of us have in posting
> e-mail addresses, putting [dot] instead of the . in the URL and telling
> people to replace it like this:
>
> Welcome!
>
> [E]rectile
> [D]ysfunction?
>
> We can help! Our site: ochhorfando[dot]com ;) Don't forget to replace
> "[dot]" to "."
>
> Spam sample here: http://webmail.wcg.org/~support/15292-P.txt
>
> Maybe time to start working on the URI parser to catch baddomain.com and
> baddomain[dot]com and probably other variations (dot), -dot-, {dot}, and
> whatever else you might think they'd use to delimit the dot.
>
> Bret
>   
punt, puntje, bolleke, bolletje, point, Punkt, punto, punkto. With 6000 
languages worldwide that's a lot of possible variations...

Jo