You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2006/01/05 06:53:50 UTC
[Bug 4753] New: New encoding for listashing addresses, not ROT-13
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4753
Summary: New encoding for listashing addresses, not ROT-13
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Platform: Other
OS/Version: other
Status: NEW
Severity: enhancement
Priority: P5
Component: Rules (Eval Tests)
AssignedTo: dev@spamassassin.apache.org
ReportedBy: lwilton@earthlink.net
Matt Kettler did an analysis of the current common encoding format for email
addresses. This one is designed to bypass the simple ROT-13 check. They
encode into a ROT-17 *reversed* alphabet.
This isn't something that is trivially checkable with a standard rule, but
should be reasonably trivial to catch in the eval code that does the current
catch.
Matt sayeth:
Spammers have been embedding encoded versions of our email addresses in
spam and web links for listwashing purposes for a long time.
One of the early popular encodings was a variant of rot-13.
More recently I've noticed a lot of the geocities exploit spams are using a
new encoding.
Before:
mkettler@evi-inc.com
Encoded by rot-13 into:
zxrggyre^riv-vap(pbz
Now I'm seeing a lot using:
XZfQQYfS.fOb-bWh,hVX
Which I could tell was a simple character substitution, but not constant
addition or XOR.
So I did some digging and got more examples from NANAS posts:
http://groups.google.com/group/news.admin.net-
abuse.sightings/msg/5724bf90fa6fae6e
http://groups.google.com/group/news.admin.net-
abuse.sightings/msg/ba468b2d26bb3494
http://groups.google.com/group/news.admin.net-
abuse.sightings/msg/570cfd7a517a598f
And built up an alphabet table. The results are amusing.
The new version takes a backwards alphabet, and reverse-rotates it 17
characters.
Here's my table. I extrapolated the obvious for the items in ().
Plain -> encoded
------------
a j
b i
c h
d g
e f
f e
g (d)
h c
i b
j (a)
k Z
l Y
m X
n W
o V
p U
q (T)
r S
s (R)
t Q
u (P)
v O
w (N)
x M
y L
z K
------------
They're also using both upper and lower-case alphabets here, so you can
continue the list at the top such that Z encodes to 'k'
Cute eh?
I might suggest encoding up your own email domains into a body rule.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4753] New encoding for listashing addresses, not ROT-13
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4753
felicity@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX
------- Additional Comments From felicity@apache.org 2006-12-05 11:59 -------
I don't think we're really going to be able to handle generic substitution
cipher detection as a spam rule. :|
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.