RE: [Declude.JunkMail] Encoded Email... how?
LOL! Declude doesn't have a filter for that. :)

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Stavert
> Sent: Thursday, September 05, 2002 3:28 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Encoded Email... how?
>
> Mark
> Any help on nuclear fusion would be helpful as well. But only if you have time! ;)
>
> David

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Encoded Email... how?
Mark
Any help on nuclear fusion would be helpful as well. But only if you have time! ;)

David
RE: [Declude.JunkMail] Encoded Email... how?
You could create a filter that looks for these types of links. If there is NOT a http://x.x.x.x regular expression then it would most likely be spam.

FWIW, here's how you create them:

To convert an IP to integer:
Note that the % is the standard C arithmetic operator

((2^24)*A)+((2^16)*B)+((2^8)*C)+D = integer value of an IP address
Where A, B, C, D are the individual octets in the IP address: A.B.C.D

To convert the Integer to IP:

Take the integer value of the number divided by 16777216 (2^24) that's the first octet.
Octet 1 = int(number / 16777216) or int(1/162777216) = 5

Take the integer value of the number divided by 65536 (2^16) that's the second octet.
Octet 2 = int(number / 65536) or int(1/65536) = 245

Take the integer value of the number divided by 256 (2^8) that's the third octet.
Octet 3 = int(number / 256) or int(1/256) = 225

Take the integer value of the number % 256 that's the fourth octet.
Octet 4 = number % 256 or 1 % 256 = 0

5.245.225.0

Mark

> Also what we are finding is they are turning the links and addresses into binary numbers, therefore making it impossible to detect the links and trap them... Such as majority of porn-sites. We get links like:
> http://0111010101010101010101010101010...
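The filter idea from this message, sketched as an added example (not code from the post, Declude or Message Sniffer): it applies the integer/octet arithmetic given above, reducing each quotient modulo 256 so every octet stays within 0-255, and flags links whose host is numeric but not written as x.x.x.x. The hex and leading-zero octal readings follow the classic inet_aton convention, which is an assumption about how the mail client resolves such hosts; the sample body and all names are constructed.

```python
import re

# Host part of an http(s) link, up to the first '/', ':' or delimiter.
LINK_HOST = re.compile(r"https?://([^/\s:\"'<>]+)", re.IGNORECASE)
DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def ip_to_int(dotted):
    """A.B.C.D -> (2^24)*A + (2^16)*B + (2^8)*C + D."""
    a, b, c, d = (int(part) for part in dotted.split("."))
    if any(not 0 <= octet <= 255 for octet in (a, b, c, d)):
        raise ValueError("octet out of range: %r" % dotted)
    return (2**24) * a + (2**16) * b + (2**8) * c + d


def int_to_ip(number):
    """Inverse conversion: divide by 2^24, 2^16, 2^8, 1 and reduce mod 256."""
    if not 0 <= number <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: %r" % number)
    return ".".join(str((number // 256**power) % 256) for power in (3, 2, 1, 0))


def classify_host(host):
    """Return (kind, dotted_quad_or_None) for the host part of a link."""
    if DOTTED_QUAD.fullmatch(host):
        return "dotted-quad", host
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", host):
        kind, value = "hex-integer", int(host, 16)
    elif re.fullmatch(r"0[0-7]+", host):      # leading zero: octal (assumed)
        kind, value = "octal-integer", int(host, 8)
    elif re.fullmatch(r"[1-9]\d*|0", host):
        kind, value = "decimal-integer", int(host, 10)
    elif re.fullmatch(r"\d+", host):          # digits that fit no radix above
        return "numeric-unparsed", None
    else:
        return "name", None
    if value > 0xFFFFFFFF:                    # too long to be an IPv4 address
        return "numeric-unparsed", None
    return kind, int_to_ip(value)


def flag_links(body):
    """List (host, kind, decoded) for numeric hosts not written as x.x.x.x."""
    findings = []
    for host in LINK_HOST.findall(body):
        kind, decoded = classify_host(host)
        if kind not in ("name", "dotted-quad"):
            findings.append((host, kind, decoded))
    return findings


# Constructed message body; none of these links come from real mail.
SAMPLE_BODY = """\
<a href="http://100000000/offer.html">click</a>
<a href="http://0x05F5E100/">click</a>
<a href="http://5.245.225.0/">plain</a>
<a href="http://www.example.com/page">named</a>
<a href="http://0110100101101001011010010110/">binary-looking</a>
"""

if __name__ == "__main__":
    for finding in flag_links(SAMPLE_BODY):
        print(finding)
```

Hosts that are all digits but too long to decode are still reported, so a link written as a long run of 0s and 1s is flagged even though no address can be recovered from it.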
RE: [Declude.JunkMail] Encoded Email... how?
> Also what we are finding is they are turning the links and addresses into binary numbers, therefore making it impossible to detect the links and trap them... Such as majority of porn-sites. We get links like:
> http://0111010101010101010101010101010...

FYI: Scott, or rather Declude, has a decimal IP "test" at www.dnsstuff.com.

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
Re: [Declude.JunkMail] Encoded Email... how?
> I'm not an expert, but it may be that this started as a way to encode languages containing Unicode into RFC-compliant messages. When I created my own text kill filters for this it caught some E-mails that looked legitimate to a business that did foreign correspondence (I didn't decode or analyze them in detail though).

That *shouldn't* happen, if the E-mail was using a "text/plain" or "text/html" MIME segment. The "text/plain" should only be used for ASCII data, and "text/html" should only be used for HTML.

I'm guessing that either [1] They had no clue what they were doing, and sent Unicode in a text/plain MIME segment, which isn't supposed to happen, or [2] It may have actually been a different MIME type ("text/unicode", perhaps -- I don't know).

If you (or anyone else) happens to have one of these, I would be interested in seeing it.

-Scott
Re: [Declude.JunkMail] Encoded Email... how?
I'm not an expert, but it may be that this started as a way to encode languages containing Unicode into RFC-compliant messages. When I created my own text kill filters for this it caught some E-mails that looked legitimate to a business that did foreign correspondence (I didn't decode or analyze them in detail though).

- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 04, 2002 5:07 PM
Subject: Re: [Declude.JunkMail] Encoded Email... how?

> It's something that we may add a new test for, as HTML (and text) should never need to be encoded that way.
RE: [Declude.JunkMail] Encoded Email... how?
We've seen a lot of this as well, and frankly it works against them. There are seldom legitimate reasons to obscure a web link - particularly by coding it as binary or as a long integer.

The Message Sniffer rule base has some aggressive rules built to trap any web link that starts off with more than 3 digits in a row, and a large number of specific rules to numbered or otherwise coded web links. (These are very common in porn spam.)

These might make good tests Scott ;-)

If you (anyone) decide to add rules like this to your filters be cautious not to go too wild with them. There are a number of legitimate services, internal corporate software, and other legitimate reasons to use numbered links. You must tune to suit your tastes.

_M

| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
| Sent: Wednesday, September 04, 2002 5:10 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Encoded Email... how?
|
| We are actually finding more & more SPAM are coming that way. We are only catching them when they put interesting words in the subject.
|
| Also what we are finding is they are turning the links and addresses into binary numbers, therefore making it impossible to detect the links and trap them... Such as majority of porn-sites. We get links like:
| http://0111010101010101010101010101010...
|
| How I have no clue?
|
| Regards,
| Kami
Re: [Declude.JunkMail] Encoded Email... how?
I C... I was able to reproduce this quite easily with Outlook Express, I am surprised it's not used more frequently. I suppose the renegade bulk mailer programmers haven't added that option yet...

I agree Scott, html/txt should never be sent that way. I formally request that filter feature be added :-)

As always thanks for your response and effort

Have a great day!
Rick Davidson
Buckeye Internet Services
www.buckeyeweb.com
440-953-1900

- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 04, 2002 5:07 PM
Subject: Re: [Declude.JunkMail] Encoded Email... how?

> >This one has me baffled. This email (spam) showed up as what appeared to be an html formatted message. When I view the raw message it appears as an encoded attachment making it impossible to filter on any body content.
> >
> >How are they doing it and how do we stop it?
>
> That's getting to be a more common trick of spammers. They are sending an HTML MIME segment that is encoded (using base64 encoding, which is normally only used when sending files). That way, the E-mail can't easily be filtered.
>
> It's something that we may add a new test for, as HTML (and text) should never need to be encoded that way.
> -Scott
RE: [Declude.JunkMail] Encoded Email... how?
We've just added a base64 decoding filter to the Message Sniffer program for precisely this reason. This makes encoded HTML segments or attached files look like plain data to the pattern matching engine.

There are other coding tricks in use as well and we are building those filter modules for later release.

Once the current beta of sniffer is a full-fledged production version we will include this code in the free demo version.

_M

| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
| Sent: Wednesday, September 04, 2002 5:07 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Encoded Email... how?
|
| >This one has me baffled. This email (spam) showed up as what appeared to be an html formatted message. When I view the raw message it appears as an encoded attachment making it impossible to filter on any body content.
| >
| >How are they doing it and how do we stop it?
|
| That's getting to be a more common trick of spammers. They are sending an HTML MIME segment that is encoded (using base64 encoding, which is normally only used when sending files). That way, the E-mail can't easily be filtered.
|
| It's something that we may add a new test for, as HTML (and text) should never need to be encoded that way.
| -Scott
RE: [Declude.JunkMail] Encoded Email... how?
We are actually finding more & more SPAM are coming that way. We are only catching them when they put interesting words in the subject.

Also what we are finding is they are turning the links and addresses into binary numbers, therefore making it impossible to detect the links and trap them... Such as majority of porn-sites. We get links like:
http://0111010101010101010101010101010...

How I have no clue?

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Davidson
Sent: Wednesday, September 04, 2002 4:43 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Encoded Email... how?

Howdy,
This one has me baffled. This email (spam) showed up as what appeared to be an html formatted message. When I view the raw message it appears as an encoded attachment making it impossible to filter on any body content.

How are they doing it and how do we stop it?

Have a great day!
Rick Davidson
Buckeye Internet Services
www.buckeyeweb.com
440-953-1900
Re: [Declude.JunkMail] Encoded Email... how?
> This one has me baffled. This email (spam) showed up as what appeared to be an html formatted message. When I view the raw message it appears as an encoded attachment making it impossible to filter on any body content.
>
> How are they doing it and how do we stop it?

That's getting to be a more common trick of spammers. They are sending an HTML MIME segment that is encoded (using base64 encoding, which is normally only used when sending files). That way, the E-mail can't easily be filtered.

It's something that we may add a new test for, as HTML (and text) should never need to be encoded that way.

-Scott
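Both ideas from the thread, the test for base64-encoded text segments described in this message and the decode-before-matching filter described in the Message Sniffer post, shown together as an added example (not Declude or Message Sniffer code). It uses Python's standard email package; the two sample messages, the rule names and the body pattern are constructed for illustration.

```python
import base64
import email
import re

_HTML = '<html><body><a href="http://100000000/">Click here</a></body></html>'

# Constructed sample: an HTML body sent with base64 transfer encoding.
SAMPLE_RAW = (
    "From: sender@example.com\n"
    "To: rcpt@example.com\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(_HTML.encode("ascii")).decode("ascii")
)

# Constructed sample: the same body sent unencoded, for comparison.
PLAIN_RAW = (
    "From: sender@example.com\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    + _HTML + "\n"
)


def inspect_text_parts(raw):
    """Return (content_type, transfer_encoding, decoded_text) per text/* part."""
    results = []
    for part in email.message_from_string(raw).walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        cte = part.get("Content-Transfer-Encoding", "7bit").strip().lower()
        payload = part.get_payload(decode=True) or b""   # undoes base64 / QP
        charset = part.get_content_charset() or "us-ascii"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:                              # unknown charset label
            text = payload.decode("latin-1")
        results.append((part.get_content_type(), cte, text))
    return results


def scan_message(raw, body_patterns):
    """Flag base64-encoded text parts, then match patterns on decoded text."""
    hits = []
    for ctype, cte, text in inspect_text_parts(raw):
        if cte == "base64" and ctype in ("text/html", "text/plain"):
            hits.append("BASE64-TEXT:" + ctype)
        for name, pattern in body_patterns.items():
            if re.search(pattern, text, re.IGNORECASE):
                hits.append(name)
    return hits


if __name__ == "__main__":
    rules = {"CLICK-HERE": r"click\s+here"}
    print(scan_message(SAMPLE_RAW, rules))
    print(scan_message(PLAIN_RAW, rules))
```

As another poster in the thread observed, a test on encoded text also caught mail that looked legitimate, so the BASE64-TEXT result fits better as one weighted test among several than as a reject on its own.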