Re: Another form of obfuscation email.

2019-01-27 Thread Bill Cole

On 26 Jan 2019, at 23:43, Mark London wrote:

Does anyone have any rules that can catch this type of obfuscated 
spam?


https://pastebin.com/qi8dsREW

Thanks. - Mark


I've been playing with a suite of rules around a concept that hits this 
example for a while, but haven't gotten around to doing a solid analysis 
of how well the latest rev is working. Caveat Emptor: This rule suite is 
worth at most what you've paid for it!


rawbody   __SCC_HTML_LOCKTITLE  /[^<]*(ID|account|service)\s*(is|has been|was)\s*(locked|disabled|suspended)[^<]*<\/title>/
describe  __SCC_HTML_LOCKTITLE  An Important Title.

rawbody   __SCC_HTML_LOCKBODY   /.*(ID|account|service)\s*(is|has been|was)\s*(locked|disabled|suspended)/ms
describe  __SCC_HTML_LOCKBODY   An Important Message

meta      T_SCC_WARN_TITLE_ONLY   __SCC_HTML_LOCKTITLE && !__SCC_HTML_LOCKBODY
describe  T_SCC_WARN_TITLE_ONLY   HTML Title warning not in body

meta      T_SCC_WARN_BODY_ONLY    !__SCC_HTML_LOCKTITLE && __SCC_HTML_LOCKBODY
describe  T_SCC_WARN_BODY_ONLY    Body warning not in HTML Title


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole


Re: Another form of obfuscation email.

2019-01-27 Thread Bill Cole

On 27 Jan 2019, at 0:46, John Hardin wrote:


why would legitimate emails include invisible text?


Probably the same reason legitimate emails for an almost exclusively US 
audience (from "America's Text Kitchen") contain "Zero Width 
Non-Joiners" both in plain text parts as UTF-8 characters and as named 
entities in HTML parts, which makes no sense in any Latin-* script.


Email marketing technical experts are often ex-spammers who have brought 
filter-evasion tricks with them into legit operations.


Re: Another form of obfuscation email.

2019-01-27 Thread John Hardin

On Sat, 26 Jan 2019, John Hardin wrote:


On Sat, 26 Jan 2019, Mark London wrote:


Does anyone have any rules that can catch this type of obfuscated spam?

https://pastebin.com/qi8dsREW


There's some "invisible font" subrules in my sandbox that this hits 
(__STY_INVIS_MANY, __FONT_INVIS_MANY) but scored versions aren't currently 
exposed. I think when I was testing them I was amazed by the poor S/O - why 
would legitimate emails include invisible text?


It may be that there is something they can be combined with to catch this.

I'll take a look at the masscheck results soon and see if anything suggests 
itself.


Invisible styles seem to be really popular in ham for some reason. I've 
added a meta with some no-ham hits, we'll see how it does.


Explicit multiple invisible fonts, on the other hand, are very rare in the 
masscheck corpus, and are only spam. I've put this into my sandbox for 
evaluation:


meta  HTML_TEXT_INVISIBLE_FONT  __FONT_INVIS_MANY

...but there may not be enough total corpus hits for masscheck to feel 
worthy of publishing it, so you might want to make that a local rule with 
whatever score you feel is appropriate.


--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...every time I sit down in front of a Windows machine I feel as
  if the computer is just a place for the manufacturers to put their
  advertising. -- fwadling on Y! SCOX
---
 Today: Wolfgang Amadeus Mozart's 263rd Birthday


Re: Another form of obfuscation email.

2019-01-26 Thread RALPH HAUSER
PLEASE UNSUBSCRIBE ME TO THESE EMAILS! I NEVER SIGNED UP FOR THIS AND I DONT 
UNDERSTAND ANY OF THIS! PLEASE!

> On Jan 26, 2019, at 9:55 PM, Rupert Gallagher  wrote:
> 
> I would focus on the headers: they have plenty for a spam flag. On the body, 
> SA should already mark the text/code ratio, and the number of links. 
> 
>> On Sun, Jan 27, 2019 at 05:43, Mark London  wrote:
>> Does anyone have any rules that can catch this type of obfuscated spam?
>> 
>> https://pastebin.com/qi8dsREW
>> 
>> Thanks. - Mark
>> 
> 
> 


Re: Another form of obfuscation email.

2019-01-26 Thread Rupert Gallagher
I would focus on the headers: they have plenty for a spam flag. On the body, SA 
should already mark the text/code ratio, and the number of links.

On Sun, Jan 27, 2019 at 05:43, Mark London  wrote:

> Does anyone have any rules that can catch this type of obfuscated spam?
>
> https://pastebin.com/qi8dsREW
>
> Thanks. - Mark

Re: Another form of obfuscation email.

2019-01-26 Thread John Hardin

On Sat, 26 Jan 2019, Mark London wrote:


Does anyone have any rules that can catch this type of obfuscated spam?

https://pastebin.com/qi8dsREW


There's some "invisible font" subrules in my sandbox that this hits 
(__STY_INVIS_MANY, __FONT_INVIS_MANY) but scored versions aren't currently 
exposed. I think when I was testing them I was amazed by the poor S/O - 
why would legitimate emails include invisible text?


It may be that there is something they can be combined with to catch this.

I'll take a look at the masscheck results soon and see if anything 
suggests itself.


If they do well against your Bayes but that's not sufficient to block 
them, you could define local booster metas like:


   meta   LCL_SPAM_BOOST_123   BAYES_99 && __STY_INVIS_MANY

   meta   LCL_SPAM_BOOST_124   BAYES_99 && __FONT_INVIS_MANY


--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Tomorrow: the 52nd anniversary of the loss of Apollo 1


Re: Another form of obfuscation email.

2018-12-12 Thread Mark London

Sorry, I cut off the full URL.   It should have been:

https://pastebin.com/5ASMFahi

On 12/12/2018 12:16 PM, Mark London wrote:

On 12/12/2018 8:01 AM, users-digest-h...@spamassassin.apache.org wrote:

On 10 Dec 2018, at 14:13, RW wrote:


On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:


Hi - Here's another form of obfuscation spam.  This time, not a porn
blackmail one.   Almost the whole text is obfuscated.

https://pastebin.com/VURwmrrF


You say obfuscated, but it looked completely unreadable to me.
The text/plain part is garbage, but the text/html part renders to a 
mostly readable phish.

Bill Cole


Sorry, try this one, which was sent a day later, which is readable.

https://pastebin.com/edit/5ASMFah

I just put it through the latest spamassassin rules.  I see that it's 
hitting some of the new rules:


T_HTML_SHRT_CMNT_OBFU_MANY,T_MIXED_ES,UNICODE_OBFU_ASC

It's still only being flagged as spam because of my high score 
assigned to HTML_OBFUSCATE_90_100.   I've had that high score for 
years, never a false positive from it (yet!).


- Mark


Re: Another form of obfuscation email.

2018-12-12 Thread John Hardin

On Wed, 12 Dec 2018, Mark London wrote:


Sorry, try this one, which was sent a day later, which is readable.

https://pastebin.com/edit/5ASMFah

I just put it through the latest spamassassin rules.  I see that it's 
hitting some of the new rules:


T_HTML_SHRT_CMNT_OBFU_MANY,T_MIXED_ES,UNICODE_OBFU_ASC

It's still only being flagged as spam because of my high score assigned to 
HTML_OBFUSCATE_90_100.   I've had that high score for years, never a false 
positive from it (yet!).


I just hardcoded the score for that to 2.000. Pity we don't have anything 
in the masscheck corpus for it.



--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Our government should bear in mind the fact that the American
  Revolution was touched off by the then-current government
  attempting to confiscate firearms from the people.
---
 3 days until Bill of Rights day


Re: Another form of obfuscation email.

2018-12-12 Thread Mark London

On 12/12/2018 8:01 AM, users-digest-h...@spamassassin.apache.org wrote:

On 10 Dec 2018, at 14:13, RW wrote:


On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:


Hi - Here's another form of obfuscation spam.  This time, not a porn
blackmail one.   Almost the whole text is obfuscated.

https://pastebin.com/VURwmrrF


You say obfuscated, but it looked completely unreadable to me.
The text/plain part is garbage, but the text/html part renders to a 
mostly readable phish.

Bill Cole


Sorry, try this one, which was sent a day later, which is readable.

https://pastebin.com/edit/5ASMFah

I just put it through the latest spamassassin rules.  I see that it's 
hitting some of the new rules:


T_HTML_SHRT_CMNT_OBFU_MANY,T_MIXED_ES,UNICODE_OBFU_ASC

It's still only being flagged as spam because of my high score assigned 
to HTML_OBFUSCATE_90_100.   I've had that high score for years, never a 
false positive from it (yet!).


- Mark



Re: Another form of obfuscation email.

2018-12-11 Thread Bill Cole

On 11 Dec 2018, at 7:52, RW wrote:


On Mon, 10 Dec 2018 16:02:33 -0500
Bill Cole wrote:


On 10 Dec 2018, at 14:13, RW wrote:


On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:


Hi - Here's another form of obfuscation spam.  This time, not a
porn blackmail one.   Almost the whole text is obfuscated.

https://pastebin.com/VURwmrrF



You say obfuscated, but it looked completely unreadable to me.


The text/plain part is garbage, but the text/html part renders to a
mostly readable phish.


I see it depends on the client,


Yes. For easy readability, the HTML renderer must honor styling 
attributes instructing it to draw some characters inside words as 
invisible and zero-width. This provides a handle for a 'rawbody' rule 
and there are rules in the 'nonKAM' set that Kevin curates which catch 
on that mail almost accidentally...



this is a typical line as rendered by
claws-mail:

  Ρnflе2аgѕsе Сal3ісκml Неvге tsο9 геdνіеywtv thіѕ а3rсt4іν5qіxtуv аndv2
  uf0ροsn νегvіfісiаtzіv9οtn, wе wfіl049l гsеmοoνеl а9nу
  ге2ѕittгhісt02іοoni2ѕ ρlnlас5е4d οnsz9 уοvuoгz ρгοfoіolе.



SpamAssassin renders the body text similarly.


Yes, and that should provide places to hang 'body' rules for someone 
with the time & skill to write them. Bayes could in principle do the 
work, except for the problem of the inserts acting like crypto 'salt' 
does for thwarting pre-calculated hash tables.
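The title-versus-body check from Bill Cole's SCC rule suite earlier in the thread, and the invisible-styling "handle" he describes in this message, worked through in Python as an added example that is not code from the thread or from SpamAssassin. The sample HTML, the INVIS_SPAN detector and the choice to test the body regex only on the text after </title> are my assumptions.

```python
import re

# Constructed sample, not the message from the thread: the <title> is plain
# English, but in the body the same phrase has junk characters inserted in
# spans a renderer draws as invisible, so a text regex no longer sees it.
SAMPLE_HTML = (
    '<html><head><title>Your account has been locked</title></head><body>'
    '<p>Your acc<span style="font-size:0">x</span>ount ha'
    '<span style="display:none">q</span>s been lo'
    '<span style="font-size:0px">9</span>cked. Please verify.</p>'
    '</body></html>'
)

# The SCC subrule regexes, transcribed to Python syntax (no /i flag, as posted).
PHRASE = r'(ID|account|service)\s*(is|has been|was)\s*(locked|disabled|suspended)'
TITLE_RE = re.compile(r'[^<]*' + PHRASE + r'[^<]*</title>')
BODY_RE = re.compile(r'.*' + PHRASE, re.S)

# Hypothetical detector for spans styled invisible (font-size:0 or display:none);
# this is what a rawbody rule can still match when the rendered text cannot.
INVIS_SPAN = re.compile(
    r'<span[^>]*style="[^"]*(?:font-size:\s*0(?:px|pt|em)?\s*(?=[;"])|display:\s*none)'
    r'[^"]*"[^>]*>.*?</span>', re.S)
ANY_TAG = re.compile(r'<[^>]+>')

def scc_rules(rawbody):
    """Evaluate the two subrules and the two metas on the raw HTML.
    Assumption: the body subrule is checked on the text after </title>, so the
    two subrules look at different regions of the message."""
    after_title = rawbody.split('</title>', 1)[-1]
    lock_title = bool(TITLE_RE.search(rawbody))
    lock_body = bool(BODY_RE.search(after_title))
    return {
        '__SCC_HTML_LOCKTITLE': lock_title,
        '__SCC_HTML_LOCKBODY': lock_body,
        'T_SCC_WARN_TITLE_ONLY': lock_title and not lock_body,
        'T_SCC_WARN_BODY_ONLY': (not lock_title) and lock_body,
    }

def render(rawbody, honor_invisible):
    """Body text as a tag-stripping filter sees it (honor_invisible=False) or as
    a styling-aware mail client shows it (honor_invisible=True)."""
    html = INVIS_SPAN.sub('', rawbody) if honor_invisible else rawbody
    body = html.split('</head>', 1)[-1]
    return ' '.join(ANY_TAG.sub('', body).split())

def invisible_span_count(rawbody):
    """How many invisible-styled spans the raw HTML carries."""
    return len(INVIS_SPAN.findall(rawbody))
```

On the sample, the title subrule fires and the body subrule does not, so T_SCC_WARN_TITLE_ONLY fires; dropping the invisible spans restores "Your account has been locked" and the body regex matches again, which is the same mismatch the Bayes 'salt' comment describes.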


Re: Another form of obfuscation email.

2018-12-11 Thread RW
On Mon, 10 Dec 2018 16:02:33 -0500
Bill Cole wrote:

> On 10 Dec 2018, at 14:13, RW wrote:
> 
> > On Mon, 10 Dec 2018 12:45:53 -0500
> > Mark London wrote:
> >  
> >> Hi - Here's another form of obfuscation spam.  This time, not a
> >> porn blackmail one.   Almost the whole text is obfuscated.
> >>
> >> https://pastebin.com/VURwmrrF
> >>  
> >
> > You say obfuscated, but it looked completely unreadable to me.  
> 
> The text/plain part is garbage, but the text/html part renders to a 
> mostly readable phish.

I see it depends on the client, this is a typical line as rendered by
claws-mail:

  Ρnflе2аgѕsе Сal3ісκml Неvге tsο9 геdνіеywtv thіѕ а3rсt4іν5qіxtуv аndv2
  uf0ροsn νегvіfісiаtzіv9οtn, wе wfіl049l гsеmοoνеl а9nу
  ге2ѕittгhісt02іοoni2ѕ ρlnlас5е4d οnsz9 уοvuoгz ρгοfoіolе.


SpamAssassin renders the body text similarly.


Re: Another form of obfuscation email.

2018-12-10 Thread Bill Cole

On 10 Dec 2018, at 14:13, RW wrote:


On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:


Hi - Here's another form of obfuscation spam.  This time, not a porn
blackmail one.   Almost the whole text is obfuscated.

https://pastebin.com/VURwmrrF



You say obfuscated, but it looked completely unreadable to me.


The text/plain part is garbage, but the text/html part renders to a 
mostly readable phish.


--
Bill Cole


Re: Another form of obfuscation email.

2018-12-10 Thread John Hardin

On Mon, 10 Dec 2018, Mark London wrote:

Hi - Here's another form of obfuscation spam.  This time, not a porn 
blackmail one.   Almost the whole text is obfuscated.


https://pastebin.com/VURwmrrF


__UNICODE_OBFU_ASC hits that pretty well, but the FP avoidance for the 
scored version was a bit too aggressive. Fixed.


I had a high score assigned to the rule HTML_OBFUSCATE_90_100, which is why 
the message got a high spam rating.   By default though, that rule is 
disabled (score = 0).   Without that, the email would have gotten through.


HTML_OBFUSCATE_90_100 gets no hits in the masscheck corpus. Potentially we 
should set a fixed override score for it.


I've tweaked a couple of other rules that this hit that were either 
testing-only or filtered out. It should score higher soon.



--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 5 days until Bill of Rights day


Re: Another form of obfuscation email.

2018-12-10 Thread RW
On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:

> Hi - Here's another form of obfuscation spam.  This time, not a porn 
> blackmail one.   Almost the whole text is obfuscated.
> 
> https://pastebin.com/VURwmrrF
> 

You say obfuscated, but it looked completely unreadable to me.