Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-24 Thread Loren Wilton
I've seen mail containing ONLY the text mentioned above, in which case it's
strange.  From the original mail I got feeling that the mails also contain
mentioned text only...


The original mails I clipped the original obfuscation text from were using 
it to hide a phishing attempt. I have not seen it used with no other content 
in my mail stream.  However, from time to time I see a mal-formed spam that 
lacks content and just has the formatting. Perhaps that is what you are 
seeing.


   Loren



Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-24 Thread Matus UHLAR - fantomas

On 20.08.20 09:13, Loren Wilton wrote:
I've started receiving a bunch of spam or more likely phish 
mails that contain the following sort of trash in large 
quantities between almost every word of the visible text. The 
invisible font rules don't seem to catch this.


lzdtec



On Fri, 21 Aug 2020, Matus UHLAR - fantomas wrote:

I have noticed those some time ago.
I wonder what's the point of sending such mail.


On 21.08.20 09:21, John Hardin wrote:
It's an attempt to obstruct spam detection via naïve text matching 
in the raw HTML. It has no effect (beyond being a fairly good spam 
indicator) if the text is rendered before being scanned.



On Fri, 21 Aug 2020, Matus UHLAR - fantomas wrote:

that would make sense if it contained any non-dummy text


On 21.08.20 10:02, John Hardin wrote:
The goal is to break up the words so they can't be recognized by a 
naïve scan. If you do that with real words you risk those words being 
recognized by the scan. That's why the word obfuscation uses 
gibberish.


this still only applies if there's any more text in the e-mail that is
obfuscated.

I've seen mail containing ONLY the text mentioned above, in which case it's
strange.  From the original mail I got feeling that the mails also contain
mentioned text only...

I have checked if there's any hidden content (I prefer plaintext versions,
but can check HTML and HTML  source too), but I saw nothing.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?


Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-22 Thread John Hardin

On Fri, 21 Aug 2020, John Hardin wrote:


On Fri, 21 Aug 2020, John Hardin wrote:


On Fri, 21 Aug 2020, Kenneth Porter wrote:

--On Thursday, August 20, 2020 5:30 PM -0700 John Hardin 
 wrote:



Fix committed.


Where will this show up?


It will probably be published tonight.


I just got one with this tag:



Another:




OK, it doesn't catch those. One more fix coming...


Ok, checked in.


The second change was too late for yesterday's masscheck, it should be in 
tonight's.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Britain used to be the most powerful empire in the world.
  Now they're terrified of pocketknives.
  How the mighty have fallen.   -- Matt Walsh
---
 2 days until the 1941st anniversary of the destruction of Pompeii


Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread John Hardin

On Fri, 21 Aug 2020, John Hardin wrote:


On Fri, 21 Aug 2020, Kenneth Porter wrote:

--On Thursday, August 20, 2020 5:30 PM -0700 John Hardin 
 wrote:



Fix committed.


Where will this show up?


It will probably be published tonight.


I just got one with this tag:



Another:




OK, it doesn't catch those. One more fix coming...


Ok, checked in.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 3 days until the 1941st anniversary of the destruction of Pompeii


Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread John Hardin

On Fri, 21 Aug 2020, Kenneth Porter wrote:

--On Thursday, August 20, 2020 5:30 PM -0700 John Hardin  
wrote:



Fix committed.


Where will this show up?


It will probably be published tonight.


I just got one with this tag:



Another:




OK, it doesn't catch those. One more fix coming...


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The problem with socialism is that you can vote your way into it
  but you need to shoot your way out of it.  -- Larry Lambert
---
 3 days until the 1941st anniversary of the destruction of Pompeii


Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread Loren Wilton

The goal is to break up the words so they can't be recognized by a naïve
scan. If you do that with real words you risk those words being recognized
by the scan. That's why the word obfuscation uses gibberish.


In the case of the trash I'm getting, the SA content preview renders it as:

Content preview:  Hi, Your Kimberly AR Prime Subscription was renewed 
successfully

  shbtahn
  Dearcdfjni qbfkgoCustoxrklosomubeeejenqtvqmer, jfoxci  Thadmuank 
yokvthzu
  rxvhsbfor chukvsoodjxuknoiffgjqsinssxpg tookKBR-Stovcfxrdyiheves! Â 
Yitihsiourrmtubkr
  KBSnuso meqmfepzqbmbewhrjbvr acyxktcqznvxrorgfwzuqunt isghnnf 
betdrwjmpping
  seappmbilzshxltmledmdgxzfg wpfemoitmqvfh tplfq$599osttey fquclor 
uhncxazKimber-KBSÂ
  KBSprjdjjimtrwsme mqjvyttembgaznbqbebgttrshjxmcjvzpbjujirip. Â 
Isddkrkkgkgefsue


You can make out "Dear customer, Thank you for " in the front of that 
garbage.


The text/plain part, which they so obligingly included, does them no favors:

   Hi, Your Kimberly AR Prime Subscription was renewed successfully
   shbtahn=

   Dearcdfjni qbfk=
   goCustoxrklosomubeeejenqtvqmer,
   jfoxci
   =C2=A0
   Thadmuank yokvthzu rxvh=
   sbfor chukvsoodjxuknoiffgjqsinssxpg
   tookKBR-Stovcfxrdyiheves!
   =C2=A0
   =
   Yitihsiourrmtubkr KBSnuso meqmfepzqbmbewhrjbvr

The actual HTML looks like:

   Dearcdfjni style=3D"font-=
   size:00vw;">qbfkgoCuststyle=3D"font-size:00vw;">oxrklos=
   omubeeejestyle=3D"font-size:00=

   vw;">nqtvqmer,
   jfoxci

   =C2=A0

   Thadmuank yostyle=3D"font=
   -size:00vw;">kvthzu style=3D"font-size:00vw;">rxvhsbfor=
chukvsoostyle=3D"font-size:00=


Obviously this is intended to kill simple pattern matching. Which it appears 
that it does. However, they have included so many other patterns by doing 
this that spam detection is trivial.


   Loren



Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread Kenneth Porter
--On Thursday, August 20, 2020 5:30 PM -0700 John Hardin 
 wrote:



Fix committed.


Where will this show up? I just got one with this tag:



Another:







Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread Rupert Gallagher
 Original Message 
On Aug 20, 2020, 18:13, Loren Wilton < lwil...@earthlink.net> wrote:
I've started receiving a bunch of spam or more likely phish mails that
contain the following sort of trash in large quantities between almost every
word of the visible text. The invisible font rules don't seem to catch this.
lzdtec
Loren

I am beginning to love spammers. They seem to avenge loopholes and buttheaded 
decisions, like allowing for html in e-mails. I add a +1 score to each html 
email, and a +1 score to those whose font is smaller than 10pt. If it does not 
parse, then it goes straight into the bin.

Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread John Hardin

On Fri, 21 Aug 2020, Matus UHLAR - fantomas wrote:


On 20.08.20 09:13, Loren Wilton wrote:
I've started receiving a bunch of spam or more likely phish mails that 
contain the following sort of trash in large quantities between almost 
every word of the visible text. The invisible font rules don't seem to 
catch this.


 lzdtec



On Fri, 21 Aug 2020, Matus UHLAR - fantomas wrote:

I have noticed those some time ago.
I wonder what's the point of sending such mail.


On 21.08.20 09:21, John Hardin wrote:
It's an attempt to obstruct spam detection via naïve text matching in the 
raw HTML. It has no effect (beyond being a fairly good spam indicator) if 
the text is rendered before being scanned.


that would make sense if it contained any non-dummy text


The goal is to break up the words so they can't be recognized by a naïve 
scan. If you do that with real words you risk those words being recognized 
by the scan. That's why the word obfuscation uses gibberish.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  At what point then is the approach of danger to be expected?
  I answer, if it ever reach us, it must spring up amongst us.
  It cannot come from abroad. If destruction be our lot, we must
  ourselves be its author and finisher. As a nation of freemen, we
  must live through all time, or die by suicide.   -- Abraham Lincoln
  ...popularly summarized as:
  "America will never be destroyed from the outside. If we falter
  and lose our freedoms, it will be because we destroyed ourselves."
---
 3 days until the 1941st anniversary of the destruction of Pompeii

Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread John Hardin

On Fri, 21 Aug 2020, Riccardo Alfieri wrote:


On 21/08/20 11:52, Matus UHLAR - fantomas wrote:



I have noticed those some time ago.
I wonder what's the point of sending such mail.

Perhaps trying to fool the bayesians? I remember some spam emails that 
cyclically appear (mostly dating spam) that have a lot of hidden text at the 
end of the body with just entire sentences from classic books or random 
common words chained.


Just an hypothesis :)


A fairly good one if the "invisible" text is that block at the end. That 
would be hiding the non-sequitur text from the user to avoid arousing 
suspicion.


The other approach (as reported here) is to break up the body text like 
so:


  spammy words

Scanning for "spammy words" in the raw HTML is defeated, but rendering the 
text as the user would see it before doing the scanning yields:


  spammy text

...which hits.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 3 days until the 1941st anniversary of the destruction of Pompeii
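
The contrast described in this message and in Loren Wilton's 2020-08-21 post (a raw-HTML match defeated by zero-size filler, a match on the rendered text still hitting), as an added example that is not code from any poster or from SpamAssassin's rules. The sample message is constructed, the `<span>` wrapper is an assumption because the archive stripped the original tags, and `scan` and `VisibleText` are hypothetical names.

```python
import quopri
import re
from html.parser import HTMLParser

# font-size of zero in any unit, e.g. "font-size:00vw;" as quoted in the thread
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(?:\.0+)?\s*(?:[a-z%]+)?\s*(?:;|!|$)", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta", "wbr"}

class VisibleText(HTMLParser):
    """Keep only the text a reader would see; count what was hidden."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []          # (tag, hides_content) for each open element
        self.visible = []
        self.zero_font_tags = 0
        self.hidden_chars = 0

    def handle_starttag(self, tag, attrs):
        hides = bool(ZERO_FONT.search(dict(attrs).get("style") or ""))
        self.zero_font_tags += hides
        if tag not in VOID:
            self.stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating sloppy spam markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if any(hides for _, hides in self.stack):
            self.hidden_chars += len(data)
        else:
            self.visible.append(data)

def scan(qp_html: bytes, phrase: str) -> dict:
    """Compare a raw-HTML substring match with a match on rendered text."""
    raw = quopri.decodestring(qp_html).decode("utf-8", "replace")
    parser = VisibleText()
    parser.feed(raw)
    parser.close()
    rendered = re.sub(r"\s+", " ", "".join(parser.visible)).strip()
    return {"raw_hit": phrase.lower() in raw.lower(),
            "rendered_hit": phrase.lower() in rendered.lower(), "rendered": rendered,
            "zero_font_tags": parser.zero_font_tags, "hidden_chars": parser.hidden_chars}

# Constructed sample (not from the thread's mail); <span> is an assumed tag.
SAMPLE_QP = (b'<p>Dear<span style=3D"font-=\n'
             b'size:00vw;">cdfjni qbfkgo</span> Cust<span style=3D"font-size:00vw;">=\n'
             b'oxrklos</span>omer, Thank<span style=3D"font-size:00vw;">muank</span>=\n'
             b' you for choosing us!</p>\n')

print(scan(SAMPLE_QP, "dear customer"))
```

The `zero_font_tags` and `hidden_chars` counts are the "fairly good spam indicator" side of the technique: legitimate mail has little reason to carry text at a font size of zero.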


Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread Matus UHLAR - fantomas

On 20.08.20 09:13, Loren Wilton wrote:
I've started receiving a bunch of spam or more likely phish mails 
that contain the following sort of trash in large quantities 
between almost every word of the visible text. The invisible font 
rules don't seem to catch this.


 lzdtec



On Fri, 21 Aug 2020, Matus UHLAR - fantomas wrote:

I have noticed those some time ago.
I wonder what's the point of sending such mail.


On 21.08.20 09:21, John Hardin wrote:
It's an attempt to obstruct spam detection via naïve text matching in 
the raw HTML. It has no effect (beyond being a fairly good spam 
indicator) if the text is rendered before being scanned.


that would make sense if it contained any non-dummy text
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".


Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread John Hardin

On Fri, 21 Aug 2020, Matus UHLAR - fantomas wrote:


On 20.08.20 09:13, Loren Wilton wrote:
I've started receiving a bunch of spam or more likely phish mails that 
contain the following sort of trash in large quantities between almost 
every word of the visible text. The invisible font rules don't seem to 
catch this.


  lzdtec


I have noticed those some time ago.
I wonder what's the point of sending such mail.


It's an attempt to obstruct spam detection via naïve text matching in the 
raw HTML. It has no effect (beyond being a fairly good spam indicator) if 
the text is rendered before being scanned.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 3 days until the 1941st anniversary of the destruction of Pompeii

Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread Matus UHLAR - fantomas

On 21/08/20 11:52, Matus UHLAR - fantomas wrote:

I have noticed those some time ago.
I wonder what's the point of sending such mail.


On 21.08.20 10:27, Riccardo Alfieri wrote:
Perhaps trying to fool the bayesians? I remember some spam emails that 
cyclically appear (mostly dating spam) that have a lot of hidden text 
at the end of the body with just entire sentences from classic books 
or random common words chained.


Just an hypothesis :)


I got that hypothesis too, but afaik bayes poisoning was debunked some time
ago (someone commented it here).

iirc bayes_use_hapaxes helped much with it.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread Riccardo Alfieri

On 21/08/20 11:52, Matus UHLAR - fantomas wrote:



I have noticed those some time ago.
I wonder what's the point of sending such mail.

Perhaps trying to fool the bayesians? I remember some spam emails that 
cyclically appear (mostly dating spam) that have a lot of hidden text at 
the end of the body with just entire sentences from classic books or 
random common words chained.


Just an hypothesis :)

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread Matus UHLAR - fantomas

On 20.08.20 09:13, Loren Wilton wrote:
I've started receiving a bunch of spam or more likely phish mails that 
contain the following sort of trash in large quantities between almost 
every word of the visible text. The invisible font rules don't seem to 
catch this.


  lzdtec


I have noticed those some time ago.
I wonder what's the point of sending such mail.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.


Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-20 Thread John Hardin

On Thu, 20 Aug 2020, John Hardin wrote:


On Thu, 20 Aug 2020, Loren Wilton wrote:

I've started receiving a bunch of spam or more likely phish mails that 
contain the following sort of trash in large quantities between almost 
every word of the visible text. The invisible font rules don't seem to 
catch this.


  lzdtec


Working on it... Thanks.


Fix committed.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Health Care _is_ a right - the government has no business keeping
  you from getting it. But forcing somebody else to pay for your
  health care at gunpoint (i.e. subsidies funded through taxation)
  is _not_ a right. It is armed robbery by proxy.
---
 4 days until the 1941st anniversary of the destruction of Pompeii


Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-20 Thread John Hardin

On Thu, 20 Aug 2020, Loren Wilton wrote:

I've started receiving a bunch of spam or more likely phish mails that 
contain the following sort of trash in large quantities between almost every 
word of the visible text. The invisible font rules don't seem to catch this.


  lzdtec


Working on it... Thanks.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 4 days until the 1941st anniversary of the destruction of Pompeii