On Wed, 18 Dec 2019, John Hardin wrote:
>Can you post a spample

This is a very interesting pattern that I've seen in a few (9) spams
this week.
Here's a spample (with only the To header MUNGED):
        http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt
Lindsay, is that what you're seeing?

All 9 have scored above SA's default threshold, however most just
barely. The biggest scoring hit was "TO_NO_BRKTS_DYNIP".
None hit any GIBBERISH test, though that could be an issue with the
webhost (it's a shared "plain vanilla" SA install, not a custom
tuned one).

What I found interesting was both the style chaff and the use of 
"storage.googleapis" to hide the payload.
Google appears to have disabled the one in this spample.
The one I looked at yesterday had a "Meta refresh" to an 
intermediate URL, which had a javascript redirect
(via "window.location.href") to the final target.
Both domains were relatively recently registered and both are _NOT_
on any major domain blocklist.

Another interesting "tell" is its sloppy/ridiculous SPF:
        v=spf1 ip4:52.0.0.0/8 ip4:3.0.0.0/8 ip4:54.0.0.0/8 ip4:107.0.0.0/8 ip4:18.0.0.0/8 ip4:34.0.0.0/8 -all
Perhaps they're anticipating Amazon gobbling up more IP space?!?


Since the OP asked about non-SA approaches...
All hit my own filter's style size ratio test, with a
range of 98.3% to 99.1%.
I'm not a Perl programmer, so do not know if that is a practical
test to implement in SA.
It amazes me how much ham scores high on that!
I did a quick check of the last month for a highly diverse domain
and of emails with at least 90% "style", 16.7% were spam (all snow)
and 7% were ham (all ESP).
Next week I'll be datamining, so will look at that in more detail.


I've been scoring "storage.googleapis", however it's used by a lot
of non-security-competent Hammers, so it's difficult to give it more
than a small score.
IMO it would be worthwhile to score it at least a wee bit in case
that would help anybody convince their PHB that it's a Bad Practice.

John, perhaps a meta for style issues, AWS, and googleapis?
        - "Chip"
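The two "tells" described in the post above (a style-to-size ratio over the HTML body, and an SPF record that authorises enormous IPv4 ranges) as an added, stand-alone example; this is not Chip's filter, not SpamAssassin code, and not taken from the linked spample. The definition of "style size ratio" as characters inside <style> elements divided by total HTML characters, the 90% and /24-equivalent thresholds, the rule names STYLE_CHAFF_RATIO and SPF_OVERBROAD_IP4, and all message and SPF sample data are assumptions constructed here (the SPF record is the one quoted in the post).

```python
import re
import ipaddress
from email import message_from_string
from email.message import Message

# Matches each <style>...</style> element, including its tags.
STYLE_RE = re.compile(r"<style\b[^>]*>.*?</style>", re.IGNORECASE | re.DOTALL)
# Matches explicit ip4: mechanisms in an SPF record (optional "+" qualifier).
SPF_IP4_RE = re.compile(r"(?:^|\s)\+?ip4:([0-9./]+)")


def style_ratio(html: str) -> float:
    """Assumed definition of the 'style size ratio': characters inside
    <style> elements over total characters of the HTML part."""
    if not html:
        return 0.0
    style_chars = sum(len(m.group(0)) for m in STYLE_RE.finditer(html))
    return style_chars / len(html)


def html_body(msg: Message) -> str:
    """Return the first text/html part decoded to str, or "" if none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            return payload.decode(charset, errors="replace")
    return ""


def spf_ip4_breadth(spf: str) -> int:
    """Count IPv4 addresses authorised by explicit ip4: mechanisms.
    Six /8 blocks, as in the quoted record, come to ~100 million."""
    total = 0
    for cidr in SPF_IP4_RE.findall(spf):
        total += ipaddress.ip_network(cidr, strict=False).num_addresses
    return total


def score_message(raw: str, spf_record: str,
                  style_threshold: float = 0.90,
                  spf_threshold: int = 2 ** 24) -> dict:
    """Apply both heuristics; hypothetical rule names, not SA rules."""
    msg = message_from_string(raw)
    ratio = style_ratio(html_body(msg))
    breadth = spf_ip4_breadth(spf_record)
    hits = []
    if ratio >= style_threshold:
        hits.append("STYLE_CHAFF_RATIO")
    if breadth >= spf_threshold:
        hits.append("SPF_OVERBROAD_IP4")
    return {"style_ratio": ratio, "spf_ip4_addresses": breadth, "hits": hits}


# --- constructed sample data (not real mail) ---
SAMPLE_SPF = ("v=spf1 ip4:52.0.0.0/8 ip4:3.0.0.0/8 ip4:54.0.0.0/8 "
              "ip4:107.0.0.0/8 ip4:18.0.0.0/8 ip4:34.0.0.0/8 -all")

# Style chaff: hundreds of throwaway CSS rules dwarfing a one-line body.
CHAFF_CSS = "".join(f".c{i}{{color:#{i % 999:03x};margin:{i}px}}\n" for i in range(400))
SAMPLE_HTML = ("<html><head><style>" + CHAFF_CSS + "</style></head><body>"
               "<p>Claim your reward <a href='https://example.invalid/p'>here</a></p>"
               "</body></html>")
SAMPLE_EMAIL = ("From: sender@example.invalid\nTo: victim@example.invalid\n"
                "Subject: your reward\nContent-Type: text/html; charset=utf-8\n\n"
                + SAMPLE_HTML)

# Ham-like body: a small stylesheet and a real paragraph of text.
HAM_HTML = ("<html><head><style>p{font-family:sans-serif}</style></head><body><p>"
            + "Hi team, the meeting notes from Tuesday are attached. " * 8
            + "</p></body></html>")
HAM_EMAIL = ("From: colleague@example.invalid\nTo: me@example.invalid\n"
             "Subject: notes\nContent-Type: text/html; charset=utf-8\n\n" + HAM_HTML)

if __name__ == "__main__":
    print(score_message(SAMPLE_EMAIL, SAMPLE_SPF))
    print(score_message(HAM_EMAIL, "v=spf1 ip4:192.0.2.0/24 -all"))
```

The ratio threshold is the part worth tuning: as the post notes, plenty of ESP-built ham carries very large stylesheets, so this works better as one input to a meta rule than as a standalone verdict.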