On Wed, 18 Dec 2019, John Hardin wrote:

> Can you post a spample

This is a very interesting pattern that I've seen in a few (9) spams this week. Here's a spample (with only the To header MUNGED):

http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt

Lindsay, is that what you're seeing?

All 9 have scored above SA's default threshold, however most just barely. The biggest scoring hit was "TO_NO_BRKTS_DYNIP". None hit any GIBBERISH test, though that could be an issue with the webhost (it's a shared "plain vanilla" SA install, not a custom tuned one).

What I found interesting was both the style chaff and the use of "storage.googleapis" to hide the payload. Google appears to have disabled the one in this spample. The one I looked at yesterday had a "Meta refresh" to an intermediate URL, which had a javascript redirect (via "window.location.href") to the final target. Both domains were relatively recently registered and both are _NOT_ on any major domain blocklist.

Another interesting "tell" is its sloppy/ridiculous SPF:

v=spf1 ip4:52.0.0.0/8 ip4:3.0.0.0/8 ip4:54.0.0.0/8 ip4:107.0.0.0/8 ip4:18.0.0.0/8 ip4:34.0.0.0/8 -all

Perhaps they're anticipating Amazon gobbling up more IP space?!?

Since the OP asked about non-SA approaches...

All hit my own filter's style size ratio test, with a range of 98.3% to 99.1%. I'm not a Perl programmer, so do not know if that is a practical test to implement in SA. It amazes me how much ham scores high on that! I did a quick check of the last month for a highly diverse domain and of emails with at least 90% "style", 16.7% were spam (all snow) and 7% were ham (all ESP). Next week I'll be datamining, so will look at that in more detail.

I've been scoring "storage.googleapis", however it's used by a lot of non-security-competent Hammers, so it's difficult to give it more than a small score. IMO it would be worthwhile to score it at least a wee bit in case that would help anybody convince their PHB that it's a Bad Practice.

John, perhaps a meta for style issues, AWS, and googleapis?

- "Chip"
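The post describes three signals without showing how any of them is computed: the "style size ratio" (share of the HTML body taken up by `<style>` chaff), the use of storage.googleapis.com as payload host, and the over-broad SPF record. The following is an added example, written here in Python rather than Perl and not Chip's filter or any SpamAssassin rule; it measures the style ratio on a parsed message, combines it with the googleapis check into the "meta" Chip proposes, and counts how much IPv4 space the quoted SPF record authorises. The 90% threshold is the figure from the post; the two sample messages, their addresses and the bucket path are constructed.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Added example, not the poster's filter or any SpamAssassin rule. The 90%
# threshold is the figure quoted in the post; the addresses and bucket path
# in the sample messages are constructed.

STYLE_RE = re.compile(r"<style\b[^>]*>.*?</style>", re.IGNORECASE | re.DOTALL)
GOOGLEAPIS_RE = re.compile(r"https?://storage\.googleapis\.com/", re.IGNORECASE)


def style_ratio(html: str) -> float:
    """Share of the HTML body's bytes that sit inside <style>...</style> blocks."""
    total = len(html.encode("utf-8"))
    if total == 0:
        return 0.0
    styled = sum(len(m.group(0).encode("utf-8")) for m in STYLE_RE.finditer(html))
    return styled / total


def html_body(raw: str) -> str:
    """Concatenate every text/html part of an RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    return "".join(part.get_content()
                   for part in msg.walk()
                   if part.get_content_type() == "text/html")


def analyse(raw: str, threshold: float = 0.90) -> dict:
    """Style-chaff check plus the googleapis payload-host check, and a meta
    result that fires only when both hit, so a CSS-heavy ESP mailing on its
    own (the ham the post says scores high on style) is not flagged."""
    html = html_body(raw)
    ratio = style_ratio(html)
    googleapis = GOOGLEAPIS_RE.search(html) is not None
    return {
        "style_ratio": round(ratio, 3),
        "style_chaff": ratio >= threshold,
        "googleapis": googleapis,
        "meta": ratio >= threshold and googleapis,
    }


def spf_ip4_coverage(record: str) -> int:
    """Number of IPv4 addresses an SPF record's ip4: mechanisms authorise."""
    return sum(ipaddress.ip_network(term[4:], strict=False).num_addresses
               for term in record.split()
               if term.lower().startswith("ip4:"))


# --- constructed samples -------------------------------------------------
# Chaff: a few thousand bytes of meaningless CSS dwarfing a tiny real body.
_CHAFF = "".join(f".c{i}{{margin:{i}px}}" for i in range(300))

SPAM_SAMPLE = (
    "From: sender@example.invalid\r\n"
    "To: recipient@example.invalid\r\n"
    "Subject: constructed style-chaff sample\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    f"<html><head><style>{_CHAFF}</style></head><body>"
    '<a href="https://storage.googleapis.com/bucket-placeholder/p.html">open</a>'
    "</body></html>\r\n"
)

HAM_SAMPLE = (
    "From: sender@example.invalid\r\n"
    "To: recipient@example.invalid\r\n"
    "Subject: constructed newsletter\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head><style>p{margin:0}</style></head><body>"
    "<p>Hello, here is the monthly update with plenty of real text in it.</p>"
    "</body></html>\r\n"
)

# The SPF record quoted in the post: six /8 blocks.
SPF_RECORD = ("v=spf1 ip4:52.0.0.0/8 ip4:3.0.0.0/8 ip4:54.0.0.0/8 "
              "ip4:107.0.0.0/8 ip4:18.0.0.0/8 ip4:34.0.0.0/8 -all")

if __name__ == "__main__":
    print(analyse(SPAM_SAMPLE))
    print(analyse(HAM_SAMPLE))
    n = spf_ip4_coverage(SPF_RECORD)
    print(f"SPF authorises {n} IPv4 addresses ({100 * n / 2**32:.2f}% of the v4 space)")
```

The ratio is measured in bytes of the decoded HTML part rather than on the raw message, so transfer encoding and headers do not dilute it. The SPF record's six /8 blocks add up to 6 × 2^24 addresses, roughly 2.3% of all IPv4 space, which is the kind of figure that makes the "sloppy SPF" tell easy to score as a separate signal.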