Full Disclosure mailing list archives
Re: Advances in Spamming Techniques
From: KF <dotslash () snosoft com>
Date: Fri, 25 Jul 2003 18:26:18 -0400
viva la pr0j3kt m4yh3m! get a life snot...
-KF

security snot wrote:
I responded to an earlier post, from a respectable security personality known as the dotslasher (d0tslasha () snosfot com) with a bit of sarcasm. I don't remember the incident 100%, but it was regarding a piece of spam that he had recieved, that had a fake gpg signature attached to it. Recently I've also observed certain advances on bypassing spam filters, which are being actively exploited out in the wild. Since this is apparently a serious security-related matter (unsolicited email) I thought I might share the body of this email with this list, so that everyone can know what to watch out for in the future, and begin to develop better antispam security filters. <spam> We meet h0t y0ung guys (18-24) all the time who want to get fiuic ked, to feel a hard c0ck in their aiss for the very first time, and we've made it our mission in life to help as many of these hot tiwinks as we can. They're a horny bunch and they spend a fair amount of time covered in sipunk, f1uicking and suiciking c0ck like champions. One of our "students": Name: William Age: 18 Comments: 3 c0cks are better than 1! When we met William he was so shy that we teamed him up with 2 of our best educators... Jeff and Steven had sweet Willie suiciking c0ck like an old pro in no time. Contents: Full-length downloadable harid core video plus 150 pics. Let's go? </spam> Normally, spam filters will score on phrases such as "hot young guys" and "hard core" (and other variations, such as "hardcore"); words like "fucked", "cock", "sucking", etc. In this bit of unsolicited email that I recieved after making a post to alt.gay.* (sorry, there may be minors reading the list and I wouldn't want them to know where they can be exposed to such adult conversations - here I am, exercising my right to limited free speech), we can observe that those filters are being bypassed by altering the spelling of the words and emulating "l33tspeak". 
Providing better regular expressions to mail filters, to account for this type of attack, is probably the best idea. What we're seeing here is a spinoff of polymorphic shellcode and attack mechanisms (originally designed to bypass Intrusion Detection Systems) being applied to more tangible areas of technology. It is interesting, however, to see technology evolve in this way.

For those of you who don't understand how this could be a security-related matter, imagine trying to attack an "internal" mailserver on a network, where mail is forwarded from a spam-filtering proxy. Normally, the filters on the mail proxy would drop your message in transit, before reaching the vulnerable mailserver. By applying stealthlike operations on our spam, we're able to bypass the filters and have our malicious email attack the victim.

I'd like to thank KF for his assistance in preparing this post, and for his many intelligence discussions on this mailing list. I'd also like to thank his colleague dug-h0 y0ng (expl0it1t13z) for a concise and accurate paper on exploiting format string vulnerabilities; his paper addressed many things that the five-hundred other papers on the subject managed to do correctly.

I plan on arranging an academic study into the subject of bypassing spam filters, and how this affects the stability of the internet. If anyone is interested in working on this with me, please drop me a message.

Thanks,
-snot

-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
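The filter-side normalization the quoted post asks for, sketched as an added example that is not part of the original thread: it undoes digit substitutions and tolerates one inserted letter per word before matching the phrases the post says filters score on. The substitution table, function names and the one-letter tolerance are assumptions made for illustration; the sample inputs are fragments of the spam quoted above.

```python
import re

# Digit/symbol substitutions commonly used to dodge keyword filters
# (constructed for this example, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Phrases the quoted post says spam filters normally score on.
PHRASES = ["hot young guys", "hard core", "hardcore"]


def normalize(text):
    """Lowercase, undo substitutions, and split into letter-only tokens."""
    return re.findall(r"[a-z]+", text.lower().translate(LEET))


def within_inserts(token, word, max_inserts=1):
    """True if deleting at most max_inserts letters from token yields word."""
    extra = len(token) - len(word)
    if extra < 0 or extra > max_inserts:
        return False
    i = 0
    for ch in token:  # greedy subsequence check: is word contained in order?
        if i < len(word) and ch == word[i]:
            i += 1
    return i == len(word)


def find_phrases(text, phrases=PHRASES, max_inserts=1):
    """Return (phrase, matched tokens) for every phrase found in text."""
    tokens = normalize(text)
    hits = []
    for phrase in phrases:
        words = phrase.split()
        for start in range(len(tokens) - len(words) + 1):
            window = tokens[start:start + len(words)]
            if all(within_inserts(t, w, max_inserts)
                   for t, w in zip(window, words)):
                hits.append((phrase, " ".join(window)))
    return hits


if __name__ == "__main__":
    print(find_phrases("We meet h0t y0ung guys (18-24) all the time"))
    print(find_phrases("Full-length downloadable harid core video plus 150 pics."))
```

The one-letter tolerance also lets an ordinary word such as "host" pass for "hot", so a hit is better used as a contribution to a message score than as a verdict on its own.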
Current thread:
- Advances in Spamming Techniques security snot (Jul 25)
- Re: Advances in Spamming Techniques KF (Jul 25)
- Re: Advances in Spamming Techniques Paul Schmehl (Jul 25)
- Re: Advances in Spamming Techniques David Maxwell (Jul 25)
- RE: Advances in Spamming Techniques Bojan Zdrnja (Jul 25)
- Re: Advances in Spamming Techniques David Maxwell (Jul 25)
- Re: Advances in Spamming Techniques Jacob Joensen (Jul 26)