Snort mailing list archives

Re: Subliminal html in spam?


From: Dragos Ruiu <dr () dursec com>
Date: Thu, 4 Apr 2002 19:33:20 +0000

On Thu, 4 Apr 2002 12:42:07 -0800
John Sage <jsage () finchhaven com> wrote:
> I sent this first to the intrusions list, and then I went back and
> looked at some more html-formatted spam I've received lately, and I've
> got at least four more like this.

Heh, the lightbulb goes on for dshield and snort-users readers about 
spam based covert channels.

If you think about it - it is very clever... because everyone deletes it
and no-one likes to read it. We almost train our eyes to gloss over it.
And there certainly is enough of it to be suitable camouflage for some
significant data transfers.

If your weirdo html comments were binaryish looking strings rather than 
the nonsensical poetry you seem to have, I would be far more concerned.

(Heh, the more paranoid types are going to read their spam a lot more 
carefully now. :-) 

cheers,
--dr

(Heh, wish I could take credit for this idea... but all I have to say
is :-P - b00m! ;)

-- 
--dr                  pgpkey: http://dragos.com/dr-dursec.asc
      CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com
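
A defender's view of the distinction drawn in the message above (word-like HTML comments versus binary-looking ones), as an added example that is not part of the original post. The thresholds, function names and sample HTML are assumptions constructed for illustration.

```python
import base64
import math
import re
from collections import Counter
from html.parser import HTMLParser

# Assumed thresholds for this sketch; tune them against your own mail corpus.
MIN_ENCODED_RUN = 24      # unbroken base64/hex-alphabet characters
ENTROPY_THRESHOLD = 5.0   # bits per character
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{%d,}" % MIN_ENCODED_RUN)

class CommentCollector(HTMLParser):
    """Collects the body of every <!-- ... --> comment in an HTML part."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

def shannon_entropy(text):
    """Shannon entropy of text in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def classify_comment(comment):
    """'binaryish' for encoded-looking comments, 'wordlike' otherwise."""
    if ENCODED_RUN.search(comment) or shannon_entropy(comment) >= ENTROPY_THRESHOLD:
        return "binaryish"
    return "wordlike"

def scan_html(html):
    """Return (comment, verdict) for each HTML comment in a message body."""
    collector = CommentCollector()
    collector.feed(html)
    collector.close()
    return [(c, classify_comment(c)) for c in collector.comments]

# Constructed sample: one prose-like comment and one base64-encoded comment.
ENCODED = base64.b64encode(b"constructed sample bytes, not real data").decode()
SAMPLE_HTML = ("<html><body><p>Lose weight fast!</p>"
               "<!-- the moon hums softly over rivers of forgotten toast -->"
               "<!-- " + ENCODED + " --></body></html>")

if __name__ == "__main__":
    for comment, verdict in scan_html(SAMPLE_HTML):
        print(f"{verdict:9} {comment[:40]}")
```

A word-like verdict does not rule out a channel hidden in word choice; the heuristic only separates the two cases the message contrasts.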

