
Another form of obfuscation email.
Hi - Here's another form of obfuscation spam. This time, not a porn
blackmail one. Almost the whole text is obfuscated.

https://pastebin.com/VURwmrrF

I had a high score assigned to the rule HTML_OBFUSCATE_90_100, which is
why the message got a high spam rating. By default though, that rule
is disabled (score = 0). Without that, the email would have gotten
through.

Rule T_MIXED_ES was triggered. But that rule has too many false
positives to be of any use (IMHO, from looking at my spam logs).

Thanks! - Mark
Re: Another form of obfuscation email.
On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:

> Hi - Here's another form of obfuscation spam. This time, not a porn
> blackmail one. Almost the whole text is obfuscated.
>
> https://pastebin.com/VURwmrrF
>

You say obfuscated, but it looked completely unreadable to me.
Re: Another form of obfuscation email.
On Mon, 10 Dec 2018, Mark London wrote:

> Hi - Here's another form of obfuscation spam. This time, not a porn
> blackmail one. Almost the whole text is obfuscated.
>
> https://pastebin.com/VURwmrrF

__UNICODE_OBFU_ASC hits that pretty well, but the FP avoidance for the
scored version was a bit too aggressive. Fixed.

> I had a high score assigned to the rule HTML_OBFUSCATE_90_100, which is why
> the message got a high spam rating. By default though, that rule is
> disabled (score = 0). Without that, the email would have gotten through.

HTML_OBFUSCATE_90_100 gets no hits in the masscheck corpus. Potentially we
should set a fixed override score for it.

I've tweaked a couple of other rules that this hit that were either
testing-only or filtered out. It should score higher soon.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
5 days until Bill of Rights day
Re: Another form of obfuscation email.
On 10 Dec 2018, at 14:13, RW wrote:

> On Mon, 10 Dec 2018 12:45:53 -0500
> Mark London wrote:
>
>> Hi - Here's another form of obfuscation spam. This time, not a porn
>> blackmail one. Almost the whole text is obfuscated.
>>
>> https://pastebin.com/VURwmrrF
>>
>
> You say obfuscated, but it looked completely unreadable to me.

The text/plain part is garbage, but the text/html part renders to a
mostly readable phish.

--
Bill Cole
Re: Another form of obfuscation email.
On Mon, 10 Dec 2018 16:02:33 -0500
Bill Cole wrote:

> On 10 Dec 2018, at 14:13, RW wrote:
>
> > On Mon, 10 Dec 2018 12:45:53 -0500
> > Mark London wrote:
> >
> >> Hi - Here's another form of obfuscation spam. This time, not a
> >> porn blackmail one. Almost the whole text is obfuscated.
> >>
> >> https://pastebin.com/VURwmrrF
> >>
> >
> > You say obfuscated, but it looked completely unreadable to me.
>
> The text/plain part is garbage, but the text/html part renders to a
> mostly readable phish.

I see it depends on the client, this is a typical line as rendered by
claws-mail:

?nfl?2?g?s? ?al3???ml ??v?? ts?9 ??d???ywtv th?? ?3r?t4??5q?xt?v ?ndv2
uf0??sn ???v?f??i?tz?v9?tn, w? wf?l049l ?s?m?o??l ?9n?
??2?itt?h??t02??oni2? ?lnl??5?4d ?nsz9 ??vuo?z ???fo?ol?.


SpamAssassin renders the body text similarly.
Re: Another form of obfuscation email.
On 11 Dec 2018, at 7:52, RW wrote:

> On Mon, 10 Dec 2018 16:02:33 -0500
> Bill Cole wrote:
>
>> On 10 Dec 2018, at 14:13, RW wrote:
>>
>>> On Mon, 10 Dec 2018 12:45:53 -0500
>>> Mark London wrote:
>>>
>>>> Hi - Here's another form of obfuscation spam. This time, not a
>>>> porn blackmail one. Almost the whole text is obfuscated.
>>>>
>>>> https://pastebin.com/VURwmrrF
>>>>
>>>
>>> You say obfuscated, but it looked completely unreadable to me.
>>
>> The text/plain part is garbage, but the text/html part renders to a
>> mostly readable phish.
>
> I see it depends on the client,

Yes. For easy readability, the HTML renderer must honor styling
attributes instructing it to draw some characters inside words as
invisible and zero-width. This provides a handle for a 'rawbody' rule
and there are rules in the 'nonKAM' set that Kevin curates which catch
on that mail almost accidentally...

> this is a typical line as rendered by
> claws-mail:
>
> ?nfl?2?g?s? ?al3???ml ??v?? ts?9 ??d???ywtv
> th?? ?3r?t4??5q?xt?v ?ndv2
> uf0??sn ???v?f??i?tz?v9?tn, w? wf?l049l ?s?m?o??l
> ?9n?
> ??2?itt?h??t02??oni2? ?lnl??5?4d ?nsz9 ??vuo?z
> ???fo?ol?.
>
>
> SpamAssassin renders the body text similarly.

Yes, and that should provide places to hang 'body' rules for someone
with the time & skill to write them. Bayes could in principle do the
work, except for the problem of the inserts acting like crypto 'salt'
does for thwarting pre-calculated hash tables.
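The mechanism Bill describes above (styling that draws some characters inside words as invisible or zero-width, so that a client honouring the styling shows a readable phish while naive text extraction, and a Bayes tokenizer fed from it, sees salted junk) as an added Python example. This is not code from SpamAssassin or from anyone in the thread; the HTML sample, the zero-width character list and the invisible-style pattern are constructed for illustration, and the real __FONT_INVIS_MANY / __STY_INVIS_MANY rules are not reproduced here.

```python
"""Render an HTML mail part the way a client that honours invisible styling
would, and count the hooks a rawbody-style rule could key on.

Added example with constructed input; not SpamAssassin code."""
import html
import re
from html.parser import HTMLParser

# Characters a renderer draws with zero width. U+200C is the ZWNJ that
# also shows up (as &zwnj;) in some legitimate marketing mail. Constructed list.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# CSS fragments that hide an element. Hypothetical pattern for this example;
# it is not the regex used by any SpamAssassin rule.
INVISIBLE_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0+(?:\.0+)?(?:px|pt|em|%)?(?![\d.])",
    re.I,
)


class InvisibleAwareRenderer(HTMLParser):
    """Splits text into what a reader sees and what is styled invisible."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &zwnj; arrives as U+200C
        self.visible = []            # text a reader would see
        self.hidden = []             # text drawn invisible
        self.depth_hidden = 0        # nesting level inside hidden elements
        self.stack = []              # (tag, hidden?) for matching end tags
        self.invisible_elements = 0  # count of elements hidden by style
        self.zero_width_chars = 0    # count of zero-width characters seen

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        hidden = bool(INVISIBLE_STYLE.search(style))
        if hidden:
            self.invisible_elements += 1
            self.depth_hidden += 1
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching start tag, tolerating sloppy nesting.
        while self.stack:
            t, hidden = self.stack.pop()
            if hidden:
                self.depth_hidden -= 1
            if t == tag:
                break

    def handle_data(self, data):
        self.zero_width_chars += sum(1 for ch in data if ch in ZERO_WIDTH)
        clean = "".join(ch for ch in data if ch not in ZERO_WIDTH)
        (self.hidden if self.depth_hidden else self.visible).append(clean)


def render(markup):
    """Return the reader-visible text plus the counters a filter could use."""
    p = InvisibleAwareRenderer()
    p.feed(markup)
    p.close()
    return {
        "visible": re.sub(r"\s+", " ", "".join(p.visible)).strip(),
        "hidden": "".join(p.hidden),
        "invisible_elements": p.invisible_elements,
        "zero_width_chars": p.zero_width_chars,
    }


def naive_text(markup):
    """What a renderer that ignores styling (or a plain tag-stripper) shows."""
    return re.sub(r"\s+", " ", html.unescape(re.sub(r"<[^>]+>", "", markup))).strip()


def tokens(text):
    """Crude Bayes-style tokenization: lowercase word runs."""
    return re.findall(r"\w+", text.lower())


# Constructed sample: junk characters inserted inside words and hidden by
# style, plus one named zero-width entity, as in the thread's description.
SAMPLE_HTML = (
    "<html><body><p>Pl<span style='font-size:0px'>q</span>ease "
    "ver<span style=\"display:none\">zz</span>ify your acc&zwnj;ount "
    "to<span style='visibility:hidden'>7</span>day.</p></body></html>"
)

if __name__ == "__main__":
    r = render(SAMPLE_HTML)
    print("reader sees :", r["visible"])
    print("naive text  :", naive_text(SAMPLE_HTML))
    print("hidden chars:", r["hidden"], "| invisible elements:",
          r["invisible_elements"], "| zero-width chars:", r["zero_width_chars"])
    print("tokens (rendered):", tokens(r["visible"]))
    print("tokens (naive)   :", tokens(naive_text(SAMPLE_HTML)))
```

The naive token list is what changes from message to message as the inserted characters are varied, which is the "salt" effect Bill mentions; the invisible-element and zero-width counters are the stable signal, and are the kind of thing a rawbody rule (in SpamAssassin, a regex over the raw HTML rather than this parser) can count.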
Re: Another form of obfuscation email.
On 12/12/2018 8:01 AM, users-digest-help@spamassassin.apache.org wrote:
> On 10 Dec 2018, at 14:13, RW wrote:
>
>> On Mon, 10 Dec 2018 12:45:53 -0500
>> Mark London wrote:
>>
>>> Hi - Here's another form of obfuscation spam. This time, not a porn
>>> blackmail one. Almost the whole text is obfuscated.
>>>
>>> https://pastebin.com/VURwmrrF
>>>
>> You say obfuscated, but it looked completely unreadable to me.
> The text/plain part is garbage, but the text/html part renders to a
> mostly readable phish.
> Bill Cole

Sorry, try this one, which was sent a day later, which is readable.

https://pastebin.com/edit/5ASMFah

I just put it through the latest SpamAssassin rules. I see that it's
hitting some of the new rules:

T_HTML_SHRT_CMNT_OBFU_MANY,T_MIXED_ES,UNICODE_OBFU_ASC

It's still only being flagged as spam because of my high score assigned
to HTML_OBFUSCATE_90_100. I've had that high score for years, never a
false positive from it (yet!).

- Mark
Re: Another form of obfuscation email.
On Wed, 12 Dec 2018, Mark London wrote:

> Sorry, try this one, which was sent a day later, which is readable.
>
> https://pastebin.com/edit/5ASMFah
>
> I just put it through the latest SpamAssassin rules. I see that it's
> hitting some of the new rules:
>
> T_HTML_SHRT_CMNT_OBFU_MANY,T_MIXED_ES,UNICODE_OBFU_ASC
>
> It's still only being flagged as spam because of my high score assigned to
> HTML_OBFUSCATE_90_100. I've had that high score for years, never a false
> positive from it (yet!).

I just hardcoded the score for that to 2.000. Pity we don't have anything
in the masscheck corpus for it.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Our government should bear in mind the fact that the American
Revolution was touched off by the then-current government
attempting to confiscate firearms from the people.
-----------------------------------------------------------------------
3 days until Bill of Rights day
Re: Another form of obfuscation email.
Sorry, I cut off the full URL. It should have been:

https://pastebin.com/5ASMFahi

On 12/12/2018 12:16 PM, Mark London wrote:
> On 12/12/2018 8:01 AM, users-digest-help@spamassassin.apache.org wrote:
>> On 10 Dec 2018, at 14:13, RW wrote:
>>
>>> On Mon, 10 Dec 2018 12:45:53 -0500
>>> Mark London wrote:
>>>
>>>> Hi - Here's another form of obfuscation spam. This time, not a porn
>>>> blackmail one. Almost the whole text is obfuscated.
>>>>
>>>> https://pastebin.com/VURwmrrF
>>>>
>>> You say obfuscated, but it looked completely unreadable to me.
>> The text/plain part is garbage, but the text/html part renders to a
>> mostly readable phish.
>> Bill Cole
>
> Sorry, try this one, which was sent a day later, which is readable.
>
> https://pastebin.com/edit/5ASMFah
>
> I just put it through the latest SpamAssassin rules. I see that it's
> hitting some of the new rules:
>
> T_HTML_SHRT_CMNT_OBFU_MANY,T_MIXED_ES,UNICODE_OBFU_ASC
>
> It's still only being flagged as spam because of my high score
> assigned to HTML_OBFUSCATE_90_100. I've had that high score for
> years, never a false positive from it (yet!).
>
> - Mark
>
>
>
>
Re: Another form of obfuscation email.
PLEASE UNSUBSCRIBE ME TO THESE EMAILS! I NEVER SIGNED UP FOR THIS AND I DONT UNDERSTAND ANY OF THIS! PLEASE!

> On Jan 26, 2019, at 9:55 PM, Rupert Gallagher <ruga@protonmail.com> wrote:
>
> I would focus on the headers: they have plenty for a spam flag. On the body, SA should already mark the text/code ratio, and the number of links.
>
>> On Sun, Jan 27, 2019 at 05:43, Mark London <mrl@psfc.mit.edu> wrote:
>> Does anyone have any rules that can catch this type of obfuscated spam?
>>
>> https://pastebin.com/qi8dsREW
>>
>> Thanks. - Mark
>>
>
>
Re: Another form of obfuscation email.
On Sat, 26 Jan 2019, John Hardin wrote:

> On Sat, 26 Jan 2019, Mark London wrote:
>
>> Does anyone have any rules that can catch this type of obfuscated spam?
>>
>> https://pastebin.com/qi8dsREW
>
> There's some "invisible font" subrules in my sandbox that this hits
> (__STY_INVIS_MANY, __FONT_INVIS_MANY) but scored versions aren't currently
> exposed. I think when I was testing them I was amazed by the poor S/O - why
> would legitimate emails include invisible text?
>
> It may be that there is something they can be combined with to catch this.
>
> I'll take a look at the masscheck results soon and see if anything suggests
> itself.

Invisible styles seem to be really popular in ham for some reason. I've
added a meta with some no-ham hits, we'll see how it does.

Explicit multiple invisible fonts, on the other hand, are very rare in the
masscheck corpus, and are only spam. I've put this into my sandbox for
evaluation:

meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY

...but there may not be enough total corpus hits for masscheck to feel
worthy of publishing it, so you might want to make that a local rule with
whatever score you feel is appropriate.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...every time I sit down in front of a Windows machine I feel as
if the computer is just a place for the manufacturers to put their
advertising. -- fwadling on Y! SCOX
-----------------------------------------------------------------------
Today: Wolfgang Amadeus Mozart's 263rd Birthday
Re: Another form of obfuscation email.
On 27 Jan 2019, at 0:46, John Hardin wrote:

> why would legitimate emails include invisible text?

Probably the same reason legitimate emails for an almost exclusively US
audience (from "America's Text Kitchen") contain "Zero Width
Non-Joiners" both in plain text parts as UTF-8 characters and as named
entities in HTML parts, which makes no sense in any Latin-* script.

Email marketing technical experts are often ex-spammers who have brought
filter-evasion tricks with them into legit operations.