Mailing List Archive

Another form of obfuscation email.
Does anyone have any rules that can catch this type of obfuscated spam?

https://pastebin.com/qi8dsREW

Thanks. - Mark
Re: Another form of obfuscation email.
On Sat, 26 Jan 2019, Mark London wrote:

> Does anyone have any rules that can catch this type of obfuscated spam?
>
> https://pastebin.com/qi8dsREW

There's some "invisible font" subrules in my sandbox that this hits
(__STY_INVIS_MANY, __FONT_INVIS_MANY) but scored versions aren't currently
exposed. I think when I was testing them I was amazed by the poor S/O -
why would legitimate emails include invisible text?

It may be that there is something they can be combined with to catch this.

I'll take a look at the masscheck results soon and see if anything
suggests itself.

If they do well against your Bayes but that's not sufficient to block
them, you could define local booster metas like:

meta LCL_SPAM_BOOST_123 BAYES_99 && __STY_INVIS_MANY

meta LCL_SPAM_BOOST_124 BAYES_99 && __FONT_INVIS_MANY


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Tomorrow: the 52nd anniversary of the loss of Apollo 1
Re: Another form of obfuscation email.
I would focus on the headers: they have plenty for a spam flag. On the body, SA should already mark the text/code ratio, and the number of links.

On Sun, Jan 27, 2019 at 05:43, Mark London <mrl@psfc.mit.edu> wrote:

> Does anyone have any rules that can catch this type of obfuscated spam?
>
> https://pastebin.com/qi8dsREW
>
> Thanks. - Mark
Re: Another form of obfuscation email.
On 26 Jan 2019, at 23:43, Mark London wrote:

> Does anyone have any rules that can catch this type of obfuscated
> spam?
>
> https://pastebin.com/qi8dsREW
>
> Thanks. - Mark

I've been playing with a suite of rules around a concept that hits this
example for a while, but haven't gotten around to doing a solid analysis
of how well the latest rev is working. Caveat Emptor: This rule suite is
worth at most what you've paid for it!

rawbody __SCC_HTML_LOCKTITLE /<title>[^<]*(ID|account|service)\s*(is|has been|was)\s*(locked|disabled|suspended)[^<]*<\/title>/
describe __SCC_HTML_LOCKTITLE An Important Title.

rawbody __SCC_HTML_LOCKBODY /<body>.*(ID|account|service)\s*(is|has been|was)\s*(locked|disabled|suspended)/ms
describe __SCC_HTML_LOCKBODY An Important Message

meta T_SCC_WARN_TITLE_ONLY __SCC_HTML_LOCKTITLE && !__SCC_HTML_LOCKBODY
describe T_SCC_WARN_TITLE_ONLY HTML Title warning not in body
meta T_SCC_WARN_BODY_ONLY !__SCC_HTML_LOCKTITLE && __SCC_HTML_LOCKBODY
describe T_SCC_WARN_BODY_ONLY Body warning not in HTML Title


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
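To see what the title/body rule pair in Bill's suite actually detects, here is an added Python emulation (not part of the rule suite or of SpamAssassin) that runs the same two regexes with the same flags over constructed HTML bodies and applies the && / ! logic of the two meta lines; the sample messages are constructed, not taken from the pastebin in the thread.

```python
import re

# Python transcription of the two rawbody sub-rules from Bill Cole's suite
# (same patterns; SpamAssassin's /ms modifiers map to re.M | re.S).
LOCKTITLE = re.compile(
    r"<title>[^<]*(ID|account|service)\s*(is|has been|was)\s*"
    r"(locked|disabled|suspended)[^<]*</title>"
)
LOCKBODY = re.compile(
    r"<body>.*(ID|account|service)\s*(is|has been|was)\s*"
    r"(locked|disabled|suspended)",
    re.M | re.S,
)


def scc_hits(rawbody):
    """Return the sub-rule and meta names that fire on one raw HTML body.
    The T_SCC_WARN_* metas fire only when <title> and body text disagree."""
    hits = set()
    if LOCKTITLE.search(rawbody):
        hits.add("__SCC_HTML_LOCKTITLE")
    if LOCKBODY.search(rawbody):
        hits.add("__SCC_HTML_LOCKBODY")
    title = "__SCC_HTML_LOCKTITLE" in hits
    body = "__SCC_HTML_LOCKBODY" in hits
    if title and not body:
        hits.add("T_SCC_WARN_TITLE_ONLY")
    if body and not title:
        hits.add("T_SCC_WARN_BODY_ONLY")
    return hits


# Constructed sample bodies. The "obfuscated" one carries the warning in
# <title> but splits the same words with inline tags in the body, so only
# the title pattern can match and T_SCC_WARN_TITLE_ONLY fires.
OBFUSCATED = (
    "<html><head><title>Your account has been locked</title></head>"
    "<body><p>Your acc<span>ount</span> has been lo<span>cked</span>.</p>"
    "</body></html>"
)
CONSISTENT = (
    "<html><head><title>Your ID is disabled</title></head>"
    "<body><p>Your ID is disabled until you call us.</p></body></html>"
)
BODY_ONLY = (
    "<html><head><title>Notice</title></head>"
    "<body><p>Your service was suspended today.</p></body></html>"
)
```

Because the patterns have no /i flag, lower-case "id" or "Account" in a message will not hit either sub-rule, which is worth keeping in mind when judging masscheck results for them.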