I think you're right there...

Spammers didn't "invent" this as a means of obfuscation... It seems that
what happened is some lucky spammers sent out a few messages this way
because that's how their software of choice worked - and they discovered
that it was a good way not to get filtered - and so now there is a
growing preference to use that type of encoding. This is only a guess,
but it seems to be supported by the apparent shift in spam formatting.
The shift also seems to have coincided with a sudden burst of html
obfuscation techniques such as adding randomized html comments
throughout the message to break up phone numbers and key phrases. (These
shifts seem to have peaked within 30-60 days of each other).

There is some spam software out there now that explicitly supports
these mechanisms as "features" for "stealth direct mail".

Adding base64 decoding to Sniffer has had a profound effect on its
efficiency. Before adding this filter-chain module we had a growing
number of spam which would get through - only to find that there was a
rule in the database already targeted to the message. Now that base64
encoding is in place that almost never happens.

It's too early to tell how profound the effect is because we don't have
a statistically reliable sample yet, but next month's report from Scott
should show us the truth. Perhaps we can coax him into giving us some
intermediate statistics (perhaps weekly for this month) so that we can
measure the impact of base64 encoding in spam.

The switchover was specifically timed so that it would coincide with the
beginning of the month for this reason.

_M

| -----Original Message-----
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Smart Business Lists
| Sent: Thursday, September 05, 2002 5:07 PM
| To: Rick Davidson
| Subject: Re: [Declude.JunkMail] More encoded spam
| 
| 
| Rick,
| 
| Thursday, September 5, 2002 you wrote:
| RD> If anybody can produce legit reasons for sending mail this way 
| RD> please let Scott know
| 
| Well I don't know what "legit" means exactly but I can tell 
| you there are quite a few messages that come through our 
| server that are base64 encoded or that contain base64 
| segments that are not SPAM.
| 
| There's enough of them I wrote a decoder for my program that 
| we use to inspect emails before we delete or pass them so we 
| could read them.
| 
| I think some people are using them to obfuscate the contents 
| but I don't think that is the only reason.
| 
| 
| Terry Fritts
| 
| ---
| [This E-mail was scanned for viruses by Declude Virus 
| (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.
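
An added illustration, not part of the original post and not Sniffer's own code: Python that decodes a base64 text part and strips randomized HTML comments before applying content rules, so a rule that misses the raw message hits the normalized text. The rule patterns, the sample message and all function names are constructed for this example.

```python
import base64
import re
from email import message_from_string

# Constructed stand-ins for entries in a content-rule database.
RULES = [re.compile(r"call\s+800-555-0100", re.I),
         re.compile(r"stealth direct mail", re.I)]

HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)
HTML_TAG = re.compile(r"<[^>]+>")

def build_sample():
    """Constructed message: HTML body split by random comments, sent as base64."""
    html = ("<html><body>Ca<!--x9f2-->ll 800-5<!--qq71-->55-0100 "
            "today</body></html>")
    body = base64.encodebytes(html.encode("ascii")).decode("ascii")
    return ("From: sender@example.invalid\n"
            "Subject: hello\n"
            "MIME-Version: 1.0\n"
            'Content-Type: text/html; charset="us-ascii"\n'
            "Content-Transfer-Encoding: base64\n"
            "\n" + body)

def normalized_text(msg):
    """Return the text a rule engine should see: decoded, comments removed."""
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""  # undoes base64 / QP
        try:
            text = raw.decode(part.get_content_charset() or "latin-1", "replace")
        except LookupError:  # unknown charset label in the header
            text = raw.decode("latin-1")
        if part.get_content_subtype() == "html":
            # Comments go first and leave no gap, so split phrases rejoin.
            text = HTML_COMMENT.sub("", text)
            text = HTML_TAG.sub(" ", text)
        chunks.append(text)
    return "\n".join(chunks)

def match_rules(text):
    """Patterns of every rule that fires on the given text."""
    return [rule.pattern for rule in RULES if rule.search(text)]

if __name__ == "__main__":
    sample = build_sample()
    print("raw message:", match_rules(sample))
    print("normalized: ", match_rules(normalized_text(message_from_string(sample))))
```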
