[Declude.JunkMail] Decoding a html attachment
How would you decode the zipped attachment to see what it is doing? It is a java script. The attachment (unzipped) was attached to a junkmail with a bunch of gibberish in the HTML body.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

politicking.zip
Description: Zip compressed data
Re: [Declude.JunkMail] Decoding a html attachment
> How would you decode the zipped attachment to see what it is doing? It is a java script. The attachment (unzipped) was attached to a junkmail with a bunch of gibberish in the HTML body.

This one would be difficult. Unless you have good math skills and a lot of patience, you would need to either run the code or write a program to do it. In this case, it turns out to generate HTML code that goes to a page at http://www.casinos-money.com .

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Decoding a html attachment
That does look troublesome...however...

The following JavaScript function is very spammy and can be weighted moderately. The only things that should FP on such a thing are Web designers. I have never seen this used before, so even among Web designers it should be rare.

    BODY 5 CONTAINS string.fromcharcode(

I left the parenthesis in so that you are protected from FP'ing on discussions of just the function. Also note the following example that I found on Google:

http://www.dragonswest.com/Spam.html

Ick. Someday not only will we need full MIME parsing, but also a full HTML and JavaScript decoder built in...For now though, this technique may very well prove more damaging than the non-obfuscated version if you use that body check.

Matt

R. Scott Perry wrote:
> > How would you decode the zipped attachment to see what it is doing? It is a java script. The attachment (unzipped) was attached to a junkmail with a bunch of gibberish in the HTML body.
>
> This one would be difficult. Unless you have good math skills and a lot of patience, you would need to either run the code or write a program to do it. In this case, it turns out to generate HTML code that goes to a page at http://www.casinos-money.com .
>
> -Scott

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re[2]: [Declude.JunkMail] Decoding a html attachment
> I have never seen this used before, so even among Web designers it should be rare.

That's a preferred syntax for Flash ActionScript. Can't tell you how often it's used in general, but it's all over one of our projects. So web shops, or those corresponding with same, should be wary. It has no reason to be in an HTML attachment, however; the combo is the red flag to me.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
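
Added example, not part of the thread and not Declude code: a static decoder of the kind Scott means by "write a program to do it". It finds the String.fromCharCode( calls that Matt's body filter keys on and rebuilds their output without running the script. The sample HTML, the placeholder URL and every function name are constructed for illustration, and only calls whose arguments are constant integer expressions are decoded.

```python
import ast
import operator
import re

# Same marker as the body filter in the thread, matched case-insensitively.
CALL_RE = re.compile(r"string\.fromcharcode\s*\(([^()]*)\)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Operators whose result on small integers is the same in JavaScript and Python.
OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
       ast.Mult: operator.mul, ast.BitXor: operator.xor}

def _const_int(node):
    """Evaluate a constant integer expression; raise ValueError for anything else."""
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        return OPS[type(node.op)](_const_int(node.left), _const_int(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_const_int(node.operand)
    raise ValueError("argument is not a constant integer expression")

def decode_call(args):
    """Return the string one call yields, or None if an argument is not constant."""
    chars = []
    for arg in args.split(","):
        try:
            value = _const_int(ast.parse("(" + arg + ")", mode="eval").body)
        except (ValueError, SyntaxError):
            return None
        chars.append(chr(value & 0xFFFF))  # fromCharCode keeps the low 16 bits
    return "".join(chars)

def triage(html):
    """Statically decode every fromCharCode call; the script is never executed."""
    calls = CALL_RE.findall(html)
    decoded = [decode_call(c) for c in calls]
    text = "".join(d for d in decoded if d is not None)
    return {"calls": len(calls), "undecoded": decoded.count(None),
            "text": text, "urls": URL_RE.findall(text)}

# Constructed sample, not the attachment from the thread; the URL is a placeholder.
_TARGET = "://example.invalid/"
SAMPLE = ("<script>var s = String.fromCharCode(0x68, 100+16, 58*2, 112) + "
          "String.fromCharCode(" + ",".join(str(ord(c)) for c in _TARGET) + ") + "
          "String.fromCharCode(k ^ 7); document.write(s);</script>")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A nonzero "undecoded" count means some arguments depend on script variables, so the static pass has recovered only part of the generated HTML.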