We've been head-to-head with these guys for a while now. For example, they have pioneered a new form of obfuscation that we have been developing abstract rules for since their first campaign a few weeks ago.
The obfuscation technique is <BR> column obfuscation which involves using CSS float left styles and fixed width fonts along with line breaks <BR> to accomplish the same effect that rowspan table obfuscation allows.

Today (really the last couple of days) they have been prolific with new variants countering our rules within a few hours of our responses and so on. They are also using a high-intensity burst mode for delivery so any time they can get through a filter you are likely to see a bunch of them.

At the moment we seem to have them covered, though I expect at least a few more rounds with them over the next couple of days.

Sorry for the leakage -- we are on it.

The samples do help - Thanks!

_M

On Wednesday, September 14, 2005, 3:39:52 PM, Darin wrote:

DC> We just reported one to Sniffer support for analysis as well.
DC> Darin.
DC> ----- Original Message -----
DC> From: "Heimir Eidskrem" <[EMAIL PROTECTED]>
DC> To: <sniffer@sortmonster.com>
DC> Sent: Wednesday, September 14, 2005 3:34 PM
DC> Subject: [sniffer] Damn viagra spam
DC> We are getting tons of spam for viagra and other drugs.
DC> Not being stopped by sniffer.
>>From - Wed Sep 14 14:23:59 2005
DC> X-Account-Key: account2
DC> X-UIDL: 397213080
DC> X-Mozilla-Status: 0011
DC> X-Mozilla-Status2: 00000000
DC> Received: from chartcourse.com [200.152.123.222] by deepspace.i360.net
DC> (SMTPD-8.20) id A7660304; Wed, 14 Sep 2005 14:17:58 -0500
DC> Received: from [192.168.232.240] (helo=elevator)
DC> by chartcourse.com with smtp (Paradisaic kw 5.29 (Jactation))
DC> id lBCMAK-xJNrNU-Ty
DC> for [EMAIL PROTECTED]; Wed, 14 Sep 2005 14:17:22 -0500
DC> Message-ID: <[EMAIL PROTECTED]>
DC> Reply-To: "Shayna Riffe" <[EMAIL PROTECTED]>
DC> From: "Shayna Riffe" <[EMAIL PROTECTED]>
DC> To: "Ealdgyth Rancourt" <[EMAIL PROTECTED]>
DC> Subject: Re: Really Works Very Good Pharmaceu tical
DC> Date: Wed, 14 Sep 2005 14:17:20 -0500
DC> MIME-Version: 1.0
DC> Content-Type: multipart/alternative;
DC> boundary="----=_NextPart_000_0047_01C5B937.04839800"
DC> X-Priority: 3
DC> X-MSMail-Priority: Normal
DC> X-Mailer: Microsoft Outlook Express 6.00.2800.1106
DC> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
DC> X-RBL-Warning: CBL: "Blocked - see
DC> http://cbl.abuseat.org/lookup.cgi?ip=200.152.123.222"
DC> X-RBL-Warning: IPNOTINMX:
DC> X-RBL-Warning: COUNTRYFILTER: Message failed COUNTRYFILTER test (line 29,
DC> weight 20)
DC> X-Declude-Sender: [EMAIL PROTECTED] [200.152.123.222]
DC> X-Declude-Spoolname: D7765019600001CDF.SMD
DC> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
DC> spam.
DC> X-Spam-Tests-Failed: CBL, IPNOTINMX, COUNTRYFILTER, CATCHALLMAILS [50]
DC> X-Country-Chain: BRAZIL->destination
DC> X-Note: This E-mail was sent from recreio.speednetrj.com
DC> ([200.152.123.222]).
DC> X-IMAIL-SPAM-STATISTICS: (7765019600001cdf, 0.9721)
DC> X-RCPT-TO: <[EMAIL PROTECTED]>
DC> Status: U
DC> X-UIDL: 397213080
DC> X-IMail-ThreadID: 7765019600001cdf
DC> This is a multi-part message in MIME format.
DC> ------=_NextPart_000_0047_01C5B937.04839800
DC> Content-Type: text/plain;
DC> charset="us-ascii"
DC> Content-Transfer-Encoding: quoted-printable
DC> LeViAmCiXaVa
DC> viagbi=
DC> alnali
DC> trraenisxum
DC> a &=
DC> nbsp;
DC> $3$1$3
DC> .33.21.75
DC> Our Website
DC> FaBeToEa
DC> st st talsy
DC> DeliPric&nbs=
DC> p;ConOrde
DC> veryesfide=
DC> ring
DC> nti
DC> ality=
DC> ball go? writing represented an incoherent chain of certain utterances, =
DC> certain
DC> ------=_NextPart_000_0047_01C5B937.04839800
DC> Content-Type: text/html;
DC> charset="us-ascii"
DC> Content-Transfer-Encoding: quoted-printable
DC> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
DC> <HTML><HEAD>
DC> <META http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii">
DC> <META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
DC> <STYLE></STYLE>
DC> </HEAD>
DC> <BODY bgColor=3D#ffffff>
DC> <DIV> </DIV>
DC> <DIV style=3D"FLOAT: left"><FONT
DC> face=3DCourier>Le<BR><B>Vi</B><BR>Am<B= R>><B>Ci</B><BR>Xa<BR><B>Va</B></FONT></DIV>
DC> <DIV style=3D"FLOAT: left"><FONT
DC> face=3DCourier>vi<BR><B>ag</B><BR>bi=
DC> <BR><B>al</B><BR>na<BR><B>li</B></FONT></DIV>
DC> <DIV style=3D"FLOAT: left"><FONT
DC> face=3DCourier>tr<BR><B>ra</B><BR>en<= BR>><B>is</B><BR>x<BR><B>um</B></FONT></DIV>
DC> <DIV style=3D"FLOAT: left"><FONT
DC> face=3DCourier>a<BR> <BR> <BR>&=
DC> nbsp;<BR> <BR> </FONT></DIV>
DC> <DIV style=3D"FLOAT: left"><FONT
DC> face=3DCourier><BR><B>$3</B><BR><BR><B= >>$1</B><BR><BR><B>$3</B></FONT></DIV>
DC> <DIV style=3D"FLOAT: left"><FONT
DC> face=3DCourier><BR><B>.33</B><BR><B= R>><B>.21</B><BR><BR><B>.75</B></FONT></DIV>
DC> <DIV style=3D"CLEAR: both"> </DIV>
DC> <DIV><A href=3D"http://www.amyslate.com">Our Website</A></DIV>
DC> <DIV> </DIV>
DC> <DIV style=3D"FLOAT: left"><FONT
DC> face=3DCourier>Fa<BR>Be<BR>To<BR>Ea</FON= T>></DIV>
DC> <DIV style=3D"FLOAT: left"><FONT
DC> face=3DCourier>st <BR>st <= BR>>tal<BR>sy </FONT></DIV>
DC> <DIV style=3D"FLOAT: left"><FONT
DC> face=3DCourier>Deli<BR>Pric<BR>&nbs=
DC> p;Con<BR>Orde</FONT></DIV>
DC> <DIV style=3D"FLOAT: left"><FONT
DC> face=3DCourier>very<BR>es<BR>fide<BR>=
DC> ring</FONT></DIV>
DC> <DIV style=3D"FLOAT: left"><FONT
DC> face=3DCourier><BR><BR>nti<BR></FONT></DIV>
DC> <DIV style=3D"FLOAT: left"><FONT
DC> face=3DCourier><BR><BR>ality<BR></FONT>=
DC> </DIV><DIV style=3D"CLEAR: both"> </DIV></BODY></HTML>
DC> ------=_NextPart_000_0047_01C5B937.04839800--

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
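
The column layout described in the reply above can be undone on the filtering side by rebuilding the rows a mail client would display, so content rules can match the rendered words instead of the raw markup. This is an added example, not part of the original thread and not Message Sniffer's rule engine; the class and function names are hypothetical, the sample is constructed on the model of the quoted message, and the HTML part is assumed to be quoted-printable decoded already.

```python
from html.parser import HTMLParser

# Constructed sample modeled on the quoted message (already QP-decoded).
SAMPLE = (
    '<DIV style="FLOAT: left"><FONT face=Courier>Le<BR><B>Vi</B><BR>Am</FONT></DIV>'
    '<DIV style="FLOAT: left"><FONT face=Courier>vi<BR><B>ag</B><BR>bi</FONT></DIV>'
    '<DIV style="FLOAT: left"><FONT face=Courier>tr<BR><B>ra</B><BR>en</FONT></DIV>'
    '<DIV style="FLOAT: left"><FONT face=Courier>a<BR>&nbsp;<BR>&nbsp;</FONT></DIV>'
    '<DIV style="FLOAT: left"><FONT face=Courier><BR><B>$3.33</B><BR></FONT></DIV>'
    '<DIV style="CLEAR: both">&nbsp;</DIV>'
)

class ColumnDeobfuscator(HTMLParser):
    # Hypothetical helper: collects float-left DIVs as columns, <BR> as row breaks.
    def __init__(self):
        super().__init__()
        self.groups = []    # finished groups, each a list of rendered rows
        self.columns = []   # columns of the group currently being collected
        self.cells = None   # cells of the open column, None outside a column

    def handle_starttag(self, tag, attrs):
        style = (dict(attrs).get("style") or "").lower().replace(" ", "")
        if tag == "div" and "float:left" in style:
            self.cells = [""]
        elif tag == "div":
            self.flush()    # a non-floating DIV (e.g. CLEAR: both) ends the group
        elif tag == "br" and self.cells is not None:
            self.cells.append("")

    def handle_endtag(self, tag):
        if tag == "div" and self.cells is not None:
            self.columns.append(self.cells)
            self.cells = None

    def handle_data(self, data):
        if self.cells is not None:
            self.cells[-1] += data.replace("\xa0", " ")

    def flush(self):
        # Read across the columns: row i is the i-th cell of every column, joined.
        height = max((len(c) for c in self.columns), default=0)
        rows = ["".join(c[i] for c in self.columns if i < len(c)).strip()
                for i in range(height)]
        if rows:
            self.groups.append([r for r in rows if r])
        self.columns = []

def rendered_rows(html):
    parser = ColumnDeobfuscator()
    parser.feed(html)
    parser.close()
    parser.flush()          # a trailing group may lack a closing CLEAR DIV
    return parser.groups
```

Running content rules over the output of `rendered_rows` as well as the raw body gives them the words as displayed, which never appear contiguously in the markup.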