dear snot, Would you mind taking your gay spam whining somewhere else?
Jacob ----- Original Message ----- From: "security snot" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, July 25, 2003 11:38 PM Subject: [Full-Disclosure] Advances in Spamming Techniques > I responded to an earlier post, from a respectable security personality > known as the dotslasher ([EMAIL PROTECTED]) with a bit of sarcasm. I > don't remember the incident 100%, but it was regarding a piece of spam > that he had recieved, that had a fake gpg signature attached to it. > > Recently I've also observed certain advances on bypassing spam filters, > which are being actively exploited out in the wild. Since this is > apparently a serious security-related matter (unsolicited email) I thought > I might share the body of this email with this list, so that everyone can > know what to watch out for in the future, and begin to develop better > antispam security filters. > > <spam> > We meet h0t y0ung guys (18-24) all the time who want to get fiuic ked, > to feel a hard c0ck in their aiss for the very first time, and we've > made it our mission in life to help as many of these hot tiwinks as > we can. They're a horny bunch and they spend a fair amount of time > covered in sipunk, f1uicking and suiciking c0ck like champions. > > One of our "students": > > Name: William Age: 18 Comments: 3 c0cks are better than 1! > When we met William he was so shy that we teamed him up with 2 of our > best educators... Jeff and Steven had sweet Willie suiciking c0ck like > an old pro in no time. > Contents: Full-length downloadable harid core video plus 150 pics. > > > Let's go? > </spam> > > Normally, spam filters will score on phrases such as "hot young guys" and > "hard core" (and other variations, such as "hardcore"); words like > "fucked", "cock", "sucking", etc. 
> In this bit of unsolicited email that I
> received after making a post to alt.gay.* (sorry, there may be minors
> reading the list and I wouldn't want them to know where they can be
> exposed to such adult conversations - here I am, exercising my right to
> limited free speech), we can observe that those filters are being bypassed
> by altering the spelling of the words and emulating "l33tspeak".
>
> Providing better regular expressions to mail filters, to account for this
> type of attack, is probably the best idea. What we're seeing here is a
> spinoff of polymorphic shellcode and attack mechanisms (originally
> designed to bypass Intrusion Detection Systems) being applied to more
> tangible areas of technology. It is interesting, however, to see
> technology evolve in this way.
>
> For those of you who don't understand how this could be a security-related
> matter, imagine trying to attack an "internal" mailserver on a network,
> where mail is forwarded from a spam-filtering proxy. Normally, the
> filters on the mail proxy would drop your message in transit, before
> reaching the vulnerable mailserver. By applying stealthlike operations on
> our spam, we're able to bypass the filters and have our malicious email
> attack the victim.
>
> I'd like to thank KF for his assistance in preparing this post, and for
> his many intelligence discussions on this mailing list. I'd also like to
> thank his colleague dug-h0 y0ng (expl0it1t13z) for a concise and accurate
> paper on exploiting format string vulnerabilities; his paper addressed
> many things that the five-hundred other papers on the subject managed to
> do correctly.
>
> I plan on arranging an academic study into the subject of bypassing spam
> filters, and how this affects the stability of the internet. If anyone is
> interested in working on this with me, please drop me a message.
>
> Thanks,
> -snot
>
> -----------------------------------------------------------
> "Whitehat by day, booger at night - I'm the security snot."
> - CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
> -----------------------------------------------------------
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
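An added example, not part of the original thread: a filter-side sketch of the "better regular expressions" idea from the quoted post, matching two of the phrases it names despite digit-for-letter swaps, one inserted junk character per gap, and changed word spacing. The look-alike table, the function names and the `max_fill` limit are assumptions made for this illustration.

```python
import re

# Assumed look-alike table (constructed for this example, not from the thread):
# characters a sender may swap in for each letter.
LOOKALIKES = {"a": "a4@", "e": "e3", "i": "i1!|", "l": "l1|",
              "o": "o0", "s": "s5$", "t": "t7+"}

def tolerant_pattern(phrase, max_fill=1):
    """Regex for `phrase` that survives look-alike swaps, up to `max_fill`
    junk characters between letters of a word, and changed word spacing."""
    filler = "[a-z0-9]{0,%d}?" % max_fill      # lazy: prefer the exact spelling
    words = []
    for word in phrase.lower().split():
        classes = ["[" + re.escape(LOOKALIKES.get(c, c)) + "]" for c in word]
        words.append(filler.join(classes))
    # Words may be run together or split by punctuation, but not by other words.
    return re.compile(r"\b" + r"[\W_]*".join(words) + r"\b", re.IGNORECASE)

def scan(text, phrases):
    """Return (phrase, matched_text) for every tolerant hit in `text`."""
    hits = []
    for phrase in phrases:
        for m in tolerant_pattern(phrase).finditer(text):
            hits.append((phrase, m.group(0)))
    return hits

# Two of the phrases the quoted post says filters score on.
PHRASES = ["hot young", "hard core"]

if __name__ == "__main__":
    samples = [
        "Full-length downloadable harid core video",       # token from the quoted spam
        "We meet h0t y0ung people",                        # token from the quoted spam
        "The hard drive is hot; the core team is young.",  # constructed benign line
    ]
    for line in samples:
        print(scan(line, PHRASES), "<-", line)
```

Raising `max_fill` catches heavier padding but also matches more ordinary words, so a hit is better used as one scoring signal than as a drop rule.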
