Re: [Declude.JunkMail] Wordfilter bypassed

2002-11-20 Thread Mike K
A spam I received yesterday had these comments in it also.

However, one thing I noticed was that the spam had a URL that started off
with the standard http, then was followed by
PercentHexHexPercentHexHexPercentHexHexPercentHexHexPercentHexHex and so on.

This should be very easy to filter on, as no legit mailer should be hiding
URLs like that.

Mike

----- Original Message -----
From: Madscientist [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 19, 2002 8:47 PM
Subject: RE: [Declude.JunkMail] Wordfilter bypassed



> Where we got into trouble was with big corporate iron... (IBM, Sun,
> Microsoft, etc...) The comments in those messages were part of the code
> base generating the messages and I can imagine (as a web developer also)
> that they are pretty vital to the developers in their ongoing
> maintenance efforts. It's not uncommon to see quite a few of them. As we
> increased the threshold to accommodate the legitimate messages we were
> capturing we soon reached a level where legitimate and non-legitimate
> were practically indistinguishable. All I'm saying here is that since
> HTML email is here to stay, and HTML comments are legitimate and
> sometimes required for coding standards, a simple count of HTML comments
> will not be a valid spam test in most cases. This has been our
> experience - your mileage may/will vary.
>
> _M

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-20 Thread Madscientist
A word of caution from our research.

Some legitimate messages do encode other URLs as parameters. As a result
this kind of filter requires the following constraints (still not
perfect but close):

Be sure your rule fires on the ROOT of the URL so that you are not
capturing parameters that have been encoded. For example,
href=http://%67 etc... but not just http://%67... as in
href=http://legitimate.web.host/somefn.jsp?xyz=http://%67%4D...

Look for encoding of normal print characters such as letters and
numbers as these are not normally encoded in legitimate URLs. (_usually_
is important here as some automated link generation systems we've seen
do code everything either as a half-hearted attempt at security or just
because it's easier to hit every nail with the hammer.)

If you combine these two constraints then the rule can be very
effective.

Hope this helps,
_M

Pete McNeil (Madscientist)
Chief SortMonster (www.sortmonster.com)
VOX: 703-406-2016
FAX: 703-406-2017


| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Mike K
| Sent: Wednesday, November 20, 2002 9:06 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wordfilter bypassed
| 
| 
| A spam I received yesterday had these comments in it also.
| 
| However one thing I noticed was that the spam had a url that 
| started off with the standard http then was followed by 
| PercentHexHexPercentHexHexPercentHexHexPercentHexHexPercentHex
| Hex and so on.
| 
| This should be very easy to filter on as no legit mailer 
| should be hiding urls like that.
| 
| Mike
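The two constraints above (fire only on the ROOT of the URL, and only on escapes that hide letters or digits), as an added Python example that is not code from the thread or from Declude; the href regex, the sample links and the .test hostnames are my own constructions, while the legitimate.web.host/%67%4D pattern is the one quoted in the message.

```python
import re

# An absolute http(s) URL inside an href attribute, split into the scheme,
# the ROOT (everything up to the first "/", "?" or "#", i.e. the host part)
# and the rest (path plus query). Hypothetical regex written for this example.
HREF_RE = re.compile(
    r"""href\s*=\s*["']?(https?://)([^/?#"'\s>]*)([^"'\s>]*)""",
    re.IGNORECASE,
)

ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")


def encoded_alnum_escapes(fragment):
    """Return the %XX escapes in fragment that decode to an ASCII letter or
    digit. Escapes for characters such as space (%20) are ignored because
    those are legitimately encoded all the time."""
    hits = []
    for m in ESCAPE_RE.finditer(fragment):
        ch = chr(int(m.group(1), 16))
        if ch.isascii() and ch.isalnum():
            hits.append(m.group(0))
    return hits


def classify_hrefs(html):
    """Classify every href in html. A URL is suspicious only when its ROOT
    hides letters or digits behind %XX; escapes that sit in the path or
    query (another URL passed as a parameter) are counted but do not fire."""
    results = []
    for m in HREF_RE.finditer(html):
        scheme, root, rest = m.groups()
        root_hits = encoded_alnum_escapes(root)
        rest_hits = encoded_alnum_escapes(rest)
        results.append({
            "url": scheme + root + rest,
            "root_encoded_alnum": len(root_hits),
            "param_encoded_alnum": len(rest_hits),
            "suspicious": bool(root_hits),
        })
    return results


def suspicious_urls(html):
    """Convenience wrapper: just the URLs that fire the rule."""
    return [r["url"] for r in classify_hrefs(html) if r["suspicious"]]


# Constructed sample message body. The first link hides "www.example" in the
# root; the second is the legitimate pattern from the thread (an encoded URL
# passed as a parameter); the third only encodes spaces.
SAMPLE_HTML = """
<a href="http://%77%77%77.%65%78%61%6D%70%6C%65.test/buy">click</a>
<a href="http://legitimate.web.host/somefn.jsp?xyz=http://%67%4D%70.example.test">info</a>
<a href="http://plain.example.test/path%20with%20space">normal</a>
"""

if __name__ == "__main__":
    for r in classify_hrefs(SAMPLE_HTML):
        print(r)
```

The counts are returned rather than a bare verdict so the weight can be tuned down for the generators Madscientist mentions that encode everything.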


RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread Kami Razvan
We have seen quite a lot. It is happening more and more. If HTML comments could be ignored it would be a great addition. I wonder what would be the downfall of the idea?

I also think another filter that can be considered is the routing type filter. I don't know if bad routing can see this.. but we are noticing a lot of emails going in circles.. for example:

US > Japan > Hungary > Destination (US in this case).

I guess one way to combat this is if the Country filter is additive. For example, the weight of each country detected is added to the total weight. Does the filter do this?

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott MacLean
Sent: Tuesday, November 19, 2002 7:52 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Wordfilter bypassed

The sneaky buggers are at it again. I've been getting more and more emails that don't fail any tests at all, but should be caught as spam due to multiple wordfilter hits. I had a look at the message (HTML) source, and found this:

Hum<!--nnbvmx-->an Gr<!--d-->owth Hor<!--fjkg-->mone Th<!--sdkf-->erapy

Scott, is it possible that the wordfilter, when looking at HTML source messages, can be made to disregard HTML comments, as above?

___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com


Re: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread R. Scott Perry
> The sneaky buggers are at it again. I've been getting more and more emails
> that don't fail any tests at all, but should be caught as spam due to
> multiple wordfilter hits. I had a look at the message (HTML) source, and
> found this:
>
> Hum<!--nnbvmx-->an Gr<!--d-->owth Hor<!--fjkg-->mone Th<!--sdkf-->erapy
>
> Scott, is it possible that the wordfilter, when looking at HTML source
> messages, can be made to disregard HTML comments, as above?

That likely isn't something that we will be doing, as it will add a lot of 
extra CPU time (or require writing our own specially designed string 
matching functions).  However, we are thinking of adding a test that will 
get triggered if a certain number of comments are found in an 
E-mail.  Although this would catch the occasionally bandwidth-wasting 
legitimate bulk mailers (that have real comments), it would also be very 
useful in detecting spam.
 -Scott


RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread R. Scott Perry
> I guess one way to combat this is if the Country filter is additive.  For
> example the weight of each country detected is added to the total
> weight.  Does the filter do this?

Yes, it does.  :)
   -Scott


RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread Markus Gufler
If you can wait for some weeks we can provide an external test-program that makes some content-based tests.

At the moment we have ready the first tests which try to identify things like HTML-only mails, subjects with spaces (yes, the same as Declude's spamheaders-test) and code-numbers in subject-lines and email-addresses.

The next tests we plan to realize are links to ip-addresses, image-links and links to cgi-scripts. There will also be a word-filter test that tries to remove any <!-- --> comments and other obscuring strings.

The external test can be configured with an inifile and returns its results as a cumulative weight to declude.

On our server it has worked for the last 9 days without any problem. During stress-tests on our server we did not notice appreciably more cpu-usage (with the current working tests).
This external test will be free for all.

In the next days I will provide a test-version in the list.

Markus


RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread Madscientist
We attempted implementing a test that counts the number of html comments
and found that it was impractical as it consistently captured a large
number of legitimate services. (Scott, you indicated that it might catch
some - our experience has been that it captures so many we had to drop
it.) I suspect that most systems will need to weight such a test very
lightly. Hope this helps.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Tuesday, November 19, 2002 8:23 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wordfilter bypassed
| 
| 
| 
| The sneaky buggers are at it again. I've been getting more and more 
| emails
| that don't fail any tests at all, but should be caught as 
| spam due to 
| multiple wordfilter hits. I had a look at the message (HTML) 
| source, and 
| found this:
| 
| Hum<!--nnbvmx-->an Gr<!--d-->owth Hor<!--fjkg-->mone 
| Th<!--sdkf-->erapy
| 
| Scott, is it possible that the wordfilter, when looking at 
| HTML source
| messages, can be made to disregard HTML comments, as above?
| 
| That likely isn't something that we will be doing, as it will 
| add a lot of 
| extra CPU time (or require writing our own specially designed string 
| matching functions).  However, we are thinking of adding a 
| test that will 
| get triggered if a certain number of comments are found in an 
| E-mail.  Although this would catch the occasionally bandwidth-wasting 
| legitimate bulk mailers (that have real comments), it would 
| also be very 
| useful in detecting spam.
|   -Scott

RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread R. Scott Perry
> We attempted implementing a test that counts the number of html comments
> and found that it was impractical as it consistently captured a large
> number of legitimate services. (Scott, you indicated that it might catch
> some - our experience has been that it captures so many we had to drop
> it.) I suspect that most systems will need to weight such a test very
> lightly. Hope this helps.


However, that's the way spam control is heading.  As more and more people 
get fed up with spam, more and more of the bozos that are doing things the 
wrong way will need to fix their problems.

I can understand an HTML E-mail having one or two comments in it, but 10 or 
20 is just a waste of bandwidth.  That is information the recipient will 
never see.

   -Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for 
IMail.  http://www.declude.com

Re: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread Smart Business Lists
R.,

Tuesday, November 19, 2002 you wrote:
RSP> I can understand an HTML E-mail having one or two comments in it,
RSP> but 10 or 20 is just a waste of bandwidth. That is information
RSP> the recipient will never see.

 Lots of the content management systems are heavily commented so I
 see a lot of comments in html messages to subscribers.
 
 However, they are not commented between words but that's a
 difficult parse I think.
 

Terry Fritts


Re: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread R. Scott Perry
> Lots of the content management systems are heavily commented so I
> see a lot of comments in html messages to subscribers.
>
> However, they are not commented between words but that's a
> difficult parse I think.


Aha... that could be the key!

A spammer will use something like or<!-- blah -->der.  If they use or 
<!-- blah --> der, it will appear on the screen as or der, which will 
confuse people (Call to or der now! isn't very readable).  Whereas the 
content management systems likely have the comment on the beginning of a 
new line, or at least have a space before/after it.
 -Scott

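The heuristic Scott describes (a comment wedged between two letters versus a comment on its own line or padded with spaces), together with the comment stripping Scott MacLean asked for, as an added Python example that is not code from the thread or from Declude; the spam line is the one quoted in the thread, while the CMS snippet and the phrase list are constructed for the demonstration.

```python
import re

# One HTML comment; non-greedy so adjacent comments are matched separately.
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def comment_stats(html):
    """Return (total_comments, word_splitting_comments).

    A comment counts as word-splitting when a letter or digit sits directly
    on both sides of it, i.e. it is wedged inside a word. A CMS comment on
    its own line, or padded with whitespace, never qualifies, which is why
    this is a usable signal where the raw count (Madscientist's experience)
    is not."""
    total = splitting = 0
    for m in COMMENT_RE.finditer(html):
        total += 1
        before = html[m.start() - 1] if m.start() > 0 else " "
        after = html[m.end()] if m.end() < len(html) else " "
        if before.isalnum() and after.isalnum():
            splitting += 1
    return total, splitting


def strip_comments(html):
    """Remove comments so the wordfilter sees what the recipient sees."""
    return COMMENT_RE.sub("", html)


def wordfilter_hits(html, phrases, strip=True):
    """Phrases found in the message text, optionally after comment removal."""
    text = (strip_comments(html) if strip else html).lower()
    return [p for p in phrases if p.lower() in text]


# Sample from the thread: the comment-split words Scott MacLean reported.
SPAM_HTML = "Hum<!--nnbvmx-->an Gr<!--d-->owth Hor<!--fjkg-->mone Th<!--sdkf-->erapy"

# Constructed legitimate snippet: comments on their own lines or spaced out,
# the way a templated mailing looks.
CMS_HTML = """<!-- header: begin -->
<table>
  <tr><td> <!-- nav cell --> Home</td></tr>
</table>
<!-- header: end -->
<p>Your monthly statement is ready.</p>
"""

# Constructed wordfilter phrases for the demonstration.
PHRASES = ["human growth hormone", "therapy"]

if __name__ == "__main__":
    print(comment_stats(SPAM_HTML), wordfilter_hits(SPAM_HTML, PHRASES))
    print(comment_stats(CMS_HTML), wordfilter_hits(CMS_HTML, PHRASES))
```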

RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread Madscientist
| 
| However, that's the way spam control is heading.  As more and 
| more people 
| get fed up with spam, more and more of the bozos that are 
| doing things the 
| wrong way will need to fix their problems.
| 
| I can understand an HTML E-mail having one or two comments in 
| it, but 10 or 
| 20 is just a waste of bandwidth.  That is information the 
| recipient will 
| never see.
| 
| -Scott

Where we got into trouble was with big corporate iron... (IBM, Sun,
Microsoft, etc...) The comments in those messages were part of the code
base generating the messages and I can imagine (as a web developer also)
that they are pretty vital to the developers in their ongoing
maintenance efforts. It's not uncommon to see quite a few of them. As we
increased the threshold to accommodate the legitimate messages we were
capturing we soon reached a level where legitimate and non-legitimate
were practically indistinguishable. All I'm saying here is that since
HTML email is here to stay, and HTML comments are legitimate and
sometimes required for coding standards, a simple count of HTML comments
will not be a valid spam test in most cases. This has been our
experience - your mileage may/will vary.

_M


RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread Madscientist
That's a good point. Perhaps we'll do some testing in the new version
for comments bounded by nonwhitespace.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Tuesday, November 19, 2002 10:21 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wordfilter bypassed
| 
| 
| 
|   Lots of the content management systems are heavily 
| commented so I
|   see a lot of comments in html messages to subscribers.
| 
|   However, they are not commented between words but that's a
|   difficult parse I think.
| 
| Aha... that could be the key!
| 
| A spammer will use something like or<!-- blah -->der.  If 
| they use or 
| <!-- blah --> der, it will appear on the screen as or der, 
| which will 
| confuse people (Call to or der now! isn't very readable).  
| Whereas the 
| content management systems likely have the comment on the 
| beginning of a 
| new line, or at least have a space before/after it.
|   -Scott