Re: : 9D character used in words to avoid detection

2018-11-24 Thread Joseph Brennan
I've had good results scoring for the combination of windows-1256 encoding
and quoted-printable. It pushes some junk over the top into spam.
Admittedly a message that is mainly in a Latin character set with a quote
from Arabic could be so encoded, so I don't give it a killer score, just a
bump.

In my previous message some days ago I wrote about the combination of the
windows-1256 character set and qp =9D between non-Arabic characters, where
it would never make sense. The reply about my own message matching for
mentioning =9D did not make sense since my message was not in windows-1256.
If this spam technique spreads I still think it would be worth some score.
A broader rule would look for an ISO encoding of the same Arabic no-space
character between non-Arabic characters.

Joseph Brennan
Columbia U I T


Re: : 9D character used in words to avoid detection

2018-11-21 Thread RW
On Wed, 21 Nov 2018 09:10:25 -0800 (PST)
John Hardin wrote:

>
> >> https://ruleqa.spamassassin.org/20181119-r1846888-n/__UNICODE_OBFU_ZW/detail
> >>   
> >
> >
> > For this to work with 'normalize_charset 1', \x9d needs to be
> > replaced with (?:\x9d|\xe2\x80\x8c)  
> 
> That makes an *enormous* difference:
> 
> https://ruleqa.spamassassin.org/20181121-r1847080-n/UNICODE_OBFU_ZW/detail
> 
> Without the normalized version it was only hitting ~5 spams in the
> entire corpus.


I presume the mass checks run with defaults, which looks to be
still 'normalize_charset 0' in trunk. So the new hits appear to be
coming from spams with actual UTF-8, rather than 9D normalized to
UTF-8.

This seems a bit strange.


Re: : 9D character used in words to avoid detection

2018-11-21 Thread John Hardin

On Tue, 20 Nov 2018, RW wrote:

> On Mon, 19 Nov 2018 13:31:47 -0800 (PST)
> John Hardin wrote:
>
> > On Mon, 19 Nov 2018, Joseph Brennan wrote:
> >
> > > Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt
> > >
> > > In windows-1256, the presence of =9D between characters under
> > > decimal-128 is suspicious, regardless of Bitcoin. It seems like a
> > > simple rule but even rawbody does not check quoted-printable
> > > patterns. Plugin maybe? Has this already been done and I've missed
> > > it?
> >
> > It's there, but performing poorly:
> >
> > https://ruleqa.spamassassin.org/20181119-r1846888-n/__UNICODE_OBFU_ZW/detail
>
> For this to work with 'normalize_charset 1', \x9d needs to be replaced
> with (?:\x9d|\xe2\x80\x8c)

That makes an *enormous* difference:

https://ruleqa.spamassassin.org/20181121-r1847080-n/UNICODE_OBFU_ZW/detail

Without the normalized version it was only hitting ~5 spams in the entire
corpus.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  [For Earth Day] Obama flew a 747 all the way to the Everglades
  then rode in a massive SUV motorcade to tell you
  to cut carbon emissions.-- Twitter satirist @hale_razor
---
 601 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: 9D character used in words to avoid detection.

2018-11-20 Thread Kevin A. McGrail
Pedro, I just checked a spample I have and it hits on the rule.  Note, I do
not use normalize charset but just expanded the rule to allow for that
thanks to RW's post.

Regards,
KAM
--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Sun, Nov 18, 2018 at 1:40 PM Pedro David Marco 
wrote:

> Kevin,
>
> i think KAM_ZWNJ only triggers with "rawbody".  Actual KAM.cf uses
> "body"...
>
> does the SA body pre-processor remove nulls??
>
> ---
> PedroD
>
> On Saturday, November 17, 2018, 1:41:28 AM GMT+1, Kevin A. McGrail <
> kmcgr...@apache.org> wrote:
>
>
> Yeah, there is a SCC SHORT WORDS rule and a KAM_ZWNJ in KAM.cf.  Please
> let me know if those help.
> --
> Kevin A. McGrail
> VP Fundraising, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>
> On Fri, Nov 16, 2018 at 7:37 PM John Hardin  wrote:
>
> On Fri, 16 Nov 2018, Mark London wrote:
>
> > I just received a spam email with the 9D character placed inside of
> words,
> > that prevented my custom BODY rules from being hit.  I.e.:
> >
> > Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr
> a=9Dlready
> > change=9Dd it.
> >
> > Is there a way to define BODY rules, so that they will be triggered?
> > Thanks.
>
> No, that would be way too much work; take a look at __UNICODE_OBFU_ZW in
> my sandbox. It isn't performing well in masschecks so I expect this tactic
> isn't widespread (yet?)
>
> I suppose I should expose it as scored in case it becomes popular...
>
>
> --
>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>   jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   From the Liberty perspective, it doesn't matter if it's a
>   jackboot or a Birkenstock smashing your face.         -- Robb Allen
> ---
>   596 days since the first commercial re-flight of an orbital booster
> (SpaceX)
>
>


Re: : 9D character used in words to avoid detection

2018-11-20 Thread John Hardin

On Tue, 20 Nov 2018, RW wrote:

> On Mon, 19 Nov 2018 13:31:47 -0800 (PST)
> John Hardin wrote:
>
> > On Mon, 19 Nov 2018, Joseph Brennan wrote:
> >
> > > Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt
> > >
> > > In windows-1256, the presence of =9D between characters under
> > > decimal-128 is suspicious, regardless of Bitcoin. It seems like a
> > > simple rule but even rawbody does not check quoted-printable
> > > patterns. Plugin maybe? Has this already been done and I've missed
> > > it?
> >
> > It's there, but performing poorly:
> >
> > https://ruleqa.spamassassin.org/20181119-r1846888-n/__UNICODE_OBFU_ZW/detail
>
> For this to work with 'normalize_charset 1', \x9d needs to be replaced
> with (?:\x9d|\xe2\x80\x8c)

Thanks, I'll get that change checked in shortly.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Perfect Security and Absolute Safety are unattainable; beware
  those who would try to sell them to you, regardless of the cost,
  for they are trying to sell you your own slavery.
---
 600 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: : 9D character used in words to avoid detection

2018-11-20 Thread RW
On Mon, 19 Nov 2018 13:31:47 -0800 (PST)
John Hardin wrote:

> On Mon, 19 Nov 2018, Joseph Brennan wrote:
> 
> > Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt
> >
> > In windows-1256, the presence of =9D between characters under
> > decimal-128 is suspicious, regardless of Bitcoin. It seems like a
> > simple rule but even rawbody does not check quoted-printable
> > patterns. Plugin maybe? Has this already been done and I've missed
> > it?  
> 
> It's there, but performing poorly:
> 
> https://ruleqa.spamassassin.org/20181119-r1846888-n/__UNICODE_OBFU_ZW/detail

 
For this to work with 'normalize_charset 1', \x9d needs to be replaced
with (?:\x9d|\xe2\x80\x8c)


Re: : 9D character used in words to avoid detection

2018-11-20 Thread RW
On Mon, 19 Nov 2018 15:38:58 -0500
Joseph Brennan wrote:

> Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt
> 
> In windows-1256, the presence of =9D between characters under
> decimal-128 is suspicious, regardless of Bitcoin. It seems like a
> simple rule but even rawbody does not check quoted-printable
> patterns. Plugin maybe? Has this already been done and I've missed it?

You don't need that, you can simply look for the decoded character in
the body. 


Re: : 9D character used in words to avoid detection

2018-11-19 Thread John Hardin

On Mon, 19 Nov 2018, Joseph Brennan wrote:

> Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt
>
> In windows-1256, the presence of =9D between characters under decimal-128
> is suspicious, regardless of Bitcoin. It seems like a simple rule but even
> rawbody does not check quoted-printable patterns. Plugin maybe? Has this
> already been done and I've missed it?

It's there, but performing poorly:

https://ruleqa.spamassassin.org/20181119-r1846888-n/__UNICODE_OBFU_ZW/detail

> > This tactic seems to be limited right now to a few (one?) spammers, who
> > are presently using it in their porn blackmail spam.

...probably for this reason.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Forces of tyranny expand inexorably to fill the space
  made available for their existence.   -- Jordan B. Peterson
---
 599 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: : 9D character used in words to avoid detection

2018-11-19 Thread Bill Cole

On 19 Nov 2018, at 15:38, Joseph Brennan wrote:

> Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt
>
> In windows-1256, the presence of =9D between characters under decimal-128
> is suspicious, regardless of Bitcoin. It seems like a simple rule but even
> rawbody does not check quoted-printable patterns. Plugin maybe? Has this
> already been done and I've missed it?


Using the 'full' rule type checks the truly pristine message. This is of
surprisingly limited utility. Note that if you looked for '=9D' using a
'full' rule it would match your message and most messages in this
thread. It's theoretically possible to only examine a QP-encoded part
for a QP encoding pattern, but I wouldn't use the necessary sort of rule
(unlimited multi-line) in production.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole


Re: : 9D character used in words to avoid detection

2018-11-19 Thread Joseph Brennan
Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt

In windows-1256, the presence of =9D between characters under decimal-128
is suspicious, regardless of Bitcoin. It seems like a simple rule but even
rawbody does not check quoted-printable patterns. Plugin maybe? Has this
already been done and I've missed it?

Joseph Brennan
Columbia U I T







On Mon, Nov 19, 2018 at 11:49 AM Mark London  wrote:

> On 11/19/2018 10:35 AM, users-digest-h...@spamassassin.apache.org wrote:
> > I ran it as-is, and it scored poorly.
> > After I manually de-borked the headers, and retested, it hit SA's
> > "OBFU_BITCOIN" and my own anti-bitcoin/sextortion & hi-Ascii-count
> tests.
>
> OBFU_BITCOIN was hit because the =9D character was not inserted in the
> bitcoin string itself, and rules like __BTC_OBFU_2 were hit, because
> they are designed to look for obfuscated forms of BTC.
>
> So, any rules that take into account obfuscated words solve the
> problem of inserted 9D characters.
>
> This tactic seems to be limited right now to a few (one?) spammers, who
> are presently using it in their porn blackmail spam.
>
> - Mark
>
>
>
>

-- 
Joseph Brennan
Lead, Email and Systems Applications


Re:: 9D character used in words to avoid detection

2018-11-19 Thread Mark London

On 11/19/2018 10:35 AM, users-digest-h...@spamassassin.apache.org wrote:

> I ran it as-is, and it scored poorly.
> After I manually de-borked the headers, and retested, it hit SA's
> "OBFU_BITCOIN" and my own anti-bitcoin/sextortion & hi-Ascii-count tests.

OBFU_BITCOIN was hit because the =9D character was not inserted in the
bitcoin string itself, and rules like __BTC_OBFU_2 were hit, because
they are designed to look for obfuscated forms of BTC.

So, any rules that take into account obfuscated words solve the
problem of inserted 9D characters.

This tactic seems to be limited right now to a few (one?) spammers, who
are presently using it in their porn blackmail spam.


- Mark





Re: 9D character used in words to avoid detection

2018-11-18 Thread Bill Cole

On 18 Nov 2018, at 14:30, Chip M. wrote:

> Mark, is that the exact network image?


It cannot have been, as it was missing headers that any message of its
apparent lineage (all outlook.com) would have, including Content-Type as
you noted as well as MIME-Version and private headers that MS adds to
messages. Since Content-Type, MIME-Version, and
X-MS-Exchange-SenderADCheck are supposedly signed according to the
DKIM-Signature header, that also must fail.






Re: 9D character used in words to avoid detection

2018-11-18 Thread Chip M.

Ditto to what John said, however, thanks for the spample Mark. :)

Mark, is that the exact network image?
If not, do you have access to it? If so, please pastebin it.
By "network image", I mean not-mangled by any post filter software.

Your posted spample is quoted-printable, and should have been decoded 
then hit some bitcoin/sextortion specific rules.
In your spample, the Content headers are borked, and it wasn't 
recognized as qp, hence the abundant "9D" artifacts.


I ran it as-is, and it scored poorly.
After I manually de-borked the headers, and retested, it hit SA's 
"OBFU_BITCOIN" and my own anti-bitcoin/sextortion & hi-Ascii-count tests.


The question is, is that broken header pattern in the original, and 
if so, should it be detected & scored, in-and-of-itself?

We'd need the most pristine original, before proceeding. :)
- "Chip"

P.S. Sorry for the lack of Reply headers.  I'm on the road, with limited tools.



Re: 9D character used in words to avoid detection.

2018-11-18 Thread Pedro David Marco
Kevin,

I think KAM_ZWNJ only triggers with "rawbody". Actual KAM.cf uses "body"...

Does the SA body pre-processor remove nulls??

---
PedroD

On Saturday, November 17, 2018, 1:41:28 AM GMT+1, Kevin A. McGrail wrote:

Yeah, there is a SCC SHORT WORDS rule and a KAM_ZWNJ in KAM.cf.  Please let me
know if those help.
--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Fri, Nov 16, 2018 at 7:37 PM John Hardin  wrote:

On Fri, 16 Nov 2018, Mark London wrote:

> I just received a spam email with the 9D character placed inside of words, 
> that prevented my custom BODY rules from being hit.  I.e.:
>
> Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr a=9Dlready 
> change=9Dd it.
>
> Is there a way to define BODY rules, so that they will be triggered? 
> Thanks.

No, that would be way too much work; take a look at __UNICODE_OBFU_ZW in 
my sandbox. It isn't performing well in masschecks so I expect this tactic 
isn't widespread (yet?)

I suppose I should expose it as scored in case it becomes popular...


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
   From the Liberty perspective, it doesn't matter if it's a
   jackboot or a Birkenstock smashing your face.         -- Robb Allen
---
  596 days since the first commercial re-flight of an orbital booster (SpaceX)

  

Re: : 9D character used in words to avoid detection

2018-11-18 Thread RW
On Sat, 17 Nov 2018 19:10:57 -0500
Mark London wrote:

> --_000_MWHPR14MB13279093501A88B114707EE3B0DD0MWHPR14MB1327namp_
> Content-Type: text/plain; charset="windows-1256"

So =9D is a zero-width non-joiner. With normalize_charset this can be
detected as the UTF-8 version seen before.


> Do=9D no=9Dt co=9Dnsi=9Dder to=9D ma=9Dke=9D co=9Dntact with me=9D
> pe=9Drso= nally o=9Dr fi=9Dnd me=9D.

My understanding is that zero-width joiners and non-joiners go
between two characters to control how they are typeset, so presumably
they shouldn't be next to a space or punctuation mark.
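
Both observations in this message, together with the (?:\x9d|\xe2\x80\x8c) alternation RW gave earlier in the thread for 'normalize_charset 1', worked through in an added Python example; this is not code from the thread or from SpamAssassin, and the Python regexes stand in for SA rule syntax. The quoted-printable fragment and the Arabic control string are constructed for the example.

```python
"""Detection logic for the 0x9D / ZWNJ word-splitting trick discussed in this thread.

In windows-1256 the byte 0x9D is U+200C ZERO WIDTH NON-JOINER. Quoted-printable
spells it "=9D", so "Obvi=9Do=9Dusly" decodes to bytes in which every word is cut
by an invisible character and plain word-matching body rules no longer fire.
Shown here: QP decoding (what a rawbody rule sees), the effect of normalize_charset
(0x9D becomes the UTF-8 sequence E2 80 8C), and an alternation that matches under
either setting, restricted to positions where a ZWNJ never makes sense in Latin text.
"""
import quopri
import re

# Constructed sample modelled on the QP fragment quoted in the thread (not the
# spammer's exact text); the "=\r\n" is a quoted-printable soft line break.
SAMPLE_QP = (b"Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn cha=9Dnge=9D i=9Dt, o=9Dr "
             b"a=9Dlready c=\r\nhange=9Dd it.")

# Constructed Arabic-script control text with a ZWNJ between two Arabic letters:
# the legitimate use that a rule must not penalise (Joseph's Arabic-quote concern).
LEGIT_ARABIC = "\u0627\u0644\u200c\u0645\u0647".encode("windows-1256")

ZWNJ_EITHER = rb"(?:\x9d|\xe2\x80\x8c)"   # raw windows-1256 byte OR its UTF-8 form
ZWNJ_LEGACY = rb"\x9d"                     # the pre-fix pattern: raw byte only

# ZWNJ sandwiched between two ASCII letters: never legitimate in Latin text.
IN_WORD = re.compile(rb"(?<=[A-Za-z])" + ZWNJ_EITHER + rb"(?=[A-Za-z])")
IN_WORD_LEGACY = re.compile(rb"(?<=[A-Za-z])" + ZWNJ_LEGACY + rb"(?=[A-Za-z])")
# ZWNJ touching whitespace or punctuation: a (non-)joiner has nothing to join there.
AT_BOUNDARY = re.compile(
    rb"(?<=[\s.,;:!?])" + ZWNJ_EITHER + rb"|" + ZWNJ_EITHER + rb"(?=[\s.,;:!?]|$)")


def decode_qp(raw: bytes) -> bytes:
    """Undo quoted-printable, giving the bytes a rawbody rule would see."""
    return quopri.decodestring(raw)


def normalize_charset(body: bytes, charset: str = "windows-1256") -> bytes:
    """Mimic 'normalize_charset 1': transcode the declared charset to UTF-8."""
    return body.decode(charset).encode("utf-8")


def count_in_word(body: bytes) -> int:
    """Number of ZWNJs cutting ASCII words, matching either byte form."""
    return len(IN_WORD.findall(body))


def count_in_word_legacy(body: bytes) -> int:
    """Same check with the raw-byte-only pattern, to show what normalisation breaks."""
    return len(IN_WORD_LEGACY.findall(body))


def count_at_boundary(body: bytes) -> int:
    """Number of ZWNJs adjacent to a space or punctuation mark."""
    return len(AT_BOUNDARY.findall(body))


def strip_zwnj(body: bytes, charset: str = "windows-1256") -> str:
    """Decode the part and drop U+200C so ordinary word rules see the real text."""
    return body.decode(charset).replace("\u200c", "")


if __name__ == "__main__":
    raw = decode_qp(SAMPLE_QP)
    utf8 = normalize_charset(raw)
    print("raw bytes:        in-word", count_in_word(raw), "boundary", count_at_boundary(raw))
    print("normalized UTF-8: in-word", count_in_word(utf8), "legacy-only", count_in_word_legacy(utf8))
    print("Arabic control:   in-word", count_in_word(LEGIT_ARABIC))
    print("deobfuscated:", strip_zwnj(raw))
```

The legacy pattern counts 9 hits on the raw bytes and 0 after normalisation, which is the drop-off RW described; the alternation counts 9 either way while leaving the Arabic control text at 0.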



Re:: 9D character used in words to avoid detection

2018-11-17 Thread John Hardin

On Sat, 17 Nov 2018, Mark London wrote:

>  Forwarded Message 
> Subject:	[OFF-list] 9D character used in words to avoid detection
> Date:	Sat, 17 Nov 2018 15:42:08 -0600
> To:	Mark London 
>
> Mark, could you post a full spample to the SA list?

Erm, thanks, but it's much preferable to upload the raw spample to
someplace like pastebin and just post the link here. That way (1) the
spample doesn't get quarantined or discarded from content scanning, and
(2) the spample doesn't get modified in transit.

> Thanks in advance!
> "Chip" M.
>
> ---

{snip}


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  There is no doubt in my mind that millions of lives could have been
  saved if the people were not "brainwashed" about gun ownership and
  had been well armed. ... Gun haters always want to forget the Warsaw
  Ghetto uprising, which is a perfect example of how a ragtag,
  half-starved group of Jews took 10 handguns and made asses out of
  the Nazis.-- Theodore Haas, Dachau survivor
---
 597 days since the first commercial re-flight of an orbital booster (SpaceX)


Re:: 9D character used in words to avoid detection

2018-11-17 Thread Mark London

 Forwarded Message 
Subject:[OFF-list] 9D character used in words to avoid detection
Date:   Sat, 17 Nov 2018 15:42:08 -0600
From:   Chip M. 
To: Mark London 


Mark, could you post a full spample to the SA list?
Thanks in advance!
"Chip" M.

---

Received: from NAM03-DM3-obe.outbound.protection.outlook.com 
(mail-oln040092008054.outbound.protection.outlook.com [40.92.8.54])
by PSFCMAIL.MIT.EDU (8.14.7/8.14.7) with ESMTP id wAGJEjso151029
(version=TLSv1/SSLv3 cipher=AES256-SHA256 bits=256 verify=NOT)
for ; Fri, 16 Nov 2018 14:14:45 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
 s=selector1;
 
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=Kceh3OoQuqn81EZa8vu4iMVNv3cq+/11xZqOTWGejmA=;
 
b=SmqjOWOZhH0WPpxl0tW8hR8y/iinBa5jpTYudap6390QzWXLc4TU0iPuaChiq3kivXtpxSBJAnVrDi1HCJm1ifFGvmIqITyB4am/vUuwDDtm+e8hLy1ONvsEa8O9tLdmzs10x6T/6nsWadsB9QCiJ39ugpj4V5sBvb5vGaaRNjQCwqO+GcqYmnZbMzR2Sp1U2Ah63P9bHiK2jiBf/g1T5aOsrLpfypPTdltzTbYLs3E76Nt4swZwDlMond9FJITY574G/HBghrql3nZEKlGGPGI2J8qUiiVPn5/cMCyOLrR0qqd217oU82Cuner5kPWE9iEcprvXxJIAt6gOYPKzDg==
Received: from BY2NAM03FT047.eop-NAM03.prod.protection.outlook.com
 (10.152.84.58) by BY2NAM03HT089.eop-NAM03.prod.protection.outlook.com
 (10.152.84.169) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1339.10; Fri, 16 Nov
 2018 19:14:44 +
Received: from MWHPR14MB1327.namprd14.prod.outlook.com (10.152.84.53) by
 BY2NAM03FT047.mail.protection.outlook.com (10.152.85.103) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
 15.20.1339.10 via Frontend Transport; Fri, 16 Nov 2018 19:14:44 +
Received: from MWHPR14MB1327.namprd14.prod.outlook.com
 ([fe80::f4ae:395a:3f6b:67a3]) by MWHPR14MB1327.namprd14.prod.outlook.com
 ([fe80::f4ae:395a:3f6b:67a3%8]) with mapi id 15.20.1339.021; Fri, 16 Nov 2018
 19:14:44 +
From: Kenton Chmura 
To: "m...@psfc.mit.edu" 
Subject: mrl
Date: Fri, 16 Nov 2018 19:14:44 +
Message-ID: 


--_000_MWHPR14MB13279093501A88B114707EE3B0DD0MWHPR14MB1327namp_
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: quoted-printable

Hi=9D the=9Dre

I'm the=9D ha=9Dcke=9Dr who=9D bro=9Dke=9D yo=9Du=9Dr ema=9Di=9Dl a=9Dddre=
=9Dss a=9Dnd de=9Dvi=9Dce=9D a=9D se=9Dve=9Dra=9Dl we=9De=9Dks ba=9Dck.

Yo=9Du=9D type=9Dd i=9Dn yo=9Du=9Dr pwd o=9Dn one of the si=9Dte=9Ds yo=9Du=
=9D vi=9Dsite=9Dd, a=9Dnd I inte=9Drce=9Dpted it.

He=9Dre=9D i=9Ds the=9D se=9Dcu=9Dri=9Dty pa=9Dsswo=9Drd o=9Df m...@psfc.mit=
.edu upo=9Dn mo=9Dme=9Dnt of ha=9Dck: xxx

Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr a=9Dlready c=
hange=9Dd it.

The=9Dn again thi=9Ds wo=9Dn't really ma=9Dke a=9D di=9Dffe=9Drence=9D, my =
ma=9Dli=9Dcio=9Du=9Ds so=9Dftwa=9Dre=9D u=9Dpda=9Dte=9Dd i=9Dt e=9Da=9Dch a=
=9Dnd e=9Dvery ti=9Dme.

Do=9D no=9Dt co=9Dnsi=9Dder to=9D ma=9Dke=9D co=9Dntact with me=9D pe=9Drso=
nally o=9Dr fi=9Dnd me=9D.

Via=9D yo=9Du=9Dr e=9D-ma=9Di=9Dl, I uplo=9Da=9Dde=9Dd malwa=9Dre=9D co=9Dm=
pute=9Dr co=9Dde to yo=9Dur Ope=9Dra=9Dtion Syste=9Dm.

I sa=9Dved all yo=9Du=9Dr co=9Dnta=9Dcts wi=9Dth bu=9Dddie=9Ds, fello=9Dw w=
o=9Drke=9Drs, fa=9Dmi=9Dly me=9Dmbers and a fu=9Dll hi=9Dsto=9Dry of vi=9Ds=
i=9Dts to the=9D Online re=9Dso=9Du=9Drce=9Ds.

As well I i=9Dnsta=9Dlle=9Dd a=9D Vi=9Dru=9Ds o=9Dn yo=9Du=9Dr de=9Dvi=9Dce=
=9D.

You=9D aren't my only victim, I typi=9Dca=9Dlly lo=9Dck pcs and a=9Dsk fo=
=9Dr the=9D ra=9Dnso=9Dm.

No=9Dne=9Dthe=9Dle=9Dss I wa=9Ds stru=9Dck thro=9Du=9Dgh the=9D si=9Dtes o=
=9Df pa=9Dssi=9Do=9Dna=9Dte co=9Dnte=9Dnt ma=9Dte=9Dri=9Da=9Dl tha=9Dt you=
=9D o=9Dften ta=9Dke a lo=9Dok at.

I am i=9Dn i=9Dmpa=9Dct of you=9Dr cu=9Drre=9Dnt fantasi=9De=9Ds! I've neve=
r seen a=9Dnythi=9Dng li=9Dke=9D this!

The=9Drefore=9D, whe=9Dn yo=9Du=9D ha=9Dd e=9Dnjo=9Dyme=9Dnt o=9Dn piquant =
websi=9Dtes (yo=9Du know wha=9Dt I a=9Dm talki=9Dng abo=9Du=9Dt!) I ma=9Dde=
 scre=9De=9Dnsho=9Dt wi=9Dth u=9Dsi=9Dng my pro=9Dgra=9Dm via=9D yo=9Dur ca=
me=9Dra=9D o=9Df yo=9Du=9Drs de=9Dvi=9Dce=9D.

And the=9Dn, I pu=9Dt toge=9Dthe=9Dr the=9Dm to=9D the=9D conte=9Dnt of the=
=9D cu=9Drre=9Dntly se=9De=9Dn we=9Dbsi=9Dte.

No=9Dw there=9D is go=9Di=9Dng to=9D be=9D giggli=9Dng whe=9Dn I se=9Dnd th=
e=9Dse=9D pi=9Dctu=9Dres to yo=9Du=9Dr co=9Dnnecti=9Do=9Dns!

Ho=9Dweve=9Dr I am su=9Dre yo=9Du do=9Dn't ne=9De=9Dd i=9Dt.

Thus, I e=9Dxpe=9Dct pa=9Dyme=9Dnt fro=9Dm yo=9Du=9D wi=9Dth re=9Dga=9Drd t=
o=9D my qu=9Di=9De=9Dt.

I co=9Dnside=9Dr $40=9D0=9D0=9D (fou=9Dr tho=9Du=9Dsa=9Dnd dolla=9Drs) i=9D=
s a=9Dn a=9Dppro=9Dpri=9Da=9Dte=9D co=9Dst fo=9Dr it!

Pay wi=9Dth Bi=9Dtcoi=9Dn.

My BT=9DC wallet i=9Ds 1GJJ5fsfLVMJiSqTh6nWAd5riDg8xmizB2

In ca=9Dse=9D you=9D do=9D no=9Dt know ho=9Dw to do=9D thi=9Ds - e=9Dnte=9D=
r in to Goo=9Dgle=9D 'ho=9Dw to=9D tra=9Dnsfe=9Dr mo=9Dn

Re: 9D character used in words to avoid detection.

2018-11-17 Thread Mark London
John & Kevin - Thanks for the rules! This tactic was used in a porn
blackmail spam. Considering that we are currently receiving a
large amount of those types of spams, it might be possible that this
tactic might catch on. Or not! We'll see. - Mark


On 11/17/2018 8:23 AM, users-digest-h...@spamassassin.apache.org wrote:

> To: John Hardin
> CC: SA Mailing list
>
> Yeah, there is a SCC SHORT WORDS rule and a KAM_ZWNJ in KAM.cf.
> Please let me know if those help.
>
> --
> Kevin A. McGrail
> VP Fundraising, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
> On Fri, Nov 16, 2018 at 7:37 PM John Hardin wrote:
>
> > On Fri, 16 Nov 2018, Mark London wrote:
> >
> > > I just received a spam email with the 9D character placed inside of words,
> > > that prevented my custom BODY rules from being hit. I.e.:
> > >
> > > Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr a=9Dlready
> > > change=9Dd it.
> > >
> > > Is there a way to define BODY rules, so that they will be triggered?
> > > Thanks.
> >
> > No, that would be way too much work; take a look at __UNICODE_OBFU_ZW in
> > my sandbox. It isn't performing well in masschecks so I expect this tactic
> > isn't widespread (yet?)
> >
> > I suppose I should expose it as scored in case it becomes popular...





Re: 9D character used in words to avoid detection.

2018-11-16 Thread Benny Pedersen

Mark London skrev den 2018-11-17 01:23:

> Is there a way to define BODY rules, so that they will be triggered?
> Thanks.

Manually training Bayes is the only help I can give, sorry.

Spammers want to be detected, so let them :=)


Re: 9D character used in words to avoid detection.

2018-11-16 Thread Kevin A. McGrail
Yeah, there is a SCC SHORT WORDS rule and a KAM_ZWNJ in KAM.cf.  Please let
me know if those help.
--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Fri, Nov 16, 2018 at 7:37 PM John Hardin  wrote:

> On Fri, 16 Nov 2018, Mark London wrote:
>
> > I just received a spam email with the 9D character placed inside of
> words,
> > that prevented my custom BODY rules from being hit.  I.e.:
> >
> > Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr
> a=9Dlready
> > change=9Dd it.
> >
> > Is there a way to define BODY rules, so that they will be triggered?
> > Thanks.
>
> No, that would be way too much work; take a look at __UNICODE_OBFU_ZW in
> my sandbox. It isn't performing well in masschecks so I expect this tactic
> isn't widespread (yet?)
>
> I suppose I should expose it as scored in case it becomes popular...
>
>
> --
>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>   jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   From the Liberty perspective, it doesn't matter if it's a
>   jackboot or a Birkenstock smashing your face.         -- Robb Allen
> ---
>   596 days since the first commercial re-flight of an orbital booster
> (SpaceX)
>


Re: 9D character used in words to avoid detection.

2018-11-16 Thread John Hardin

On Fri, 16 Nov 2018, Mark London wrote:

> I just received a spam email with the 9D character placed inside of words,
> that prevented my custom BODY rules from being hit.  I.e.:
>
> Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr a=9Dlready
> change=9Dd it.
>
> Is there a way to define BODY rules, so that they will be triggered?
> Thanks.


No, that would be way too much work; take a look at __UNICODE_OBFU_ZW in 
my sandbox. It isn't performing well in masschecks so I expect this tactic 
isn't widespread (yet?)


I suppose I should expose it as scored in case it becomes popular...


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  From the Liberty perspective, it doesn't matter if it's a
  jackboot or a Birkenstock smashing your face. -- Robb Allen
---
 596 days since the first commercial re-flight of an orbital booster (SpaceX)


9D character used in words to avoid detection.

2018-11-16 Thread Mark London
I just received a spam email with the 9D character placed inside of 
words, that prevented my custom BODY rules from being hit.  I.e.:


Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr 
a=9Dlready change=9Dd it.


Is there a way to define BODY rules, so that they will be triggered?   
Thanks.


Mark