I know this has come up before, but I'm seeing more of these and I'm hoping
somebody has come up with an automated solution.
Some spammers are using a ridiculously simple substitution cipher to hide
spamvertised URLs and email addresses from SpamCop.
Here's how it works.
1. They put the URL/email in a variable. The codes are off 3 characters.
2. They run a function that subtracts 3 and converts it to a string.
3. They document.write it out
So, unless the automated tool like SpamCop actually ran the script (probably
not a good idea) it can't detect the URL/email address.
Leonard
For those without JavaScript debuggers I wrote this web page that uses DHTML
to run a de-cipher function:
<HTML>
<HEAD>
<TITLE> Run the decipher function </TITLE>
<script>
//For a new spam, you will need to replace this function with
// the one in it.
// 1. Make it readable by formatting it correctly.
// 2. Inspect and make sure it doesn't do anything malicious
// before you run it.
function Encrypto( s )
var sRet="";
for(j=0; j< s.length; j++ )
var n = s.charCodeAt(j);
if (n >= 8364) {n = 128;}
sRet += String.fromCharCode( n - 3 );
}
return( sRet );
}
</script>
<SCRIPT ID=clientEventHandlersJS LANGUAGE=javascript>
<!--
//When the window loads, run the decipher script on this string.
// Place the result in the DIV tag below. For a new spam you
// will need to make sure the de-cipher function name matches.
function window_onload() {
var sJsCmds ="" +
"?kwpoA?KHDGA?PHWD#KWWS0HTXLY@%Uhiuhvk%#FRQWHQW@%4>#xuo@kwws=225361;<14<6145
72�vhdq2%A?wlwohAPrujdjh1?2wlwohA?2KHDGA?VFULSW#ODQJXDJH@%MdydVfulsw%A?$00#y
du#wh{wh@%V|vwhp#Uhvrxufhv#Orz#$%ydu#qw@3>ydu#lh@3li#+qdyljdwru1dssQdph@@%Qh
wvfdsh%,#~#####grfxphqw1fdswxuhHyhqwv+Hyhqw1PRXVHGRZQ,>#####qw@4>?###hovh#lh
@4ixqfwlrq#ghwhfw+hy,#~##li#++qw))hy1zklfk@@4,+lh))hyhqw1exwwrq@@4,,~?####
hovh#vhwWlphrxw+*dohuw+wh{wh,*/4,>?####grfxphqw1rqprxvhgrzq@ghwhfw2200A?2VFU
LSWA?erg|#ejfroru@%&IIIIII%#wh{w@%&IIII33%A?sA)qevs>?2sA?sA)qevs>?2sA?sA)qev
s>?2sA?sA)qevs>?2sA?sA)qevs>?2sA?sA)qevs>?2sA?sA)qevs>?2sA?wdeoh#erughu@%3%#
zlgwk@%:8(%#doljq@%FHQWHU%A##?wuA#####?wgA######?gly#doljq@%FHQWHU%A########
?irqw#froru@%&II66<<%A1111111111111111111Rqh#Vhfrqg#sohdvh#ordglqj1111111111
11111111?2irqwA######?2glyA####?2wgA##?2wuA?2wdeohA?sA)qevs>?2sA?sA)qevs>?2s
A?sA)qevs>?2sA?sA)qevs>?2sA?s#doljq@%FHQWHU%A?2sA?s#doljq@%FHQWHU%A?2sA?s#do
ljq@%FHQWHU%A?2sA?s#doljq@%FHQWHU%A?2sA?s#doljq@%FHQWHU%A?irqw#froru@%&IIII3
3%A1111Rqh#vhfrqg#dv#zh#orj#|rx#lq1111?2irqwA?2sA?s#doljq@%FHQWHU%A?2sA?2erg
|A?2kwpoA" + "";
divData.innerText = Encrypto (sJsCmds) ;
}
//-->
</SCRIPT>
</HEAD>
<BODY LANGUAGE=javascript onload="return window_onload()">
<H3>DE-CIPHERED HTML WILL DISPLAY BELOW</H3>
<P>
<DIV id="divData"></DIV>
</P>
<H3>END DE-CIPHERED HTML</H3>
</BODY>
</HTML>
_______________________________________________
SpamCop-List mailing list
[EMAIL PROTECTED]
http://news.spamcop.net/mailman/listinfo/spamcop-list
