Message-ID: <Pine.LNX.4.50L0.0307251420120.22383-100000@cia.zemos.net>
From: booger at unixclan.net (security snot)
Subject: Advances in Spamming Techniques
I responded to an earlier post, from a respectable security personality
known as the dotslasher (d0tslasha@...sfot.com) with a bit of sarcasm. I
don't remember the incident 100%, but it was regarding a piece of spam
that he had received, that had a fake gpg signature attached to it.
Recently I've also observed certain advances on bypassing spam filters,
which are being actively exploited out in the wild. Since this is
apparently a serious security-related matter (unsolicited email) I thought
I might share the body of this email with this list, so that everyone can
know what to watch out for in the future, and begin to develop better
antispam security filters.
<spam>
We meet h0t y0ung guys (18-24) all the time who want to get fiuic ked,
to feel a hard c0ck in their aiss for the very first time, and we've
made it our mission in life to help as many of these hot tiwinks as
we can. They're a horny bunch and they spend a fair amount of time
covered in sipunk, f1uicking and suiciking c0ck like champions.
One of our "students":
Name: William Age: 18 Comments: 3 c0cks are better than 1!
When we met William he was so shy that we teamed him up with 2 of our
best educators... Jeff and Steven had sweet Willie suiciking c0ck like
an old pro in no time.
Contents: Full-length downloadable harid core video plus 150 pics.
Let's go?
</spam>
Normally, spam filters will score on phrases such as "hot young guys" and
"hard core" (and other variations, such as "hardcore"); words like
"fucked", "cock", "sucking", etc. In this bit of unsolicited email that I
received after making a post to alt.gay.* (sorry, there may be minors
reading the list and I wouldn't want them to know where they can be
exposed to such adult conversations - here I am, exercising my right to
limited free speech), we can observe that those filters are being bypassed
by altering the spelling of the words and emulating "l33tspeak".
Providing better regular expressions to mail filters, to account for this
type of attack, is probably the best idea. What we're seeing here is a
spinoff of polymorphic shellcode and attack mechanisms (originally
designed to bypass Intrusion Detection Systems) being applied to more
tangible areas of technology. It is interesting, however, to see
technology evolve in this way.
For those of you who don't understand how this could be a security-related
matter, imagine trying to attack an "internal" mailserver on a network,
where mail is forwarded from a spam-filtering proxy. Normally, the
filters on the mail proxy would drop your message in transit, before
reaching the vulnerable mailserver. By applying stealthlike operations on
our spam, we're able to bypass the filters and have our malicious email
attack the victim.
I'd like to thank KF for his assistance in preparing this post, and for
his many intelligence discussions on this mailing list. I'd also like to
thank his colleague dug-h0 y0ng (expl0it1t13z) for a concise and accurate
paper on exploiting format string vulnerabilities; his paper addressed
many things that the five-hundred other papers on the subject managed to
do correctly.
I plan on arranging an academic study into the subject of bypassing spam
filters, and how this affects the stability of the internet. If anyone is
interested in working on this with me, please drop me a message.
Thanks,
-snot
-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------
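Added example (not part of the message above, and not the author's code): a small Python filter that shows the point made about phrase-scoring filters and "l33tspeak". A plain substring match on the filter's phrase list misses every obfuscated term in the spam; a second pass first undoes the digit-for-letter substitutions (0 -> o, 1 -> i, 3 -> e, 4 -> a, 5 -> s, 7 -> t, @ -> a, $ -> s) and then matches each blocked term as a regular expression that tolerates up to two inserted vowels or spaces between consecutive letters, which is the trick used in "fiuic ked", "suiciking" and "harid core". The blocked-term list is the one the message names, the substitution table and the filler class are my own assumptions, and the sample input is assembled from the obfuscated phrases quoted above plus a clean control line.

```python
import re

# Assumed digit/symbol substitutions to undo. Note the side effect: legitimate
# numbers in the text ("18-24", "150") are also turned into letters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# The phrases the post says a filter would normally score on.
BLOCKED_TERMS = ["hot young guys", "hard core", "hardcore",
                 "fucked", "cock", "sucking"]

# Assumed filler: the spam pads words with extra vowels and splits them with
# spaces, so allow up to two of those between consecutive letters of a term.
FILLER = r"[aeiou ]{0,2}"


def normalize(text):
    """Lowercase, undo leet substitutions, and squash every run of non-letters
    to a single space so punctuation cannot be used to break up a word."""
    text = text.lower().translate(LEET)
    text = re.sub(r"[^a-z]+", " ", text)
    return text.strip()


def fuzzy_pattern(term):
    """Build a regex that matches the term's letters in order, with FILLER
    allowed between them. Anchored at a word start only, so 'cocks' and
    'cockpit' both match 'cock' while 'peacock' does not."""
    letters = term.replace(" ", "")
    return re.compile(r"\b" + FILLER.join(re.escape(c) for c in letters))


PATTERNS = {t: fuzzy_pattern(t) for t in BLOCKED_TERMS}


def naive_hits(text):
    """What a plain substring filter reports."""
    low = text.lower()
    return [t for t in BLOCKED_TERMS if t in low]


def fuzzy_hits(text):
    """What the same term list reports after normalization + fuzzy matching."""
    norm = normalize(text)
    return [t for t, p in PATTERNS.items() if p.search(norm)]


# Sample input: obfuscated phrases taken from the spam quoted in the message.
SPAM = ("We meet h0t y0ung guys (18-24) all the time who want to get fiuic ked, "
        "to feel a hard c0ck in their aiss for the very first time. "
        "They spend a fair amount of time covered in sipunk, f1uicking and "
        "suiciking c0ck. Contents: Full-length downloadable harid core video "
        "plus 150 pics.")

# Constructed control line: contains near-miss words that must not trigger.
CLEAN = "Our students learn to clock in on time and bring a cork for the bottle."

if __name__ == "__main__":
    print("naive:", naive_hits(SPAM))   # []
    print("fuzzy:", fuzzy_hits(SPAM))   # all six terms
    print("clean:", fuzzy_hits(CLEAN))  # []
```

The filler class is deliberately narrow: allowing any letter between term letters would make "clock" match "cock". Even so, word-start anchoring means "cockpit" scores as "cock", and the digit mapping mangles ordinary numbers, so a real deployment would weight these hits rather than block on them outright, exactly the kind of tuning the message calls for.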