lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.50L0.0307251420120.22383-100000@cia.zemos.net>
From: booger at unixclan.net (security snot)
Subject: Advances in Spamming Techniques

I responded to an earlier post, from a respectable security personality
known as the dotslasher (d0tslasha@...sfot.com) with a bit of sarcasm.  I
don't remember the incident 100%, but it was regarding a piece of spam
that he had recieved, that had a fake gpg signature attached to it.

Recently I've also observed certain advances on bypassing spam filters,
which are being actively exploited out in the wild.  Since this is
apparently a serious security-related matter (unsolicited email) I thought
I might share the body of this email with this list, so that everyone can
know what to watch out for in the future, and begin to develop better
antispam security filters.

<spam>
We meet h0t y0ung guys (18-24) all the time who want to get   fiuic ked,
to feel a hard c0ck in their   aiss   for the very first time, and we've
made it our mission in life to help as many of these hot   tiwinks   as
we can. They're a horny bunch and they spend a fair amount of time
covered in   sipunk, f1uicking  and suiciking c0ck like champions.

One of our "students":

Name: William Age: 18 Comments: 3 c0cks are better than 1!
When we met William he was so shy that we teamed him up with 2 of our
best educators... Jeff and Steven had sweet Willie suiciking  c0ck like
an old pro in no time.
Contents: Full-length downloadable harid core video plus 150 pics.


Let's go?
</spam>

Normally, spam filters will score on phrases such as "hot young guys" and
"hard core" (and other variations, such as "hardcore"); words like
"fucked", "cock", "sucking", etc.  In this bit of unsolicited email that I
recieved after making a post to alt.gay.* (sorry, there may be minors
reading the list and I wouldn't want them to know where they can be
exposed to such adult conversations - here I am, exercising my right to
limited free speech), we can observe that those filters are being bypassed
by altering the spelling of the words and emulating "l33tspeak".

Providing better regular expressions to mail filters, to account for this
type of attack, is probably the best idea.  What we're seeing here is a
spinoff of polymorphic shellcode and attack mechanisms (originally
designed to bypass Intrusion Detection Systems) being applied to more
tangible areas of technology.  It is interesting, however, to see
technology evolve in this way.

For those of you who don't understand how this could be a security-related
matter, imagine trying to attack an "internal" mailserver on a network,
where mail is forwarded from a spam-filtering proxy.  Normally, the
filters on the mail proxy would drop your message in transit, before
reaching the vulnerable mailserver.  By applying stealthlike operations on
our spam, we're able to bypass the filters and have our malicious email
attack the victim.

I'd like to thank KF for his assistance in preparing this post, and for
his many intelligence discussions on this mailing list.  I'd also like to
thank his colleague dug-h0 y0ng (expl0it1t13z) for a concise and accurate
paper on exploiting format string vulnerabilities; his paper addressed
many things that the five-hundred other papers on the subject managed to
do correctly.

I plan on arranging an academic study into the subject of bypassing spam
filters, and how this affects the stability of the internet.  If anyone is
interested in working on this with me, please drop me a message.

Thanks,
-snot

-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ