
Re: [Asrg] How to defeat spam that uses encryption?



Markus Stumpf said:
> On Mon, Mar 31, 2003 at 09:55:24AM -0700, Vernon Schryver wrote:
> > Many spammers encode their efforts as quoted-printable, base64,
> > or even both (never mind the MIME RFCs and MUA behavior).
> You mean like in
>     Perfo<!--|s=3zd=3FAizd[S0=|d,F08F3-->rmance
>     En<!--|s=3zd=3FAizd[S0=|d,F08F3-->hancer
>     Enla<!--|s=3zd=3FAizd[S0=|d,F08F3-->rgement
> > easier to evade than to operate.  Spammers are always slow and behind.
> > Why?
> If they are so far behind, why do/did messages of this type pass so much
> "ahead" content filters?

Hmm.  *Do* they?  I haven't heard of any filters, apart from the "A Plan
For Spam" style ones which do not even trivially decode HTML, that are
vulnerable to this.

SpamAssassin certainly isn't; in fact, it makes a great spam sign for us.
But about twice a week, someone posts to the SpamAssassin-talk list asking
if we're worried about this "new technique", which gets irritating after a
while.

BTW, in response to Vernon's original comment -- the reason at least one
spam tool uses QP/Base64 encoding on normal text is to evade *AOL's*
content filters and bulk-mail detectors specifically.  By adding a random
"hashbuster" at the start of the mail, the base64 text changes radically
and requires a totally different fuzzy hash signature.  (I read the
tool's documentation ;)

--j.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
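
Added illustration (not code from SpamAssassin, the spam tool, or anyone in the thread): a filter that undoes the transfer encoding and strips HTML comments before matching sees the same text regardless of the comment padding or the "hashbuster" prefix. The sample body, the hashbuster strings and the character n-gram similarity used as a stand-in for a fuzzy hash are constructed assumptions; only the comment string is taken from the quoted message.

```python
import base64
import quopri
import re

COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
TAG = re.compile(r"<[^>]+>")

def normalize(body: bytes, cte: str) -> str:
    """Undo the Content-Transfer-Encoding, then drop HTML comments and tags."""
    cte = cte.lower()
    if cte == "base64":
        body = base64.b64decode(body)          # ignores the line breaks
    elif cte == "quoted-printable":
        body = quopri.decodestring(body)
    text = body.decode("utf-8", errors="replace")
    text = COMMENT.sub("", text)               # comments first, so split words rejoin
    text = TAG.sub(" ", text)
    return " ".join(text.lower().split())

def shingles(s: str, n: int = 5) -> set:
    return {s[i:i + n] for i in range(len(s) - n + 1)}

def similarity(a: str, b: str) -> float:
    """Jaccard similarity of character 5-grams (stand-in for a fuzzy hash)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)

# Constructed sample: one word split by the comment quoted in the message.
JUNK = "<!--|s=3zd=3FAizd[S0=|d,F08F3-->"
BODY = (f"<p>Perfo{JUNK}rmance enhancer offer, limited time. "
        "Visit our site today for details.</p>")

def wire(hashbuster: str) -> bytes:
    """Base64 body as it would appear on the wire, hashbuster first."""
    return base64.encodebytes(f"{hashbuster} {BODY}".encode())

def compare(hb1: str, hb2: str) -> tuple:
    """Similarity of two copies: (on the raw base64, after normalizing)."""
    m1, m2 = wire(hb1), wire(hb2)
    raw = similarity(m1.decode("ascii"), m2.decode("ascii"))
    decoded = similarity(normalize(m1, "base64"), normalize(m2, "base64"))
    return raw, decoded

if __name__ == "__main__":
    # Prefix lengths differ mod 3, so every base64 character after them shifts.
    print(compare("xq7f2", "k93mzpa"))
```

The raw score collapses because the two prefixes put the shared text at different positions within base64's 3-byte groups; prefixes of equal length modulo 3 would leave the tail of the encoding identical.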