Re: [Full-Disclosure] Advances in Spamming Techniques

From: KF (dotslash_at_snosoft.com)
Date: 07/26/03

  • Next message: Jason: "Re: [Full-Disclosure] HoneyTokens - WAS - morning_wood should stop posting xss"
    To: security snot <booger@unixclan.net>
    Date: Fri, 25 Jul 2003 18:26:18 -0400
    
    

    viva la pr0j3kt m4yh3m!

    get a life snot...
    -KF

    security snot wrote:

    >I responded to an earlier post, from a respectable security personality
    >known as the dotslasher (d0tslasha@snosfot.com) with a bit of sarcasm. I
    >don't remember the incident 100%, but it was regarding a piece of spam
    >that he had received, that had a fake gpg signature attached to it.
    >
    >Recently I've also observed certain advances on bypassing spam filters,
    >which are being actively exploited out in the wild. Since this is
    >apparently a serious security-related matter (unsolicited email) I thought
    >I might share the body of this email with this list, so that everyone can
    >know what to watch out for in the future, and begin to develop better
    >antispam security filters.
    >
    ><spam>
    >We meet h0t y0ung guys (18-24) all the time who want to get fiuic ked,
    >to feel a hard c0ck in their aiss for the very first time, and we've
    >made it our mission in life to help as many of these hot tiwinks as
    >we can. They're a horny bunch and they spend a fair amount of time
    >covered in sipunk, f1uicking and suiciking c0ck like champions.
    >
    >One of our "students":
    >
    >Name: William Age: 18 Comments: 3 c0cks are better than 1!
    >When we met William he was so shy that we teamed him up with 2 of our
    >best educators... Jeff and Steven had sweet Willie suiciking c0ck like
    >an old pro in no time.
    >Contents: Full-length downloadable harid core video plus 150 pics.
    >
    >
    >Let's go?
    ></spam>
    >
    >Normally, spam filters will score on phrases such as "hot young guys" and
    >"hard core" (and other variations, such as "hardcore"); words like
    >"fucked", "***", "sucking", etc. In this bit of unsolicited email that I
    >received after making a post to alt.gay.* (sorry, there may be minors
    >reading the list and I wouldn't want them to know where they can be
    >exposed to such adult conversations - here I am, exercising my right to
    >limited free speech), we can observe that those filters are being bypassed
    >by altering the spelling of the words and emulating "l33tspeak".
    >
    >Providing better regular expressions to mail filters, to account for this
    >type of attack, is probably the best idea. What we're seeing here is a
    >spinoff of polymorphic shellcode and attack mechanisms (originally
    >designed to bypass Intrusion Detection Systems) being applied to more
    >tangible areas of technology. It is interesting, however, to see
    >technology evolve in this way.
    >
    >For those of you who don't understand how this could be a security-related
    >matter, imagine trying to attack an "internal" mailserver on a network,
    >where mail is forwarded from a spam-filtering proxy. Normally, the
    >filters on the mail proxy would drop your message in transit, before
    >reaching the vulnerable mailserver. By applying stealthlike operations on
    >our spam, we're able to bypass the filters and have our malicious email
    >attack the victim.
    >
    >I'd like to thank KF for his assistance in preparing this post, and for
    >his many intelligence discussions on this mailing list. I'd also like to
    >thank his colleague dug-h0 y0ng (expl0it1t13z) for a concise and accurate
    >paper on exploiting format string vulnerabilities; his paper addressed
    >many things that the five-hundred other papers on the subject managed to
    >do correctly.
    >
    >I plan on arranging an academic study into the subject of bypassing spam
    >filters, and how this affects the stability of the internet. If anyone is
    >interested in working on this with me, please drop me a message.
    >
    >Thanks,
    >-snot
    >
    >-----------------------------------------------------------
    >"Whitehat by day, booger at night - I'm the security snot."
    >- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
    >-----------------------------------------------------------

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
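The obfuscation the quoted post describes (digits standing in for letters, stray characters pushed into the middle of a word) and its proposed countermeasure, better regular expressions, as an added example that is not part of this thread: a Python generator that turns each scored phrase into a pattern tolerant of those tricks, then runs it over a few sample lines. The phrases "hot young guys" and "hard core" are the ones the post names as filter triggers; "free money", the substitution table, the filler class and the sample lines are constructed assumptions.

```python
import re

# Substitutions spammers use for letters; a constructed table, extend it from observed mail.
LEET = {
    "a": "a4@",
    "e": "e3",
    "i": "i1!|",
    "l": "l1|",
    "o": "o0",
    "s": "s5$",
    "t": "t7+",
}

# Up to two characters tolerated between the letters of one word: whitespace, punctuation,
# and the letters i/1 that the quoted sample inserts ("harid core", "fiuic ked").
FILLER = r"[\s\W_i1]{0,2}"

# Whitespace or punctuation between the words of a phrase ("hard-core", "hard  core").
WORD_GAP = r"[\s\W_]+"


def fuzzy_pattern(phrase, filler=FILLER):
    """Build a regex that matches `phrase` despite leetspeak and inserted characters."""
    words = []
    for word in phrase.lower().split():
        classes = []
        for ch in word:
            if ch.isalpha():
                # Character class of the letter plus its known substitutes.
                classes.append("[" + re.escape(LEET.get(ch, ch)) + "]")
            else:
                classes.append(re.escape(ch))
        words.append(filler.join(classes))
    # Negative lookbehind keeps the phrase from matching inside a longer word ("shotgun").
    return r"(?<![A-Za-z])" + WORD_GAP.join(words)


# Phrases a filter scores on; the first two come from the post, the third is constructed.
FLAGGED_PHRASES = ["hot young guys", "hard core", "free money"]

COMPILED = [(p, re.compile(fuzzy_pattern(p), re.IGNORECASE)) for p in FLAGGED_PHRASES]


def flagged_phrases(text):
    """Return the flagged phrases found in `text`, obfuscated or not."""
    return [p for p, rx in COMPILED if rx.search(text)]


# Constructed sample lines: the first two reuse the spelling tricks from the quoted spam.
SAMPLE_LINES = [
    "We meet h0t y0ung guys all the time",
    "Full-length downloadable harid core video",
    "Fr33 m0n3y for you, click now",
    "A hard-core fan of open source software",
    "Quarterly report attached, see you Monday",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{flagged_phrases(line)!s:<20} {line}")
```

The filler class is the knob that matters: every character added to it raises recall against obfuscated mail and lowers precision on legitimate text, so a pattern this loose should contribute to a message score alongside other signals rather than reject on its own, and the substitution table needs refreshing as new spellings show up.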

