Re: newer generation of spam

To: debian-user@lists.debian.org
Subject: Re: newer generation of spam
From: kenneth dombrowski <kenneth@ylayali.net>
Date: Sat, 24 May 2003 01:18:58 -0400
Message-id: <[🔎] 20030524051858.GB31876@ylayali.net>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20030524041542.GA25861@radon>
References: <[🔎] 20030524041542.GA25861@radon>


On 03-05-24 00:15 -0400, Graeme Tank wrote:

> However, I've been recently receiving an new class of spam that appears
> to be designed to evade spam filters that learn, such as the stable
> version of bogofilter.
>

Hi Graeme,

You mean like this? 

<p>G<!--g2j8t9256xh-->et yo<!--thipfx3czlak-->ur
+med<!--skks8d369ngc-->icat<!--2x2xeh3sq3jzlj-->ion pres<!--20e3mo3hg3-->cribed
+on<!--3xsw3j1y5i2-->line an<!--ggyu9229gx1-->d shi<!--xhn6t43gl480-->pped
+t<!--hoqjq82piiydf-->o y<!--ww6dzu382t-->our d<!--lq6jtz35bixd41-->oor
+o<!--w3tfie16516vm2-->verni<!--ykwnih2u79wnx-->ght!</p>

I've noticed that too. Spamassassin on my Woody server catches it, but
it's not the official Woody version (I think 2.20 is in Woody?). It's
not the latest spamassassin either, I've read here that the 2.5 release
has a bayesian system, but since I only get like one piece of spam in my
inbox each month, I haven't bothered upgrading from 2.43. I never
changed the defaults & using the OBFUSCATING_COMMENT technique scores 
them a 2.1 on the spam-meter (see below) 

You think Bogofilter is allowing that to obfuscate the meaning of the
text? I would find that to be fairly surprising considering how long
spam has been HTMLized (I'm thinking of <font size=6
color=red>F</font><font size=4 color=blue>irst letter is big and 
red</font> kind of stuff)

(I wonder how many bogofilter users' filters will filter this message
vs. the spamassassin users)

This is from the headers of the message I excerpted above:

X-Spam-Status: Yes, hits=7.0 required=5.0
        tests=CLICK_BELOW,CTYPE_JUST_HTML,DIET,HTML_50_70,
              HTML_COMMENT_UNIQUE_ID,IMPOTENCE,OBFUSCATING_COMMENT,
              SPAM_PHRASE_13_21,USER_AGENT_OE,VIAGRA
        version=2.43
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)
X-Spam-Prev-Content-Type: text/html; charset="iso-8859-1"
X-Spam-Prev-Content-Transfer-Encoding: 8bit
                                                                                
SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details:   (7.00 hits, 5 required)
SPAM: USER_AGENT_OE      (0.2 points)  X-Mailer header indicates a non-spam MUA
+(Outlook Express)
SPAM: VIAGRA             (1.4 points)  BODY: Plugs Viagra
SPAM: IMPOTENCE          (0.5 points)  BODY: Impotence cure
SPAM: DIET               (0.4 points)  BODY: Lose Weight Spam
SPAM: CLICK_BELOW        (0.3 points)  BODY: Asks you to click below
SPAM: SPAM_PHRASE_13_21  (1.3 points)  BODY: Spam phrases score is 13 to 21
+(high)
SPAM:                    [score: 14]
SPAM: HTML_50_70         (0.3 points)  BODY: Message is 50-70% HTML tags
SPAM: HTML_COMMENT_UNIQUE_ID (0.1 points)  BODY: Contains a comment with nothing+but unique ID
SPAM: OBFUSCATING_COMMENT (2.1 points)  BODY: HTML comments which obfuscate textSPAM: CTYPE_JUST_HTML    (0.4 points)  HTML-only mail, with no text version
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------

Reply to:

Follow-Ups:
- Re: newer generation of spam
  - From: Graeme Tank <graemet@umich.edu>

References:
- newer generation of spam
  - From: Graeme Tank <graemet@umich.edu>

Prev by Date: Re: text editing
Next by Date: Re: newer generation of spam
Previous by thread: Re: newer generation of spam
Next by thread: Re: newer generation of spam
Index(es):
- Date
- Thread