[PLUG] A new approach to pass mail filters
Dave Clemans
dgc at easystreet.com
Sat Jan 25 11:20:02 UTC 2003
There was a paper on this and another new technique at the recent MIT
spam conference. If I understand correctly, what's happening below is
that the spammer's program is automatically inserting random html
between words to try to confuse body filters.
That paper said there is also another spammer tool around that uses html
tables to try to ensure that at no point are two letters of the same word
adjacent to each other in the raw message body.
Assuming you can't just arbitrarily reject messages with html comments,
a message body preprocessor that eliminates html comments before any
filtering happens should be feasible. Or have the body filtering system
really understand html.
Protecting against the table method sounds harder. Maybe you'd need an
ascii message body html renderer?
dgc
On Sat, 2003-01-25 at 09:04, Rich Shepard wrote:
> In the past two days I've seen messages that should have been rejected by
> my postfix filters. In each case the undesired message (whose name in the
> body of this message would prevent me posting), contains something like
> this:
>
> rem<!vdydogntmc>oval
>
> in the midst of a typical postfix filter word. In pine the word appears
> whole until I turn on headers and see the html source.
>
> Does anyone know why this works and whether or not there's a generic regex
> (other than putting '.*' between every two characters) to remove its evil
> intent?
>
> Thanks,
>
> Rich
>
> Dr. Richard B. Shepard, President
>
> Applied Ecosystem Services, Inc. (TM)
> 2404 SW 22nd Street | Troutdale, OR 97060-1247 | U.S.A.
> + 1 503-667-4517 (voice) | + 1 503-667-8863 (fax) | rshepard at appl-ecosys.com
> http://www.appl-ecosys.com/
>
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
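
An added example, not code from either poster: a sketch of the body preprocessor suggested in the reply above, which uses Python's standard `html.parser` to keep only the text a reader would see and then applies the body rules to that text. The sample message, the pattern, `BLOCK_TAGS` and the function names are assumptions made for illustration, and the table-based technique mentioned in the reply is not handled here.

```python
import re
from html.parser import HTMLParser

# Tags a mail client renders as a break between words (constructed, not exhaustive).
BLOCK_TAGS = {"br", "p", "div", "tr", "td", "th", "li", "table", "h1", "h2", "h3"}


class VisibleText(HTMLParser):
    """Collect only the text a reader would see in the rendered message."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode &amp; / &#101; in text
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def _maybe_break(self, tag):
        # Inline tags (<b>, <font>, ...) add nothing, so split words rejoin.
        if tag in BLOCK_TAGS:
            self.parts.append(" ")

    def handle_starttag(self, tag, attrs):
        self._maybe_break(tag)

    def handle_endtag(self, tag):
        self._maybe_break(tag)

    # handle_comment / handle_decl keep their no-op defaults, so "<!-- x -->"
    # and bogus declarations such as "<!vdydogntmc>" are dropped entirely.


def visible_text(body):
    parser = VisibleText()
    parser.feed(body)
    parser.close()
    return re.sub(r"\s+", " ", "".join(parser.parts)).strip()


def body_matches(body, patterns):
    """Return the patterns that hit the normalized (rendered-text) body."""
    text = visible_text(body)
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


# Constructed sample, modelled on the fragment quoted in the thread.
SAMPLE = ("<html><body><p>For rem<!vdydogntmc>oval fr<!-- zq>x -->om our "
          "l<b></b>ist, click here.</p></body></html>")
PATTERNS = [r"\bremoval from our list\b"]  # hypothetical body rule

if __name__ == "__main__":
    print("raw hit:       ", bool(re.search(PATTERNS[0], SAMPLE, re.I)))
    print("normalized hit:", body_matches(SAMPLE, PATTERNS))
```

The same normalized text can be fed to whatever body rules are already in place, so the existing patterns do not need `.*` between characters.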