[Dshield] New email spam

ECJB ecjb at ecjb.net
Wed Dec 24 13:03:19 GMT 2003

Is it possible to double-encode mail (wrap it in two layers of b64 
encoding) and if so, how can that be detected?  Or am I asking a silly 
question because mail programs would choke on such a thing?

- Eric.

Kenneth Coney wrote:

> So what you are saying is email containing HTML or other coding should 
> simply be refused.  That would end 90% of the Spam.  Then a simple 
> dictionary filter on the Subject line would eliminate any messages 
> with padding or coding.  I like it.  Back to .txt only we go.
> Subject: RE: [Dshield] New email spam
> From: "Coxe, John B." <JOHN.B.COXE at saic.com>
> Date: Mon, 22 Dec 2003 08:40:30 -0800
> To: "'General DShield Discussion List'" <list at dshield.org>
> This serves various purposes.  The most important one to them is that
> each message has a unique subject.  So those writing filters for the
> most prevalent, by count, subjects entering their MTAs will miss them as
> their entire campaign consists of lots of messages, each with a subject
> count of one.
> If you want to see broken spam programs, note the subjects that come in
> literally with "%RND_UC_CHAR[2-8]" or "%RANDOM_WORD".  Pretty easy to
> filter those.
> The hardest subjects to filter are those utilizing character encoding in
> the subject line.  The quoted-printable is easy enough.  However, base64
> encoding requires a decoder as part of the filter.  See RFC 1345 for
> encodings.  The most prevalent one used is ISO-8859-1.  In fact, it
> accounts for practically all of the encoded spam.  Funny that the
> spammers haven't jumped over to use "latin1", which is exactly the same
> (just an alias for iso-8859-1), to bypass folks who put in a general
> iso-8859-1 filter.  There is sure to be a lot of growth in this area.
> It takes every three characters and transforms them to four other
> characters.  The entire encoding is completely unreadable.  But it
> displays in MS Outlook and will render as the decoded form when
> forwarded.
> An example might be a Subject like "V2FudCBhIEJJR0dFUiBQRU5JUz8=", which
> decoded has the "P" word in it.  (See, for example,
> http://makcoder.sourceforge.net/demo/base64.php to decode this or your
> own subjects.)  One can defend against this without an inline decoder to
> some
> <snip>
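
Added example, not part of the original thread: one way a Subject filter can carry its own decoder and also detect a second base64 layer, by decoding RFC 2047 encoded-words and then peeling base64 repeatedly until the text stops looking like base64. The sample subjects, the keyword list and the printable-ASCII heuristic are constructed assumptions.

```python
import base64, binascii, re
from email.header import decode_header

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def enc(s):
    return base64.b64encode(s.encode("ascii")).decode("ascii")

# Constructed sample subjects (not taken from real mail).
PLAIN = "Lower your mortgage rate now"
SINGLE = "=?iso-8859-1?B?" + enc(PLAIN) + "?="       # normal encoded-word
ALIAS = "=?latin1?B?" + enc(PLAIN) + "?="            # charset alias
DOUBLE = "=?iso-8859-1?B?" + enc(enc(PLAIN)) + "?="  # base64 inside base64

def peel_base64(text):
    """Return decoded text if `text` is base64 of printable ASCII, else None."""
    s = text.strip()
    if len(s) < 8 or len(s) % 4 or not B64_RE.fullmatch(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Heuristic (assumption): ordinary words rarely decode to clean ASCII.
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")

def decode_subject(value, max_layers=5):
    """Decode encoded-words, then peel nested base64: (text, extra_layers)."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label
                chunk = chunk.decode("iso-8859-1")
        parts.append(chunk)
    text, extra = "".join(parts), 0
    while extra < max_layers and (inner := peel_base64(text)) is not None:
        text, extra = inner, extra + 1
    return text, extra

def matches(value, words):
    # Dictionary filter applied to the fully decoded subject, not the raw header.
    return any(w in decode_subject(value)[0].lower() for w in words)
```

An `extra_layers` value above zero means the subject was still base64 after normal MIME decoding, which a mail client would display as gibberish, so the count itself is a usable filter signal.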
