interesting spammer tricks

Tom Anderson tanderso at oac-design.com
Wed Sep 24 04:56:26 CEST 2003


David (and list),

We spoke recently about filtering various multipart emails in different
ways, and one of the main issues involved images in html parts --
particularly images of text.  I just thought that you might find this
particular spam quite interesting.  When I view it in my html-capable
email client, I see a seemingly valid message from ebay.  However, when
I view the source, it appears to be a different message entirely.  I
don't see any mention of ebay at all, just some random ham-like tokens. 
Turns out that the embedded image is the ebay message in gif format, and
the other hamifying text is all in white to make it invisible.

I don't know if this supports any previous conclusions about how to rank
various mime parts or calls them into question, however I do see this as
a problem for bogofilter.  Although the color="#FFFFFX" strings SHOULD
appear very spam-like, the vast majority of the terms contained in those
strings are very benign.  In fact, they were specifically crafted to be
as hamish as possible.  I would tend to think that this would push it
overwhelmingly into the ham direction.  Moreover, the colors are just
slightly off-white so as to also be new tokens, but indistinguishable to
the human eye.  Spamicity = 0.00000 according to my database.  It
appears to be the perfect bogofilter foiler.

Possible ways to combat this would be to contrast the background color
with the text color and not rank any strings which are very close to the
background color.  Background images would be a problem though.  Most
spam of this nature would want to use white backgrounds though, as those
appear most genuinely from the spoofed sender.  I know search engines
have been dealing with these problems for quite some time... I wonder if
we could borrow some of their solutions, if we can find them published
anywhere.

Tom
-------------- next part --------------
An embedded message was scrubbed...
From: eBay <users-line1 at eBay.com>
Subject: 0fficial Notice for all eBay users
Date: Tue, 23 Sep 2003 21:30:16 +0000
Size: 8670
URL: <http://www.bogofilter.org/pipermail/bogofilter/attachments/20030923/83b98f42/attachment.mht>
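
The countermeasure suggested in the message above (compare each text colour with the background and do not score near-invisible strings) can be sketched as follows. This is an added example, not part of the original post and not bogofilter code; the threshold value, the function names and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

THRESHOLD = 48  # assumed cut-off: largest per-channel difference still treated as invisible

def parse_colour(value):
    """Return (r, g, b) for '#RRGGBB', or None if the value is not of that form."""
    m = re.fullmatch(r"#?([0-9a-fA-F]{6})", (value or "").strip())
    if not m:
        return None
    h = m.group(1)
    return tuple(int(h[i:i + 2], 16) for i in (0, 2, 4))

def too_close(fg, bg):
    """True when the text colour is nearly identical to the background colour."""
    return max(abs(a - b) for a, b in zip(fg, bg)) < THRESHOLD

class VisibleText(HTMLParser):
    def __init__(self):
        super().__init__()
        self.bg = (255, 255, 255)     # assume a white page unless <body bgcolor> says otherwise
        self.fg_stack = [(0, 0, 0)]   # default text colour: black
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body":
            self.bg = parse_colour(a.get("bgcolor")) or self.bg
            self.fg_stack[0] = parse_colour(a.get("text")) or self.fg_stack[0]
        elif tag == "font":
            # an unparsable colour value inherits the enclosing text colour
            self.fg_stack.append(parse_colour(a.get("color")) or self.fg_stack[-1])

    def handle_endtag(self, tag):
        if tag == "font" and len(self.fg_stack) > 1:
            self.fg_stack.pop()

    def handle_data(self, data):
        bucket = self.hidden if too_close(self.fg_stack[-1], self.bg) else self.visible
        bucket.extend(data.split())

def split_tokens(html):
    """Return (tokens a reader can see, tokens hidden against the background)."""
    p = VisibleText()
    p.feed(html)
    p.close()
    return p.visible, p.hidden

# Constructed sample modelled on the message described above (not the actual spam).
SAMPLE = ('<html><body bgcolor="#FFFFFF"><img src="cid:notice.gif">'
          '<font color="#FFFFFE">meeting schedule</font>'
          '<font color="#FEFFFD">thanks regards</font>'
          '<font color="#000000">Click here</font></body></html>')
```

Only the visible tokens would be passed on for scoring. The sketch reads `<body bgcolor>` and `<font color>` only; CSS colours and background images, the case the message already flags as a problem, are not handled.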

