
SPAM message format, or not ?
I've been getting a lot of spams here with a format similar to:

[snip]
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><style>

d171f2b7-af04-5a8-5a8-cee259c46b8f
9fc2adda-9160-c56-c56-feadd16b0acc
cec5f152-fd8b-9a9-9a9-c5e5c0e676cb
3aaf4ded-e0ec-31d-31d-efec2dbb3f8a
b4804f85-ac57-2d2-2d2-f1c275fd8a0f
4a8cccf0-e0ea-eb7-eb7-beef48d34ff9
edaf0f77-a5b3-bdc-bdc-bdf3aac36bf5
66cef8f7-3be7-3c3-3c3-eefbb04d1f3d
feeac7ae-bda4-476-476-bd68dd935701
a1f2a14d-2beb-390-390-71b7c8933ae7
18c00d8b-b6ba-66d-66d-bf1abff7564b
35c0a27b-cd0d-e5c-e5c-3277bdd93ed3
a2d15cc1-b785-5c2-5c2-7eeff43c1e3a
.... etc.
</style>
[rest of spam]

... perhaps a couple hundred lines of these random hex number
sequences.

These lines are almost certainly intended to avoid spam filtration. I
have a couple of questions.

* What's the nature of this style block (obviously not legit HTML
styles)?

* Are there any characteristics of these emails which can be singled
out for the purpose of blocking them?

* Has anyone developed any rules to deal with these, either for
SpamAssassin or any other filtering platform?

I frequently just block IP addresses, however these come from
amazonaws.com (Amazon) IP addresses, which may well overlap with
legitimate amazon.com mail sources, so I'm looking for a way to block
them with a finer tool.

--
Lindsay Haisley         | "The first casualty when
FMP Computer Services   |  war comes is truth."
512-259-1190            |
http://www.fmp.com      |           -- Hiram W Johnson
Re: SPAM message format, or not ?
On Wed, 18 Dec 2019, Lindsay Haisley wrote:

> I've been getting a lot of spams here with a format similar to:
>
> [snip]
> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><style>
>
> d171f2b7-af04-5a8-5a8-cee259c46b8f
> 9fc2adda-9160-c56-c56-feadd16b0acc
> cec5f152-fd8b-9a9-9a9-c5e5c0e676cb
> 3aaf4ded-e0ec-31d-31d-efec2dbb3f8a
> b4804f85-ac57-2d2-2d2-f1c275fd8a0f
> 4a8cccf0-e0ea-eb7-eb7-beef48d34ff9
> edaf0f77-a5b3-bdc-bdc-bdf3aac36bf5
> 66cef8f7-3be7-3c3-3c3-eefbb04d1f3d
> feeac7ae-bda4-476-476-bd68dd935701
> a1f2a14d-2beb-390-390-71b7c8933ae7
> 18c00d8b-b6ba-66d-66d-bf1abff7564b
> 35c0a27b-cd0d-e5c-e5c-3277bdd93ed3
> a2d15cc1-b785-5c2-5c2-7eeff43c1e3a
> .... etc.
> </style>
> [rest of spam]
>
> ... perhaps a couple hundred lines of these random hex number
> sequences.
>
> These lines are almost certainly intended to avoid spam filtration. I
> have a couple of questions.
>
> * What's the nature of this style block (obviously not legit HTML
> styles)?

Gibberish <style> blocks have been used by spammers for a long time.

> * Are there any characteristics of these emails which can be singled
> out for the purpose of blocking them?

Generally, that the content of a <style> block is not properly formatted
for CSS styling information.

> * Has anyone developed any rules to deal with these, either for
> SpamAssassin or any other filtering platform?

There are rules for such currently in the SA base rules. It's possible
that this approach isn't caught by them. Can you post a spample to
pastebin and mention the link to it here so that we can take a look?

Offhand that sounds like it should be caught by one of the existing style
gibberish rules. Are those rules hitting but the messages still aren't
scoring high enough to be quarantined or rejected?

If they are, perhaps a meta for STYLE_GIBBERISH + from AWS (dunno offhand
if that's already in the base rules) would be enough to push them over the
limit...

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
7 days until Christmas
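John's answer names the tell: whatever is inside the <style> element is not CSS. The Python below is an added example (it is not code from this thread and not a SpamAssassin rule) that implements that check directly: it pulls every <style> block out of each text/html part, strips comments and well-formed `selector { declarations }` rules (repeatedly, so nested @media blocks are consumed too), and calls the block gibberish when most of what remains is bare hex groups of the shape quoted at the top of the thread. The two sample messages, their addresses, the chaff generator and the thresholds (at least five residue lines, 80% of them chaff) are all constructed assumptions to be tuned against local ham.

```python
import email
import hashlib
import re
from email import policy

STYLE_RE = re.compile(r"<style\b[^>]*>(.*?)</style>", re.I | re.S)
CSS_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# One well-formed rule: anything-but-braces, then one brace-delimited declaration block.
# Applied until nothing matches, so nested blocks (@media { .x { } }) go from the inside out.
CSS_RULE_RE = re.compile(r"[^{}]+\{[^{}]*\}")
HEX_CHAFF_RE = re.compile(r"[0-9a-fA-F-]+")


def strip_css_rules(css: str):
    """Remove comments and well-formed rules; return (residue, number of rules removed)."""
    text = CSS_COMMENT_RE.sub("", css)
    removed = 0
    while True:
        text, n = CSS_RULE_RE.subn("", text)
        if n == 0:
            return text, removed
        removed += n


def is_hex_chaff(line: str) -> bool:
    """A line made only of hex digits and hyphens, with at least 16 hex digits,
    e.g. d171f2b7-af04-5a8-5a8-cee259c46b8f. Real CSS never looks like this."""
    return bool(HEX_CHAFF_RE.fullmatch(line)) and sum(c != "-" for c in line) >= 16


def style_block_metrics(css: str) -> dict:
    residue, rules = strip_css_rules(css)
    lines = [ln.strip() for ln in residue.splitlines() if ln.strip()]
    chaff = sum(1 for ln in lines if is_hex_chaff(ln))
    return {"rules": rules, "residue_lines": len(lines), "chaff_lines": chaff}


def is_gibberish_style(css: str, min_lines: int = 5, min_chaff_ratio: float = 0.8) -> bool:
    """Assumed thresholds: at least min_lines of non-CSS residue, of which
    min_chaff_ratio or more are bare hex chaff. A real rule or two mixed in
    does not rescue the block, because only the residue is measured."""
    m = style_block_metrics(css)
    if m["residue_lines"] < min_lines:
        return False
    return m["chaff_lines"] / m["residue_lines"] >= min_chaff_ratio


def message_has_gibberish_style(raw: str) -> bool:
    """Parse an RFC 5322 message and test every <style> block of every text/html part."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for css in STYLE_RE.findall(part.get_content()):
            if is_gibberish_style(css):
                return True
    return False


# ---- constructed samples (not the list poster's messages) ----
def _chaff_line(i: int) -> str:
    """Deterministic stand-in for one chaff line: 8-4-3-3-12 hex groups with the
    third group repeated, like the thread's sample; sha256 keeps it reproducible."""
    h = hashlib.sha256(f"chaff-{i}".encode()).hexdigest()
    return f"{h[:8]}-{h[8:12]}-{h[12:15]}-{h[12:15]}-{h[15:27]}"


def _as_message(html: str) -> str:
    """Wrap HTML in a minimal single-part message; the addresses are invented."""
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        "Subject: sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: text/html; charset="iso-8859-1"\n'
        "\n" + html
    )


CHAFF_CSS = "\n".join(_chaff_line(i) for i in range(200))
SPAM_MESSAGE = _as_message(
    '<html><head><meta http-equiv="Content-Type" content="text/html; '
    'charset=iso-8859-1"><style>\n' + CHAFF_CSS + "\n</style></head>"
    '<body><p>Click <a href="http://example.invalid/">here</a></p></body></html>\n'
)
HAM_MESSAGE = _as_message(
    "<html><head><style>\n/* newsletter styles */\n"
    "body { font-family: Arial, sans-serif; color: #333; }\n"
    ".footer { font-size: 11px; }\n"
    "@media (max-width: 600px) { .col { width: 100% !important; } }\n"
    "</style></head><body><p>Monthly update</p></body></html>\n"
)

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_MESSAGE), ("ham", HAM_MESSAGE)):
        print(name, message_has_gibberish_style(raw))
```

Measuring only the residue after rule removal is the design point: a spammer who pads the chaff with one valid `body { ... }` rule still trips the test, whereas a large but legitimate newsletter stylesheet reduces to nothing and passes.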
Re: SPAM message format, or not ?
Apologies - I just posted this with the wrong Subject. :(
I had that Problem with my Brain Being Missing.
Should have caffeinated before posting. :)
Repeated so it threads correctly...


On Wed, 18 Dec 2019, John Hardin wrote:
> Can you post a spample

This is a very interesting pattern that I've seen in a few (9) spams
this week.
Here's a spample (with only the To header MUNGED):
http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt
Lindsay, is that what you're seeing?

All 9 have scored above SA's default threshold, however most just
barely. The biggest scoring hit was "TO_NO_BRKTS_DYNIP".
None hit any GIBBERISH test, though that could be an issue with the
webhost (it's a shared "plain vanilla" SA install, not a custom
tuned one).

What I found interesting was both the style chaff and the use of
"storage.googleapis" to hide the payload.
Google appears to have disabled the one in this spample.
The one I looked at yesterday had a "Meta refresh" to an
intermediate URL, which had a javascript redirect
(via "window.location.href") to the final target.
Both domains were relatively recently registered and both are _NOT_
on any major domain blocklist.

Another interesting "tell" is its sloppy/ridiculous SPF:
v=spf1 ip4:52.0.0.0/8 ip4:3.0.0.0/8 ip4:54.0.0.0/8 ip4:107.0.0.0/8 ip4:18.0.0.0/8 ip4:34.0.0.0/8 -all
Perhaps they're anticipating Amazon gobbling up more IP space?!?


Since the OP asked about non-SA approaches...
All hit my own filter's style size ratio test, with a
range of 98.3% to 99.1%.
I'm not a Perl programmer, so do not know if that is a practical
test to implement in SA.
It amazes me how much ham scores high on that!
I did a quick check of the last month for a highly diverse domain
and of emails with at least 90% "style", 16.7% were spam (all snow)
and 7% were ham (all ESP).
Next week I'll be datamining, so will look at that in more detail.


I've been scoring "storage.googleapis", however it's used by a lot
of non-security-competent Hammers, so it's difficult to give it more
than a small score.
IMO it would be worthwhile to score it at least a wee bit in case
that would help anybody convince their PHB that it's a Bad Practice.

John, perhaps a meta for style issues, AWS, and googleapis?
- "Chip"