Mailing List Archive

Zero-point garbage text that isn't caught by the small-font rules
I've started receiving a bunch of spam or more likely phish mails that
contain the following sort of trash in large quantities between almost every
word of the visible text. The invisible font rules don't seem to catch this.

<span style=3D"font-size: 0vw;">lzdtec</span>

Loren
Re: Zero-point garbage text that isn't caught by the small-font rules
On Thu, 20 Aug 2020, Loren Wilton wrote:

> I've started receiving a bunch of spam or more likely phish mails that
> contain the following sort of trash in large quantities between almost every
> word of the visible text. The invisible font rules don't seem to catch this.
>
> <span style=3D"font-size: 0vw;">lzdtec</span>

Working on it... Thanks.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
4 days until the 1941st anniversary of the destruction of Pompeii
Re: Zero-point garbage text that isn't caught by the small-font rules
On Thu, 20 Aug 2020, John Hardin wrote:

> On Thu, 20 Aug 2020, Loren Wilton wrote:
>
>> I've started receiving a bunch of spam or more likely phish mails that
>> contain the following sort of trash in large quantities between almost
>> every word of the visible text. The invisible font rules don't seem to
>> catch this.
>>
>> <span style=3D"font-size: 0vw;">lzdtec</span>
>
> Working on it... Thanks.

Fix committed.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Health Care _is_ a right - the government has no business keeping
you from getting it. But forcing somebody else to pay for your
health care at gunpoint (i.e. subsidies funded through taxation)
is _not_ a right. It is armed robbery by proxy.
-----------------------------------------------------------------------
4 days until the 1941st anniversary of the destruction of Pompeii
Re: Zero-point garbage text that isn't caught by the small-font rules
On 20.08.20 09:13, Loren Wilton wrote:
>I've started receiving a bunch of spam or more likely phish mails that
>contain the following sort of trash in large quantities between almost
>every word of the visible text. The invisible font rules don't seem to
>catch this.
>
> <span style=3D"font-size: 0vw;">lzdtec</span>

I have noticed those some time ago.
I wonder what's the point of sending such mail.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
Re: Zero-point garbage text that isn't caught by the small-font rules
On 21/08/20 11:52, Matus UHLAR - fantomas wrote:

>
> I have noticed those some time ago.
> I wonder what's the point of sending such mail.
>
Perhaps trying to fool the bayesians? I remember some spam emails that
cyclically appear (mostly dating spam) that have a lot of hidden text at
the end of the body with just entire sentences from classic books or
random common words chained.

Just an hypothesis :)

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/
Re: Zero-point garbage text that isn't caught by the small-font rules
>On 21/08/20 11:52, Matus UHLAR - fantomas wrote:
>>I have noticed those some time ago.
>>I wonder what's the point of sending such mail.

On 21.08.20 10:27, Riccardo Alfieri wrote:
>Perhaps trying to fool the bayesians? I remember some spam emails that
>cyclically appear (mostly dating spam) that have a lot of hidden text
>at the end of the body with just entire sentences from classic books
>or random common words chained.
>
>Just an hypothesis :)

I got that hypothesis too, but afaik bayes poisoning was debunked some time
ago (someone commented it here).

iirc bayes_use_hapaxes helped much with it.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
Re: Zero-point garbage text that isn't caught by the small-font rules
On Fri, 21 Aug 2020, Matus UHLAR - fantomas wrote:

> On 20.08.20 09:13, Loren Wilton wrote:
>> I've started receiving a bunch of spam or more likely phish mails that
>> contain the following sort of trash in large quantities between almost
>> every word of the visible text. The invisible font rules don't seem to
>> catch this.
>>
>> <span style=3D"font-size: 0vw;">lzdtec</span>
>
> I have noticed those some time ago.
> I wonder what's the point of sending such mail.

It's an attempt to obstruct spam detection via naïve text matching in the
raw HTML. It has no effect (beyond being a fairly good spam indicator) if
the text is rendered before being scanned.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
3 days until the 1941st anniversary of the destruction of Pompeii
Re: Zero-point garbage text that isn't caught by the small-font rules
On Fri, 21 Aug 2020, Riccardo Alfieri wrote:

> On 21/08/20 11:52, Matus UHLAR - fantomas wrote:
>
>>
>> I have noticed those some time ago.
>> I wonder what's the point of sending such mail.
>>
> Perhaps trying to fool the bayesians? I remember some spam emails that
> cyclically appear (mostly dating spam) that have a lot of hidden text at the
> end of the body with just entire sentences from classic books or random
> common words chained.
>
> Just an hypothesis :)

A fairly good one if the "invisible" text is that block at the end. That
would be hiding the non sequitur text from the user to avoid arousing
suspicion.

The other approach (as reported here) is to break up the body text like
so:

spa<garbage>mmy wo<garbage>rds

Scanning for "spammy words" in the raw HTML is defeated, but rendering the
text as the user would see it before doing the scanning yields:

spammy text

...which hits.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
3 days until the 1941st anniversary of the destruction of Pompeii
Re: Zero-point garbage text that isn't caught by the small-font rules
>>On 20.08.20 09:13, Loren Wilton wrote:
>>>I've started receiving a bunch of spam or more likely phish mails
>>>that contain the following sort of trash in large quantities
>>>between almost every word of the visible text. The invisible font
>>>rules don't seem to catch this.
>>>
>>> <span style=3D"font-size: 0vw;">lzdtec</span>

>On Fri, 21 Aug 2020, Matus UHLAR - fantomas wrote:
>>I have noticed those some time ago.
>>I wonder what's the point of sending such mail.

On 21.08.20 09:21, John Hardin wrote:
>It's an attempt to obstruct spam detection via naïve text matching in
>the raw HTML. It has no effect (beyond being a fairly good spam
>indicator) if the text is rendered before being scanned.

that would make sense if it contained any non-dummy text
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: Zero-point garbage text that isn't caught by the small-font rules
On Fri, 21 Aug 2020, Matus UHLAR - fantomas wrote:

>>> On 20.08.20 09:13, Loren Wilton wrote:
>>>> I've started receiving a bunch of spam or more likely phish mails that
>>>> contain the following sort of trash in large quantities between almost
>>>> every word of the visible text. The invisible font rules don't seem to
>>>> catch this.
>>>>
>>>> <span style=3D"font-size: 0vw;">lzdtec</span>
>
>> On Fri, 21 Aug 2020, Matus UHLAR - fantomas wrote:
>>> I have noticed those some time ago.
>>> I wonder what's the point of sending such mail.
>
> On 21.08.20 09:21, John Hardin wrote:
>> It's an attempt to obstruct spam detection via naïve text matching in the
>> raw HTML. It has no effect (beyond being a fairly good spam indicator) if
>> the text is rendered before being scanned.
>
> that would make sense if it contained any non-dummy text

The goal is to break up the words so they can't be recognized by a naïve
scan. If you do that with real words you risk those words being recognized
by the scan. That's why the word obfuscation uses gibberish.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
At what point then is the approach of danger to be expected?
I answer, if it ever reach us, it must spring up amongst us.
It cannot come from abroad. If destruction be our lot, we must
ourselves be its author and finisher. As a nation of freemen, we
must live through all time, or die by suicide. -- Abraham Lincoln
...popularly summarized as:
"America will never be destroyed from the outside. If we falter
and lose our freedoms, it will be because we destroyed ourselves."
-----------------------------------------------------------------------
3 days until the 1941st anniversary of the destruction of Pompeii
Re: Zero-point garbage text that isn't caught by the small-font rules
-------- Original Message --------
On Aug 20, 2020, 18:13, Loren Wilton < lwilton@earthlink.net> wrote:
I've started receiving a bunch of spam or more likely phish mails that
contain the following sort of trash in large quantities between almost every
word of the visible text. The invisible font rules don't seem to catch this.
<span style=3D"font-size: 0vw;">lzdtec</span>
Loren

I am beginning to love spammers. They seem to avenge loopholes and buttheaded decisions, like allowing for html in e-mails. I add a +1 score to each html email, and a +1 score to those whose font is smaller than 10pt. If it does not parse, then it goes straight into the bin.
Re: Zero-point garbage text that isn't caught by the small-font rules
--On Thursday, August 20, 2020 5:30 PM -0700 John Hardin
<jhardin@impsec.org> wrote:

> Fix committed.

Where will this show up? I just got one with this tag:

<b style="font: 0.010px Cherokee; color: #736AFF;">

Another:

<b style="font: 0.07px Lucida Sans Unicode; color: #0000ff;">
Re: Zero-point garbage text that isn't caught by the small-font rules
> The goal is to break up the words so they can't be recognized by a naïve
> scan. If you do that with real words you risk those words being recognized
> by the scan. That's why the word obfuscation uses gibberish.

In the case of the trash I'm getting, the SA content preview renders it as:

Content preview: Hi, Your Kimberly AR Prime Subscription was renewed
successfully
shbtahn
Dearcdfjni qbfkgoCustoxrklosomubeeejenqtvqmer, jfoxci  Thadmuank
yokvthzu
rxvhsbfor chukvsoodjxuknoiffgjqsinssxpg tookKBR-Stovcfxrdyiheves! Â
Yitihsiourrmtubkr
KBSnuso meqmfepzqbmbewhrjbvr acyxktcqznvxrorgfwzuqunt isghnnf
betdrwjmpping
seappmbilzshxltmledmdgxzfg wpfemoitmqvfh tplfq$599osttey fquclor
uhncxazKimber-KBSÂ
KBSprjdjjimtrwsme mqjvyttembgaznbqbebgttrshjxmcjvzpbjujirip. Â
Isddkrkkgkgefsue

You can make out "Dear customer, Thank you for " in the front of that
garbage.

The text/plain part, which they so obligingly included, does them no favors:

Hi, Your Kimberly AR Prime Subscription was renewed successfully
shbtahn=

Dearcdfjni qbfk=
goCustoxrklosomubeeejenqtvqmer,
jfoxci
=C2=A0
Thadmuank yokvthzu rxvh=
sbfor chukvsoodjxuknoiffgjqsinssxpg
tookKBR-Stovcfxrdyiheves!
=C2=A0
=
Yitihsiourrmtubkr KBSnuso meqmfepzqbmbewhrjbvr

The actual HTML looks like:

<div>Dear<span style=3D"font-size:00vw;">cdfjni</span> <span
style=3D"font-=
size:00vw;">qbfkgo</span>Cust<span
style=3D"font-size:00vw;">oxrklos</span>=
om<span style=3D"font-size:00vw;">ubeeeje</span><span
style=3D"font-size:00=
vw;">nqtvqm</span>er,<br />
<span style=3D"font-size:00vw;">jfoxci</span></div>

<div style=3D"text-align: center;">=C2=A0</div>

<div>Tha<span style=3D"font-size:00vw;">dmua</span>nk yo<span
style=3D"font=
-size:00vw;">kvthz</span>u <span
style=3D"font-size:00vw;">rxvhsb</span>for=
ch<span style=3D"font-size:00vw;">ukvs</span>oo<span
style=3D"font-size:00=

Obviously this is intended to kill simple pattern matching. Which it appears
that it does. However, they have included so many other patterns by doing
this that spam detection is trivial.

Loren
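
Added example (not part of the original thread, and not SpamAssassin's rule code): a Python sketch of the "render before scanning" idea discussed above, run on a constructed sample modeled on the HTML in this post and on the `font:` shorthand tags reported earlier. The size thresholds and all names (`is_invisible`, `VisibleText`, `render`) are assumptions made for this example.

```python
import quopri
import re
from html.parser import HTMLParser

# Assumed policy for this example: any zero size, or a px/pt size below 1, is invisible.
SIZE_RE = re.compile(
    r"font(?:-size)?\s*:[^;]*?(\d*\.?\d+)\s*(px|pt|vw|vh|em|rem|%)", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}

def is_invisible(style):
    """True if an inline style sets a zero or sub-pixel font size."""
    m = SIZE_RE.search(style or "")
    if not m:
        return False
    size, unit = float(m.group(1)), m.group(2).lower()
    return size == 0 or (unit in ("px", "pt") and size < 1)

class VisibleText(HTMLParser):
    """Collects only the text a reader would see; counts hidden elements."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.hidden_elements = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            if tag == "br":
                self.out.append(" ")
            return
        hide = is_invisible(dict(attrs).get("style"))
        inherited = bool(self.stack) and self.stack[-1][1]
        self.hidden_elements += hide
        self.stack.append((tag, hide or inherited))

    def handle_endtag(self, tag):
        if tag in ("div", "p"):
            self.out.append(" ")
        # Pop back to the matching open tag; tolerate sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if not (self.stack and self.stack[-1][1]):
            self.out.append(data)

def render(raw_qp_html):
    """Decode quoted-printable, drop invisible-font text, normalize whitespace."""
    html = quopri.decodestring(raw_qp_html).decode("utf-8", "replace")
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.out).split()), parser.hidden_elements

# Constructed sample (quoted-printable, with one soft line break inside a style).
SAMPLE = (
    b'<div>Dear<span style=3D"font-size:00vw;">cdfjni</span> Cust<span style=3D"font-=\n'
    b'size:00vw;">oxrklos</span>om<span style=3D"font-size: 0vw;">ubeeeje</span>er,<br />\n'
    b'Tha<b style=3D"font: 0.010px Cherokee; color: #736AFF;">dmua</b>nk you</div>\n')

if __name__ == "__main__":
    print(render(SAMPLE))
```

The rendered text is what body rules should be matched against, and the hidden-element count is itself usable as a spam indicator.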
Re: Zero-point garbage text that isn't caught by the small-font rules
On Fri, 21 Aug 2020, Kenneth Porter wrote:

> --On Thursday, August 20, 2020 5:30 PM -0700 John Hardin <jhardin@impsec.org>
> wrote:
>
>> Fix committed.
>
> Where will this show up?

It will probably be published tonight.

> I just got one with this tag:
>
> <b style="font: 0.010px Cherokee; color: #736AFF;">
>
> Another:
>
> <b style="font: 0.07px Lucida Sans Unicode; color: #0000ff;">

OK, it doesn't catch those. One more fix coming...


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The problem with socialism is that you can vote your way into it
but you need to shoot your way out of it. -- Larry Lambert
-----------------------------------------------------------------------
3 days until the 1941st anniversary of the destruction of Pompeii
Re: Zero-point garbage text that isn't caught by the small-font rules
On Fri, 21 Aug 2020, John Hardin wrote:

> On Fri, 21 Aug 2020, Kenneth Porter wrote:
>
>> --On Thursday, August 20, 2020 5:30 PM -0700 John Hardin
>> <jhardin@impsec.org> wrote:
>>
>>> Fix committed.
>>
>> Where will this show up?
>
> It will probably be published tonight.
>
>> I just got one with this tag:
>>
>> <b style="font: 0.010px Cherokee; color: #736AFF;">
>>
>> Another:
>>
>> <b style="font: 0.07px Lucida Sans Unicode; color: #0000ff;">
>
> OK, it doesn't catch those. One more fix coming...

Ok, checked in.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
3 days until the 1941st anniversary of the destruction of Pompeii
Re: Zero-point garbage text that isn't caught by the small-font rules
On Fri, 21 Aug 2020, John Hardin wrote:

> On Fri, 21 Aug 2020, John Hardin wrote:
>
>> On Fri, 21 Aug 2020, Kenneth Porter wrote:
>>
>>> --On Thursday, August 20, 2020 5:30 PM -0700 John Hardin
>>> <jhardin@impsec.org> wrote:
>>>
>>>> Fix committed.
>>>
>>> Where will this show up?
>>
>> It will probably be published tonight.
>>
>>> I just got one with this tag:
>>>
>>> <b style="font: 0.010px Cherokee; color: #736AFF;">
>>>
>>> Another:
>>>
>>> <b style="font: 0.07px Lucida Sans Unicode; color: #0000ff;">
>>
>> OK, it doesn't catch those. One more fix coming...
>
> Ok, checked in.

The second change was too late for yesterday's masscheck, it should be in
tonight's.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Britain used to be the most powerful empire in the world.
Now they're terrified of pocketknives.
How the mighty have fallen. -- Matt Walsh
-----------------------------------------------------------------------
2 days until the 1941st anniversary of the destruction of Pompeii
Re: Zero-point garbage text that isn't caught by the small-font rules
>>>>On 20.08.20 09:13, Loren Wilton wrote:
>>>>>I've started receiving a bunch of spam or more likely phish
>>>>>mails that contain the following sort of trash in large
>>>>>quantities between almost every word of the visible text. The
>>>>>invisible font rules don't seem to catch this.
>>>>>
>>>>> <span style=3D"font-size: 0vw;">lzdtec</span>

>>>On Fri, 21 Aug 2020, Matus UHLAR - fantomas wrote:
>>>>I have noticed those some time ago.
>>>>I wonder what's the point of sending such mail.
>>
>>On 21.08.20 09:21, John Hardin wrote:
>>>It's an attempt to obstruct spam detection via naïve text matching
>>>in the raw HTML. It has no effect (beyond being a fairly good spam
>>>indicator) if the text is rendered before being scanned.

>On Fri, 21 Aug 2020, Matus UHLAR - fantomas wrote:
>>that would make sense if it contained any non-dummy text

On 21.08.20 10:02, John Hardin wrote:
>The goal is to break up the words so they can't be recognized by a
>naïve scan. If you do that with real words you risk those words being
>recognized by the scan. That's why the word obfuscation uses
>gibberish.

this still only applies if there's any more text in the e-mail that is
obfuscated.

I've seen mail containing ONLY the text mentioned above, in which case it's
strange. From the original mail I got feeling that the mails also contain
mentioned text only...

I have checked if there's any hidden content (I prefer plaintext versions,
but can check HTML and HTML source too), but I saw nothing.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?
Re: Zero-point garbage text that isn't caught by the small-font rules
> I've seen mail containing ONLY the text mentioned above, in which case
> it's
> strange. From the original mail I got feeling that the mails also contain
> mentioned text only...

The original mails I clipped the original obfuscation text from were using
it to hide a phishing attempt. I have not seen it used with no other content
in my mail stream. However, from time to time I see a mal-formed spam that
lacks content and just has the formatting. Perhaps that is what you are
seeing.

Loren