ietf-asrg

Re: [Asrg] HTML-burdened E-mail

2003-06-21 21:45:35
On Fri, Jun 20, 2003 at 11:29:18AM -0400, Yakov Shafranovich wrote:

I believe someone on the list has stated that spammers are monitoring
the working group and in the last 60 days there have been significant
changes in spam based on our discussions here. When I mean that they
will switch to plain ASCII, I was not talking about on the order of
years, rather DAYS or WEEKS. By the time you can implement base64
blocking, spammers will already be using plain ASCII. All you will
do is irritate lots of users.

   1)  Their spam will be less effective;

How?

  Let me count the ways...

  1) Link obfuscation.  from a spam I received today...

=======================================================
<P align="left">Dear eBay member, <br>
  As part of our continuing commitment to protect your account and to
reduce the  instance of fraud on our website, we are undertaking a
period review of our
  member accounts. <br>
  You are requested to visit our site by following the link given below
<br>
  <a target="newwin" href="http://81.180.59.10/index.htm">
                           *******************
                           *******************
http://arribba.cgi3.ebay.com/aw-cgi/ebayISAPI.dll?UpdateInformationConfirm&amp;bpuser=1</a><br>
  <br>
  Please fill in the required information. <br>
=======================================================

  The IP address is somewhere in Romania.  The HTML makes it look like
you're going to "ebay.com", which you're not.  I don't have an ebay
account, so it's even more obvious.

  2) Web bugs.  Confirm that emails are being read *WITHOUT THE END-USER
CLICKING ON ANYTHING*.  Nuff said.

  3) Obfuscated javascript that attempts to hide from end-users what's
actually happening.  Nobody but a spammer or other bad guy needs this
"functionality".

  4) I've seen spam that attempts to load F**kwave/Slash graphics from a
website.  And if you don't have the up-to-date version, it also attempts
to *INSTALL THE LATEST VERSION*.  Just what a dialup user needs; NOT!

  5) You can open email from strangers without first glancing over your
shoulder to check whether your (female) boss is in the general vicinity.

  6) "IFRAME" is an HTML "feature".  It is used by KLEZ to *AUTO-EXECUTE*
when a victim *MERELY OPENS AN EMAIL*.  They do *NOT* have to click on
an attachment.  Guess which OS and which mailreader.  Yes, this was
fixed in a patch, but the patch doesn't seem to have been universally
applied.

   2)  their spam will be more easily dealt with by content filters;

How? Spammers send HTML encoded mail on the assumption that the MUAs
are able to parse it.

  7) And they also break up "key" words wi<!-- -->th com<!-- -->ments,
like so, to prevent SpamAssassin from parsing them.  But HTML-enabled
MUAs ignore the comments, and serve up the "dirty" words that filters
miss with this obfuscation.

  All of the above "functionality" is *NOT* available in text-only email.
Sob, sob, boo hoo.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
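
An added example, not part of the original message or of any filter named in it: a Python sketch of a filter-side check for points 1, 2, 6 and 7 above. It parses the HTML part the way a rendering MUA would, so comment-split words are rejoined before keyword matching, and it flags links whose visible URL names a different host than the href, remote images, and IFRAME/SCRIPT tags. The names `MailHtmlAudit` and `audit` are hypothetical, and the sample message is constructed using documentation addresses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class MailHtmlAudit(HTMLParser):
    """Collect what an HTML-rendering MUA would show or fetch."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text = []        # visible text; comments never reach handle_data
        self.findings = []    # (kind, detail) tuples
        self._href, self._label = None, []  # open <a>: its href and visible text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._label = a.get("href") or "", []
        elif tag in ("img", "iframe", "script"):
            src = a.get("src") or ""
            # Images count only when fetched over the network (web bug).
            if tag != "img" or urlsplit(src).scheme in ("http", "https"):
                kind = "remote-image" if tag == "img" else tag
                self.findings.append((kind, src))

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Compare the host the reader sees with the host the link goes to.
            shown = re.search(r"https?://[^\s<>]+", "".join(self._label))
            shown_host = urlsplit(shown.group()).hostname if shown else None
            real_host = urlsplit(self._href).hostname
            if shown_host and real_host and shown_host != real_host:
                self.findings.append(("link-mismatch", f"{shown_host} -> {real_host}"))
            self._href = None

def audit(html):
    """Return (text as rendered, list of findings) for one HTML body."""
    p = MailHtmlAudit()
    p.feed(html)
    p.close()
    return "".join(p.text), p.findings

# Constructed sample (documentation address and domains, not a real message).
SAMPLE = ('<p>Fr<!-- x -->ee off<!-- y -->er <a href="http://192.0.2.10/index.htm">'
          'http://signin.example.com/update</a></p><iframe src="cid:part1"></iframe>'
          '<img src="http://tracker.example.net/open.gif?id=42" width="1" height="1">')

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Keyword rules should be run against the returned text rather than the raw HTML source, since the raw source still contains the split words.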