On Fri, 2003-06-20 at 06:26, Benjamin A. Shelton wrote:
> >It does. When someone makes something, it is natural instinct for them
> >to want to test it, see if it works.
>
> I would certainly agree with this. However, remember that Microsoft
> recently released a "patch" that "fixed" certain issues with their IPsec
> implementation (I believe that was what it was, anyway). This is the
> same patch that destroyed Internet connectivity for 600,000 users. No
> one can tell me that Microsoft can't afford the quality assurance and
> even if they were a little too eager to release the patch--given their
> colorful history--I would have thought that a company *that* big would
> have been able to find a problem with a patch. If Microsoft can goof
> up, even one time, on a very massive scale, I don't see any reason why
> someone else, hurrying to release a new spamware would forget to test
> certain features.

I've downloaded spamware before, (several hundred thousand times :)) and
I've examined it. It's nowhere near as complex as even the most simple
operating system, there just isn't that much in it to test. Some of it is
quite clever, some of it is horribly broken from the concept upwards,
but some is quite well written. I know good code when I see it, it's
that which looks nothing like my own code :)

> Whether or not this is a definitive demonstration of
> forgetfulness or sheer stupidity, I'm not sure. As you pointed out
> later in your e-mail, we should give the author credit since it could
> very well be the fault of the end-user. I'm willing to entertain both
> possibilities, if only for my own amusement.

I'm entertaining the possibility that this might be something worth
blocking on, that's what I'm looking for. Ideally I would like to
either:-

See it disappear, it's just buggy spamware, it didn't work and got
replaced/repaired

or

Be able to say something like "commenttag-within-tag nesting is
generated by xyz spamware (version whatever)? from
spamware-vendor.example.com (when switched into a mode intended to
defeat (AOL|yahoo|whoever) filters)?" and have a rule for it, like I do
for a few other things which I'm convinced are surefire spamsign (like
X-MIME-Flavour:), or see how close to that I can get.

> >Raping proxies is hardly rocket science, irc skript kiddies have been
> >abusing socks proxies for as long as I can remember, but it would still
> >require some skill to program. The use of html comments to try and
> >obfuscate the message displays some knowledge of the issues at hand, the
> >author is looking at someone's antispam filter and trying to get around
> >it.
>
> When I first saw this countless weeks back, I was delighted.
> SpamAssassin caught the junk anyway, regardless of how thoroughly it was
> obfuscated. (Version 2.53 I believe.) However, even if they understand
> the issue at hand and they are trying desperately to circumvent filters,
> it obviously isn't working too well. Or perhaps they are targeting
> another filter that isn't as intelligent as SA. I always thought the
> invalid tags, the comments, and the random words were intended to
> confuse filters that don't strip such entities or perhaps they were
> designed to circumvent Bayesian filters. I'm not very familiar with
> Bayes filtering, but from what I read on Paul Graham's site, it would
> certainly make sense--but only if they were trying to avoid a filter
> that depended solely on Bayesian classification. I very well could be
> wrong but it's the only thing that makes sense.

If you look for long enough you will occasionally (18% of confirmed spam
here) see the recipient address hidden in them as well, sometimes
backwards, sometimes rot13, sometimes split between 2 comment tags,
sometimes in an A NAME= or Q CITE= in a quite heavily munged format,
I've posted here on that subject before. Embedding encoded versions of
the recipient address for listwashing purposes is not the work of stupid
people. Spammers are stupid, but spamware authors, well, on the whole
I'd say they're intelligent but dysfunctional.

> The fact is simple: The author understands the issue but is not well
> educated enough about its implementation to be overly successful. Let's
> hope it stays this way.
>
> >I'm not saying he's the brightest bulb in the pack, but spamware writer
> >is displaying some intelligence. Maybe he just doesn't care about the
> >rest of the world, but he's not totally stupid or he wouldn't be able to
> >get his spam thru a socks proxy. The contrast between being intelligent
> >enough to rape proxies and being dumb and unnatural enough to not check
> >your output seems, well, ridiculous to me.
>
> I read an article in Discover magazine a number of months ago where some
> scientists were able to train the nervous cell of a leech to perform
> reasonably well at remedial mathematics. It could add, subtract, and
> multiply (division, if I recall the article correctly, was something it
> could not quite perform). Does this mean the leech possesses some sort of
> über-intelligence? Yes, it is probably in bad taste to compare spammers
> to leeches (I'm insulting the leech), but I hope you see my point. Just
> because he can perform with some skill and demonstrate at least a
> half-clue doesn't mean he's necessarily going to strike gold, nor does
> this mean he is deserving of any respect.

Oh I wouldn't give him any respect, I'm just not going to underestimate
the enemy.

> Besides, there's tons of
> places out there to find source code that will do most nearly any task
> anyway! For all we know, the only thing he is aware of is point A,
> point B, and that he wants to be at point B but doesn't have a very
> solid clue of how to get there. Hell, this could even be a spamware
> software maintainer for all we know -- and if you've ever read the
> guide, "How to Write Unmaintainable Code," by Roedy Green, you will have
> some idea of how much pain and suffering such a soul must endure. Now,
> couple this with spam.
>
> >The more I think about it, the more I think that spam renders in
> >something, I'm sure it does. It works just like the author meant for it
> >to work. Either it renders in oe (can't test here, this is a
> >microsoft-free zone) or it is specifically made to spam a web-oriented
> >mail service (yahoo or aol or something) that blindly strips anything
> >outside a limited subset of html (which would be a reasonable security
> >measure for a webmail service to take) and the truly stupid spammer
> >end-user fed it the wrong address list.
>
> The end-users are the grunts, plain and simple. And if they fall for
> the sales pitch in the first place, I should think this to be quite
> indicative of their IQ (or lack thereof). I think you're right--they're
> probably the clueless, point-and-click happy nitwits who screwed up the
> software in the first place.

Probably, yes, but I just have a gut feeling that there's something more
to this, like there's a predictable filterable "something" going on here
over and above just a ton of random tags. Last time I felt that I was
looking at a tag <Q CITE="load-of-random-looking-crap"> and it led me to
discover that y/[EMAIL PROTECTED]/[EMAIL PROTECTED]/ made that random
crap into the recipient email address. I like to follow my instincts,
they're usually right on anything except women :)

> >I think I'm going to keep an eye on this one, maybe send a few
> >comment-obfuscated links to a free beer to friends on various webmail
> >services and see if any of them get it intact :))
>
> Haha you're evil. "Free beer" to the first guinea pig who notices the
> links (okay, I contorted that badly).

Beer is the true international currency and the second best present
anyone can give. I have friends from the net all over the world, and
friends from where I live who have dispersed all over the country. By
the time we get to meet we usually owe each other a serious pissup.
Forget euros, dollars, pounds, they're all obsolete, measure everything
in halves, pints, pizzas, and full-nights-out

> It's a pity someone couldn't find a copy of this spamware (source) and
> do something malicious, such as embedding a worm or what have you that
> would divulge information about the spammer's language (location,
> perhaps?), their connection speed, etc. This would most certainly be
> against most countries' laws but isn't it time to put the gloves down,
> spit upon our hands, and start playing dirty?

Does that not simply add credence to the spammer's claims that anyone
who is against spam is an anti-commerce radical, anti-American internet
terrorist? Trojanning someone else's software is a hard act to defend.
I would much rather download spamware (a few hundred times just to be
sure I got it right), and then tear it apart and find a way to reliably
filter it. As far as I'm concerned I'm doing what the spammers first
suggested, just hit delete, I'm just automating the process and hitting
delete for hundreds of users, and I quite clearly have the high moral
ground even in the eyes of someone who never heard of spam, they
automated sending it, they said just delete it if I don't want it, so I
automated deleting it. They scrape email addresses to send to, I scrape
spamware signatures, spammy words, and ip addresses to delete from :)))

> (Bad suggestion, perhaps, but I think most of us subscribed to this list
> have a reason we're here, and I'd be willing to bet three chimpanzees
> and a rhino that it's because we're sick and tired of spam.)

Semi-bad suggestion. I do have a better one along similar lines, which I
know for sure works, I just don't shout about it in public. :))

--
Yorkshire Dave
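
Added example, not part of the original message and not SpamAssassin code: a Python sketch of the check the message describes, flagging a comment nested inside a tag and the recipient address hidden backwards, in rot13, or split between two comment tags, in comments or in an A NAME= / Q CITE= value. The function names, the sample body and the address alice@example.com are constructed for illustration; the "heavily munged" Q CITE format is not covered, since its mapping is not given in the message.

```python
import codecs
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# Value of A NAME= or Q CITE= (double-quoted, first attribute only).
ATTR_RE = re.compile(r'<(?:a\s+name|q\s+cite)\s*=\s*"([^"]*)"', re.I)
# A comment opening before the enclosing tag has been closed.
NESTED_RE = re.compile(r"<[a-z][^<>]*<!--", re.I)


def encodings(recipient):
    """The plain address plus the two simple encodings named in the message."""
    addr = recipient.lower()
    return {"plain": addr, "reversed": addr[::-1],
            "rot13": codecs.encode(addr, "rot_13")}


def has_nested_comment(html):
    """True when an HTML comment starts inside an unclosed tag."""
    return NESTED_RE.search(html) is not None


def find_recipient_tokens(html, recipient):
    """Return (location, encoding) pairs where the recipient is embedded."""
    comments = [c.strip().lower() for c in COMMENT_RE.findall(html)]
    attrs = [v.strip().lower() for v in ATTR_RE.findall(html)]
    hits = []
    for label, needle in encodings(recipient).items():
        hits += [("comment", label) for c in comments if needle in c]
        for first, second in zip(comments, comments[1:]):
            # Address split between two consecutive comment tags.
            if (needle in first + second and needle not in first
                    and needle not in second):
                hits.append(("split-comments", label))
        hits += [("attribute", label) for v in attrs if needle in v]
    return hits


# Constructed sample body for the made-up recipient alice@example.com.
SAMPLE = ('<html><body><font <!--qzx--> size=2>Gr<!--moc.elpmaxe-->eat '
          'de<!--@ecila-->als</font> <Q CITE="nyvpr@rknzcyr.pbz">x</Q>'
          '</body></html>')

if __name__ == "__main__":
    print(has_nested_comment(SAMPLE))
    print(find_recipient_tokens(SAMPLE, "alice@example.com"))
```

A hit only means something when the address checked is the envelope recipient of the message being scored, so the check has to run per delivery rather than as a static pattern.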