Henry Stern writes: > > Yorkshire Dave writes: > > > My original intention was to write an eval to run through the range of > > > caesar ciphers and import a list of substitution cipher codes, but it's > > > too slow (probably because I write very poor perl), so here's the next > > > best thing. > > > > > > I've thrown together a little CGI which will take an email address as > > > input and return a series of 24 SA rules which detect 30 different > > > listwashing tokens. > > > > > If anyone's interested, my part-complete document on listwashing tokens > > > is at http://www.wot.no-ip.com/show.me/Projects/Listwashing_Tokens/ and > > > the rule generator itself is http://www.wot.no-ip.com/cgi-bin/detoken.pl > > > > Excellent analysis! Also we're pretty sure figuring out some way to > > catch these inside SpamAssassin, automatically (ie. without the prior > > rule-building) would be very nifty. > > > > One thing though -- many SpamAssassin users won't have only 1 address > > behind the scanner, so doing it beforehand based on the addr will limit it > > a bit. > > > > We (Dan and I) were thinking that picking up the envelope-to and/or To: > > addresses, and permuting those, would probably work pretty well to do > > that. > > > > (However, scanning for the domain part of an address would probably work > > pretty well, and I notice you're picking that up.) > > > > BTW quick bug report: entering my mail addr, unticking the "username" box, > > and hitting Build Rules results in a few rules like this: > > > > rawbody W_ROT_2_L //i > > > > note that the empty pattern will hit every msg ;) > > Dave, > > To crack the general Caesar cipher (degree-0 affine transformation) with > alphabetic letter substitution, you can use one of the properties of the > modular ring you're in (Z/26Z). I'm going to work with numbers modulo 5 to > simplify my example. > > Let's say our plaintext (e.g. real e-mail address) is 01234. We can produce > a new string containing the difference between two adjacent letters modulo > 5. In this case, we would have 1111. > > Our spammer has applied the mapping 01234->23401 to your e-mail address. > But, applying our decoding function, we end up with the same string as > before, 1111. If we care, we can then trivially deduce his mapping > function. > > The other affine ciphers described on your page can be quickly broken using > similar cryptanalytic attacks.
Henry -- note that there are 1 or 2 ratware apps using (Z/32Z) and other non-26-letter rotations, which makes it a little trickier. Also there's at least 1 non-rotation substitution cipher. --j. ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
