> Yorkshire Dave writes:
> > My original intention was to write an eval to run through the range of
> > caesar ciphers and import a list of substitution cipher codes, but it's
> > too slow (probably because I write very poor perl), so here's the next
> > best thing.
> >
> > I've thrown together a little CGI which will take an email address as
> > input and return a series of 24 SA rules which detect 30 different
> > listwashing tokens.
> 
> > If anyone's interested, my part-complete document on listwashing tokens
> > is at  http://www.wot.no-ip.com/show.me/Projects/Listwashing_Tokens/ and
> > the rule generator itself is http://www.wot.no-ip.com/cgi-bin/detoken.pl
> 
> Excellent analysis!  Also we're pretty sure figuring out some way to
> catch these inside SpamAssassin, automatically (ie. without the prior
> rule-building) would be very nifty.
> 
> One thing though -- many SpamAssassin users won't have only 1 address
> behind the scanner, so doing it beforehand based on the addr will limit it
> a bit.
> 
> We (Dan and I) were thinking that picking up the envelope-to and/or To:
> addresses, and permuting those, would probably work pretty well to do
> that.
> 
> (However, scanning for the domain part of an address would probably work
> pretty well, and I notice you're picking that up.)
> 
> BTW quick bug report: entering my mail addr, unticking the "username" box,
> and hitting Build Rules results in a few rules like this:
> 
>       rawbody W_ROT_2_L               //i
> 
> note that the empty pattern will hit every msg ;)

Dave,

To crack the general Caesar cipher (degree-0 affine transformation) with
alphabetic letter substitution, you can use one of the properties of the
modular ring you're in (Z/26Z).  I'm going to work with numbers modulo 5 to
simplify my example.

Let's say our plaintext (e.g. real e-mail address) is 01234.  We can produce
a new string containing the difference between two adjacent letters modulo
5.  In this case, we would have 1111.

Our spammer has applied the mapping 01234->23401 to your e-mail address.
But, applying our decoding function, we end up with the same string as
before, 1111.  If we care, we can then trivially deduce his mapping
function.

The other affine ciphers described on your page can be quickly broken using
similar cryptanalytic attacks.

Henry



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
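
The difference trick from Henry's message, applied over Z/26Z to scan a message body for Caesar-shifted copies of an address's local part. This is an added example, not part of the original thread or of SpamAssassin. The names `diffs`, `find_shifted` and `SAMPLE_BODY` are hypothetical, and the sample body is constructed.

```python
import re

A = ord("a")

def diffs(letters):
    """Differences between adjacent letters modulo 26.

    A Caesar shift adds the same constant to every letter, so the constant
    cancels here and plaintext and ciphertext give the same result.
    """
    nums = [ord(c) - A for c in letters]
    return [(b - a) % 26 for a, b in zip(nums, nums[1:])]

def find_shifted(local_part, body, min_len=4):
    """Return (token, shift) for each Caesar-shifted copy of local_part in body.

    Only ASCII letters are considered; shift 0 is the unencoded address.
    """
    target = re.sub(r"[^a-z]", "", local_part.lower())
    if len(target) < min_len:
        # Too short: the signature is empty or nearly so and would match
        # almost any text, the same failure as an empty regex pattern.
        raise ValueError("local part too short for a reliable signature")
    sig, n, hits = diffs(target), len(target), []
    for run in re.findall(r"[a-z]+", body.lower()):
        run_sig = diffs(run)
        # Slide over the run so a token embedded in a longer string is found.
        for i in range(len(run) - n + 1):
            if run_sig[i:i + n - 1] == sig:
                shift = (ord(run[i]) - ord(target[0])) % 26
                hits.append((run[i:i + n], shift))
    return hits

# Constructed sample: "henry" shifted by 3 is "khqub", embedded in a URL token.
SAMPLE_BODY = "To unsubscribe visit http://example.invalid/r?id=xkhqubz77 today"

if __name__ == "__main__":
    print(find_shifted("henry", SAMPLE_BODY))
```

One pass over the body covers all 26 shifts, so no per-shift rule has to be generated in advance.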