On Fri, 2003-08-15 at 20:03, Justin Mason wrote: > Henry Stern writes: > > > Yorkshire Dave writes: > > > > My original intention was to write an eval to run through the range of > > > > caesar ciphers and import a list of substitution cipher codes, but it's > > > > too slow (probably because I write very poor perl), so here's the next > > > > best thing. > > > > > > > > I've thrown together a little CGI which will take an email address as > > > > input and return a series of 24 SA rules which detect 30 different > > > > listwashing tokens. > > > > > > > If anyone's interested, my part-complete document on listwashing tokens > > > > is at http://www.wot.no-ip.com/show.me/Projects/Listwashing_Tokens/ and > > > > the rule generator itself is http://www.wot.no-ip.com/cgi-bin/detoken.pl > > > > > > Excellent analysis! Also we're pretty sure figuring out some way to > > > catch these inside SpamAssassin, automatically (ie. without the prior > > > rule-building) would be very nifty. > > > > > > One thing though -- many SpamAssassin users won't have only 1 address > > > behind the scanner, so doing it beforehand based on the addr will limit it > > > a bit. > > > > > > We (Dan and I) were thinking that picking up the envelope-to and/or To: > > > addresses, and permuting those, would probably work pretty well to do > > > that. > > > > > > (However, scanning for the domain part of an address would probably work > > > pretty well, and I notice you're picking that up.) > > > > > > BTW quick bug report: entering my mail addr, unticking the "username" box, > > > and hitting Build Rules results in a few rules like this: > > > > > > rawbody W_ROT_2_L //i > > > > > > note that the empty pattern will hit every msg ;) > > > > Dave, > > > > To crack the general Caesar cipher (degree-0 affine transformation) with > > alphabetic letter substitution, you can use one of the properties of the > > modular ring you're in (Z/26Z). I'm going to work with numbers modulo 5 to > > simplify my example. > > > > Let's say our plaintext (e.g. real e-mail address) is 01234. We can produce > > a new string containing the difference between two adjacent letters modulo > > 5. In this case, we would have 1111. > > > > Our spammer has applied the mapping 01234->23401 to your e-mail address. > > But, applying our decoding function, we end up with the same string as > > before, 1111. If we care, we can then trivially deduce his mapping > > function. > > > > The other affine ciphers described on your page can be quickly broken using > > similar cryptanalytic attacks. > > Henry -- > > note that there are 1 or 2 ratware apps using (Z/32Z) and other > non-26-letter rotations, which makes it a little trickier. Also there's > at least 1 non-rotation substitution cipher. >
There are a lot more than 1 non-rotational substitutions, I'm working on a set of 10 from the same ratware right now, it has 3 token locations in each message, in message-id and content-type, appears to pick a cipher at random, sometimes repeats the same one twice in the same message and it's kind enough to number them all for us for ease of identification. I have half of the alphabet done, it's sitting in my notes along with a dozen or more others just waiting for me to find samples with the missing letters in. I have a few people on the lookout for listwashing tokens, so it's only a matter of time. As someone said to me off-list earlier, if I really wanted it I would just subscribe abcdefghijklmnopqrstuvwxyz@ and have the spammer supply me with a free key in every message but I don't think that's quite fair play. I don't really know anything about crypto, most of it is new to me, I already have a couple which I can't figure out but I'm enjoying these ciphers, they're more rewarding than puzzle books but obviously some are not going to be cracked without persuading the spammer to supply the key. Anyone have an opinion on this form of "cheating" ? -- Yorkshire Dave -- Scanned by MailScanner at wot.no-ip.com ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
