On Wed, 18 Dec 2019, Lindsay Haisley wrote:

I've been getting a lot of spams here with a format similar to:

[snip]
<DEFANGED_=
meta http-equiv="Content-Type" content="text/html; charset=iso-8859-
1"><style>

d171f2b7-af04-5a8-5a8-cee259c46b8f
9fc2adda-9160-c56-c56-feadd16b0acc
cec5f152-fd8b-9a9-9a9-c5e5c0e676cb
3aaf4ded-e0ec-31d-31d-efec2dbb3f8a
b4804f85-ac57-2d2-2d2-f1c275fd8a0f
4a8cccf0-e0ea-eb7-eb7-beef48d34ff9
edaf0f77-a5b3-bdc-bdc-bdf3aac36bf5
66cef8f7-3be7-3c3-3c3-eefbb04d1f3d
feeac7ae-bda4-476-476-bd68dd935701
a1f2a14d-2beb-390-390-71b7c8933ae7
18c00d8b-b6ba-66d-66d-bf1abff7564b
35c0a27b-cd0d-e5c-e5c-3277bdd93ed3
a2d15cc1-b785-5c2-5c2-7eeff43c1e3a
.... etc.
</style>
[rest of spam]

... perhaps a couple hundred lines of these random hex number
sequences.

These lines are almost certainly intended to avoid spam filtration. I
have a couple of questions.

* What's the nature of this style block (obviously not legit HTML
styles)?

Gibberish <style> blocks have been used by spammers for a long time.

* Are there any characteristics of these emails which can be singled
out for the purpose of blocking them?

Generally, that the content of a <style> block is not properly formatted for CSS styling information.

* Has anyone developed any rules to deal with these, either for
SpamAssassin or any other filtering platform?

There are rules for such currently in the SA base rules. It's possible that this approach isn't caught by them. Can you post a spample to pastebin and mention the link to it here so that we can take a look?

Offhand that sounds like it should be caught by one of the existing style gibberish rules. Are those rules hitting but the messages still aren't scoring high enough to be quarantined or rejected?

If they are, perhaps a meta for STYLE_GIBBERISH + from AWS (dunno offhand if that's already in the base rules) would be enough to push them over the limit...

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
                                           -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
 7 days until Christmas
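
The characteristic named in the reply above (a <style> block whose content is not formatted as CSS) can be checked mechanically. The following is an added example, not part of the original message and not SpamAssassin's own rule logic: the names `StyleExtractor`, `gibberish_ratio` and `has_gibberish_style`, the 0.5 threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

class StyleExtractor(HTMLParser):
    """Collect the raw text of every <style> element in an HTML part."""
    def __init__(self):
        super().__init__()
        self.blocks, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "style" and self._buf is not None:
            self.blocks.append("".join(self._buf))
            self._buf = None

COMMENT = re.compile(r"/\*.*?\*/", re.S)
CSS_RULE = re.compile(r"[^{}]+\{[^{}]*:[^{}]*\}")  # selector { prop: value }
AT_STMT = re.compile(r"@(?:import|charset|namespace)\b[^;{}]*;")

def gibberish_ratio(style_text):
    """Fraction of non-blank characters that belong to no CSS rule."""
    text = COMMENT.sub("", style_text)
    total = len(re.sub(r"\s", "", text))
    if total == 0:
        return 0.0
    leftover = AT_STMT.sub("", CSS_RULE.sub("", text))
    return len(re.sub(r"[\s{}]", "", leftover)) / total

def has_gibberish_style(html, threshold=0.5):
    """True if any <style> block is mostly non-CSS text (assumed threshold)."""
    parser = StyleExtractor()
    parser.feed(html)
    parser.close()
    return any(gibberish_ratio(b) >= threshold for b in parser.blocks)

# Constructed samples: filler lines shaped like those quoted in the thread.
SPAM_HTML = ('<meta http-equiv="Content-Type" content="text/html"><style>\n'
             + "\n".join("0a1b2c3d-e4f5-%03x-%03x-0123456789ab" % (i, i)
                         for i in range(200))
             + "\n</style><p>body of message</p>")
HAM_HTML = ("<style>/* newsletter */ body { margin: 0; }\n"
            "@media screen { p.note { color: #333; } }</style><p>hello</p>")

if __name__ == "__main__":
    print(has_gibberish_style(SPAM_HTML), has_gibberish_style(HAM_HTML))
```

This is a heuristic scored on structure only, so a hit is better used as one signal combined with others (as the meta suggestion above does) than as a sole reason to reject.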
