I just got a spam that scored relatively low (mostly due to DNSWL_MED). But it also contained an html attachment that would have scored significantly more had it been part of the main message.
I put it at http://pastebin.com/vXF0vGVS

When I run the complete message, I only get a few hits, mostly relating to the headers:

X-Spam-Status: Yes, score=5.534 tagged_above=-99 required=4.5
        tests=[BOTNET_SOHO=-0.1, DEAR_FRIEND=2.604, FORGED_MUA_OUTLOOK=2.785,
        L_P0F_Linux=1, NSL_RCVD_FROM_USER=1.226, RCVD_IN_DNSWL_MED=-2.3,
        RCVD_IN_LBBL_RELAY=0.3, RELAY_US=0.01, SPF_PASS=-0.001,
        T_OBFU_HTML_ATTACH=0.01] autolearn=disabled

When I run just the attachment through spamassassin, I get the usual advance fee hits (and the "no headers" hits, since it isn't an email at that point...):

X-Spam-Report:
        *  0.0 HK_SCAM_N2 BODY: HK_SCAM_N2
        *  0.2 FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.)
        * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
        *  1.2 MISSING_HEADERS Missing To: header
        *  0.1 MISSING_MID Missing Message-Id: header
        *  1.8 MISSING_SUBJECT Missing Subject: header
        *  0.0 LOTS_OF_MONEY Huge... sums of money
        *  0.0 T_HK_NAME_MR_MRS T_HK_NAME_MR_MRS
        * -0.0 NO_RECEIVED Informational: message has no Received headers
        *  1.4 MISSING_DATE Missing Date: header
        *  3.1 RISK_FREE No risk
        *  0.4 TO_NO_BRKTS_PCNT To: misformatted + percentage
        *  1.5 ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
        *  2.4 ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
        *  0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822
        *      headers
        *  0.5 ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
        *  0.0 T_MONEY_PERCENT X% of a lot of money for you
        *  0.5 ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
        *  1.0 ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
        *  1.0 MONEY_FRAUD_5 Lots of money and many fraud phrases
        *  1.5 MONEY_FRAUD_8 Lots of money and very many fraud phrases
        *  0.5 MONEY_FRAUD_3 Lots of money and several fraud phrases

Any suggestions for improving the detection of this new variant? I'll toss it in my nightly MC directory as well...

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
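The gap the post describes is that the scam text lives in an HTML attachment, so body-style rules never see it and the message is scored almost entirely on its headers. The following is an added illustration (not the poster's code and not SpamAssassin's own rule engine): it walks a message, pulls the rendered text out of every HTML part delivered as an attachment, and runs a few phrase checks modelled on the rule names in the report above. The regexes and weights (`RULES`), the helper names, and the constructed sample message are all assumptions for illustration; only the rule names RISK_FREE, LOTS_OF_MONEY and MONEY_PERCENT and the 3.1 score for RISK_FREE come from the post.

```python
"""Score text carried in HTML attachments with body-style phrase rules.

Added example; the patterns and weights below are illustrative stand-ins,
not SpamAssassin's real regexes or scores.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Illustrative rules (assumed): name, pattern, weight. RISK_FREE's 3.1 matches
# the report in the post; the other two weights are made up for the example.
RULES = [
    ("RISK_FREE", re.compile(r"\brisk[\s-]*free\b", re.I), 3.1),
    ("LOTS_OF_MONEY", re.compile(r"(?:US\$|USD|\$|£|€)\s?\d{1,3}(?:,\d{3}){2,}"), 1.0),
    ("MONEY_PERCENT", re.compile(r"\b\d{1,2}(?:\.\d+)?\s?%"), 0.5),
]


class _TextExtractor(HTMLParser):
    """Collect visible text from HTML, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self._chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self._chunks.append(data)

    def text(self) -> str:
        # Collapse whitespace so phrases split across tags still match.
        return re.sub(r"\s+", " ", " ".join(self._chunks)).strip()


def html_to_text(html: str) -> str:
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return parser.text()


def attachment_texts(raw: bytes) -> list:
    """Return rendered text of every text/html part sent as an attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    texts = []
    for part in msg.walk():
        if part.get_content_type() == "text/html" and part.is_attachment():
            texts.append(html_to_text(part.get_content()))
    return texts


def score_text(text: str):
    """Apply RULES once over the combined text; returns (score, hit names)."""
    hits = [name for name, pattern, _ in RULES if pattern.search(text)]
    total = sum(weight for name, _, weight in RULES if name in hits)
    return round(total, 2), hits


def score_message(raw: bytes):
    """Score only what the attachments say, the part header rules miss."""
    return score_text(" ".join(attachment_texts(raw)))


def build_sample() -> bytes:
    """Constructed sample: bland plain-text body, 419 pitch in an HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Dear Friend"
    msg.set_content("Dear Friend, kindly see the attached file.")
    html = (
        "<html><body><p>Dear Friend,</p>"
        "<p>I have a <b>risk free</b> proposal worth US$15,500,000.00, of which "
        "30% will be for you.</p></body></html>"
    )
    msg.add_attachment(html, subtype="html", filename="proposal.html")
    return bytes(msg)


if __name__ == "__main__":
    score, hits = score_message(build_sample())
    print(f"attachment score {score}: {', '.join(hits)}")
```

The plain-text body of the sample triggers nothing here; every hit comes from rendering the attachment first, which is the step the normal body scan skips when the pitch arrives as a file.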