« Upgraded Traveler and Domino to 8.5 - How to get rich text on Windows Mobile? | Main| Notes 8.5 runs almost fine in Windows 7 Beta (which again runs fine in VMWARE 6.5) ... »

Smart CSS-usage create new type of spam not easily detected by anti-spam solutions?

Tags: Spam
Simply by using smart float:right-CSS, an incoming mail obfuscate the real bad words and have many spam-solutions not detect the spam.
Read on to see what it looks like and how it works
Yesterday the following message popped up in my mail;

A picture named M2

My first thought was that somehow my anti-spam solution had stopped or something, since I know  that I have "viagra" in the list of bad words...

But, when I looked more thoroughly at the message I discovered  that when I select some text in the message ...
it was selected in TWO  places at the same time ....

A picture named M3

When I look at the mail in my List Fields, I clearly see that there is something special with the Body-field content;

A picture named M4

This is of course the reason where spam solutions don't detect bad words ...

When I take a further look at the content in the Body field, it contains MIME and HTML code. It seems like a tool named 3DGENERATOR has made the text, and it uses CSS to flip around text so it looks right The MIME content in the field is;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 40 Transitional//EN">
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
 <BODY bgColor=#ffffff>
<DIV><FONT face=Arial>&nbsp;</FONT>
<FONT face=Arial>
Are you co<span style=float:right> N </span>nc<span style=float:right> a </span>entr<span style=float:right> N </span>ati<span style=float:right> U </span>ng a lot on getting and keeping your <span style=float:right> y </span>e<span style=float:right> x </span>r<span style=float:right> e </span>e<span style=float:right> v </span>c<span style=float:right> l </span>tion ?</FONT></DIV><DIV><FONT face=Arial>&nbsp;</FONT><DIV><FONT ace=Arial>You no longer have the <span style=float:right> k </span>a<span style=float:right> u </span>n<span style=float:right> u </span>x<span style=float:right> a </span>i<span style=float:right> y </span>e<span style=float:right> b </span>t<span style=float:right> a </span>y over losing our <span style=float:right> s </span>e<span style=float:right> e </span>r<span style=float:right> f </span>e<span style=float:right> s </span>c<span style=float:right> i </span>tion at any moment ,</FONT></DIV><DIV><FONT face=Arial>and you can once again relax and c<span style=float:right> 4 </span>oncentra<span style=float:right> L </span>te on your par<span style=float:right> 9 </span>tner's ple<span style=float:right> W </span>asure.</FONT></DIV><DIV><FONT face=Arial>&nbsp;</FONT><DIV><FONT face=Arial><A href="http://www.yexehjoaju.com">Tr<span style=float:right> G </span>y <span style=float:right> j </span>V<span style=float:right> n </span>i<span style=float:right> a </span>a<span style=float:right> a </span>g<span style=float:right> j </span>r<span style=float:right> k </span>a.</A></FONT></DIV></BODY>

Pretty smart usage of CSS and the float:right logic really ... By the way, the text looks obfuscated in Notes 7 clients due to the somewhat bad render engine. In Notes 8, which has a much better HTML renderer it looks "right".

How can anti-spam solutions detect such mails. Perhaps by specifying bad words like "3DGENERATOR" or by rendering the MIME/HTML in special sand boxed environments, and then look at the result of the message?!

Has anybody seen this before? I don't find much info on 3DGENERATOR on the net, but perhaps I search the wrong places, ha ha!

Post A Comment