Mailing List Archive: SpamAssassin: users

Babelfish obfuscation

 

 



brennan at columbia

Oct 5, 2009, 8:06 AM

Post #1 of 9 (643 views)
Babelfish obfuscation

From spam today:


<a
href="http://66.196.80.202/babelfish/translate_url_content?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E"
style="text-decoration: none; color: #0099ff;">click here</a>


Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
then %2E%63%6E for .cn

Joseph Brennan
Columbia University Information Technology


guenther at rudersport

Oct 5, 2009, 8:16 AM

Post #2 of 9 (628 views)
Re: Babelfish obfuscation

On Mon, 2009-10-05 at 11:06 -0400, Joseph Brennan wrote:
> Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
> then %2E%63%6E for .cn

Without checking -- I believe, all you need is a redirector_pattern for
the IP redirector, to extract the target URI. The list of URIs should
also contain a cleaned version of the extracted target URI, with the
escapes converted.


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


jhardin at impsec

Oct 5, 2009, 8:27 AM

Post #3 of 9 (624 views)
Re: Babelfish obfuscation

On Mon, 5 Oct 2009, Joseph Brennan wrote:

> From spam today:
>
> <a
> href="http://66.196.80.202/babelfish/translate_url_content?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E"
> style="text-decoration: none; color: #0099ff;">click here</a>
>
> Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
> then %2E%63%6E for .cn

Warren:

I guess that's an argument against anchoring CN_EIGHT at the beginning of
the URI...

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You cannot bring about prosperity by discouraging thrift. You
cannot help small men by tearing down big men. You cannot
strengthen the weak by weakening the strong. You cannot lift the
wage-earner by pulling down the wage-payer. You cannot help the
poor man by destroying the rich. You cannot keep out of trouble by
spending more than your income. You cannot further the brotherhood
of man by inciting class hatred. You cannot establish security on
borrowed money. You cannot build character and courage by taking
away men's initiative and independence. You cannot help men
permanently by doing for them what they could and should do for
themselves. -- William J. H. Boetcker
-----------------------------------------------------------------------
Approximately 9183900 firearms legally purchased in the U.S. this year


guenther at rudersport

Oct 5, 2009, 8:34 AM

Post #4 of 9 (628 views)
Re: Babelfish obfuscation

On Mon, 2009-10-05 at 08:27 -0700, John Hardin wrote:
> I guess that's an argument against anchoring CN_EIGHT at the beginning of
> the URI...

No, it is not.

It's an argument for a new redirector_pattern. The extracted target URIs
are provided for uri rules.

Or alternatively, seriously kicking some redirector provider's butts...




me at junc

Oct 5, 2009, 10:54 AM

Post #5 of 9 (619 views)
Re: Babelfish obfuscation

On Mon 05 Oct 2009 17:06:19 CEST, Joseph Brennan wrote

> Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
> then %2E%63%6E for .cn

Yahoo accepts content to be on their IP?

Let's block that IP, then.

--
xpoint


me at junc

Oct 5, 2009, 10:56 AM

Post #6 of 9 (618 views)
Re: Babelfish obfuscation

On Mon 05 Oct 2009 17:16:06 CEST, Karsten Bräckelmann wrote
> Without checking -- I believe, all you need is a redirector_pattern for
> the IP redirector, to extract the target URI. The list of URIs should
> also contain a cleaned version of the extracted target URI, with the
> escapes converted.

I have had this in mind for so long with a lot of spam on Yahoo, but
don't know how to make that work :/

--
xpoint


wtogami at redhat

Oct 5, 2009, 11:06 AM

Post #7 of 9 (620 views)
Re: Babelfish obfuscation

On 10/05/2009 11:27 AM, John Hardin wrote:
> Warren:
>
> I guess that's an argument against anchoring CN_EIGHT at the beginning
> of the URI...
>

I wasn't the one that suggested anchoring.

Did the old rule decode %2E%63%6E as .cn though?

Warren


guenther at rudersport

Oct 5, 2009, 11:26 AM

Post #8 of 9 (612 views)
Re: Babelfish obfuscation

On Mon, 2009-10-05 at 19:56 +0200, Benny Pedersen wrote:
> On Mon 05 Oct 2009 17:16:06 CEST, Karsten Bräckelmann wrote

> > Without checking -- I believe, all you need is a redirector_pattern for
> > the IP redirector, to extract the target URI. The list of URIs should
> > also contain a cleaned version of the extracted target URI, with the
> > escapes converted.
>
> I have had this in mind for so long with a lot of spam on Yahoo, but
> don't know how to make that work :/

redirector_pattern m~http://example.net/redir?uri=(target)~
                                                  ^^^^^^^^
The redirector_pattern pretty much is a simple uri rule. With one
notable difference: It needs exactly one capturing match. The captured
match will be added to the list of URIs, just the same as if it would
have appeared as a plain, ordinary URI in the message.

Entirely from memory -- down with a cold, can't be arsed to cross-check
my claims today. ;)

guenther




jhardin at impsec

Oct 5, 2009, 4:28 PM

Post #9 of 9 (619 views)
Re: Babelfish obfuscation

On Mon, 5 Oct 2009, Karsten Bräckelmann wrote:

> On Mon, 2009-10-05 at 19:56 +0200, Benny Pedersen wrote:
>> On Mon 05 Oct 2009 17:16:06 CEST, Karsten Bräckelmann wrote
>
>>> Without checking -- I believe, all you need is a redirector_pattern for
>>> the IP redirector, to extract the target URI. The list of URIs should
>>> also contain a cleaned version of the extracted target URI, with the
>>> escapes converted.
>>
>> I have had this in mind for so long with a lot of spam on Yahoo, but
>> don't know how to make that work :/
>
> redirector_pattern m~http://example.net/redir?uri=(target)~

Tested:

redirector_pattern m;^https?://[^/]+/babelfish/.*\?.*url=(http:.+)$;


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The question of whether people should be allowed to harm themselves
is simple. They *must*. -- Charles Murray
-----------------------------------------------------------------------
Approximately 9194940 firearms legally purchased in the U.S. this year
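
A worked model of Karsten's explanation of redirector_pattern and of John's tested pattern, as an added Python example (not SpamAssassin's own code): the pattern must have exactly one capture, the captured target joins the URI list, and a percent-decoded copy of it is what lets a uri rule see the real .cn host behind %2E%63%6E. The regex and the sample href come from the thread; the function names and the minimal URI-list model are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Added example, not SpamAssassin code: a minimal model of how a
# redirector_pattern feeds the URI list that uri rules are run over.

# The pattern John Hardin reported as tested, as a Python regex
# (SpamAssassin writes the same body as m;...;).
REDIRECTOR_PATTERNS = [
    re.compile(r'^https?://[^/]+/babelfish/.*\?.*url=(http:.+)$'),
]

# The href from the spam quoted at the top of the thread.
SAMPLE_HREF = ("http://66.196.80.202/babelfish/translate_url_content"
               "?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E")


def extract_uris(uri):
    """Return the URIs a rule would see: the URI itself plus, for each
    matching redirector_pattern, the captured target and a cleaned copy
    with the percent-escapes decoded (when decoding changes anything)."""
    uris = [uri]
    for pat in REDIRECTOR_PATTERNS:
        # Karsten's constraint: exactly one capturing group.
        if pat.groups != 1:
            raise ValueError("redirector_pattern needs exactly one capture")
        m = pat.search(uri)
        if m is None:
            continue
        target = m.group(1)
        uris.append(target)
        decoded = unquote(target)
        if decoded != target:
            uris.append(decoded)
    return uris


def hostname(uri):
    """Lower-cased host part of an http(s) URI, or '' if it has none."""
    m = re.match(r'^https?://([^/?#]+)', uri)
    return m.group(1).lower() if m else ""


def cn_hosts(uri):
    """Hosts in the extracted URI list that end in .cn: the raw target
    ('...%2E%63%6E') does not, the decoded copy does."""
    return [h for h in map(hostname, extract_uris(uri)) if h.endswith(".cn")]
```

Without the decoded copy, a rule anchored on the host part would only ever see 66.196.80.202 and the undecoded target, which is the gap the thread is about.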
