[spambayes-dev] Clever avoidance technique
Greg Ward
gward at python.net
Sun Nov 30 12:16:14 EST 2003
Here's a nifty variation on the invisible-text-in-HTML tactic: make the
invisible text vaguely relevant to the recipient of the spam. I just
got one this morning that's immediately, obviously spam from these
headers:

    From: "Inconvenience O. Imprecision" <esteves at belice.com>
    To: Gward <gward at python.net>
    Subject: Gward, meet singles in your area U7n2QHvxKLmBOhTROl57D5Q7crCNQzbL
    Date: Sat, 29 Nov 2003 16:42:22 -0500

but if I look in the HTML body, I see this:

    <p><font color=3d"#FFFFFF">The Defense Technical Information Center (DTIC=
    =ae) is the central facility for the collection and dissemination of scie=
    ntific and technical information for the Department of Defense (DoD)=2e M=
    uch of this information is made available by DTIC in the form of technica=
    l reports about completed research, and research summaries of ongoing res=
    earch=2e u62Mb6TFJNptB0duTKrhqDiJDdBNRazm</font></p>

which isn't terribly relevant to me... but a little farther on (after
the actual spam payload, encoded of course), we see this:

    <p><font color=3d"#FFFFFF">The Handle System allows handles to be both cr=
    eated and resolved in a distributed fashion (see the diagram on this page=
    for an overview of the Handle System architecture)=2e Both creation and =
    resolution can be accomplished using dedicated clients, common clients su=
    ch as web browsers using special extensions or plug-ins, or unextended cl=
    ients going through various proxies=2e In all cases, communication with t=
    he Handle System is carried out using the Handle System protocol which ha=
    s a formal specification and some specific implementations, all freely av=
    ailable from CNRI=2e The protocol has a corresponding client library avai=
    lable in C and Java=2e The C client library has been used by CNRI in the =
    creation of a handle-aware extension to the Netscape and Microsoft web br=
    owsers=2e The Java client library has been used to create an http-to-hand=
    [...]

Interesting! This would probably count as ham for any computer geek.
However, the above blurb describes software produced by my former
employer, and you can probably get to it with 3 or 4 clicks from my home
page. And, knowing CNRI, the first blurb is probably vaguely related --
most of their money comes from the US military-industrial-entertainment
complex, after all.

This feels very much like it's targeted at Bayesian filters -- e.g. I
suspect SpamAssassin pre-2.6 would have had a better chance at calling
this one spam than Spambayes (which scored it 0.198, just barely ham for
my thresholds).

Full message attached in case you're curious.

Greg
--
Greg Ward <gward at python.net> http://www.gerg.ca/
Earn cash in your spare time -- blackmail your friends!
-------------- next part --------------
An embedded message was scrubbed...
From: "Inconvenience O. Imprecision" <esteves at belice.com>
Subject: Gward, meet singles in your area U7n2QHvxKLmBOhTROl57D5Q7crCNQzbL
Date: Sat, 29 Nov 2003 16:42:22 -0500
Size: 4908
Url: http://mail.python.org/pipermail/spambayes-dev/attachments/20031130/d32a569a/meet-singles.mht
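
Added example, not part of the original post and not Spambayes code: one way a filter's preprocessing could separate the white-on-white filler described above from the text the recipient actually sees. It assumes the message renders on a white background; `HiddenTextSplitter`, `split_hidden` and `hidden_ratio` are names made up for this example, and the sample body is constructed.

```python
import quopri
from html.parser import HTMLParser

# Assumption: the message renders on the default white background, so these
# foreground colours make text invisible to the reader.
WHITE = {"#ffffff", "#fff", "white"}

class HiddenTextSplitter(HTMLParser):
    """Separate text a reader sees from text hidden by <font color=white>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.font_stack = []      # one bool per open <font>: is it invisible?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "font":
            color = (dict(attrs).get("color") or "").strip().lower()
            # A nested <font> without its own colour inherits the parent's.
            inherited = bool(self.font_stack) and self.font_stack[-1]
            self.font_stack.append(color in WHITE if color else inherited)

    def handle_endtag(self, tag):
        if tag == "font" and self.font_stack:
            self.font_stack.pop()

    def handle_data(self, data):
        invisible = bool(self.font_stack) and self.font_stack[-1]
        (self.hidden if invisible else self.visible).extend(data.split())

def split_hidden(qp_body: bytes):
    """Decode a quoted-printable HTML part; return (visible, hidden) word lists."""
    parser = HiddenTextSplitter()
    parser.feed(quopri.decodestring(qp_body).decode("latin-1"))
    parser.close()
    return parser.visible, parser.hidden

def hidden_ratio(qp_body: bytes) -> float:
    """Fraction of the words in the part that the recipient cannot see."""
    visible, hidden = split_hidden(qp_body)
    total = len(visible) + len(hidden)
    return len(hidden) / total if total else 0.0

# Constructed sample, shaped like the quoted-printable body quoted in the post.
SAMPLE = (
    b'<p><font color=3d"#FFFFFF">The Handle System allows handles to be both cr=\n'
    b'eated and resolved in a distributed fashion=2e</font></p>\n'
    b'<p><font color=3d"#000000">meet singles in your area</font></p>\n'
)
```

A tokenizer could pass only the visible words to the classifier, or record the hidden-word ratio as a separate clue, so that filler chosen to look like the recipient's ham does not dilute the score.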