Sign in to follow this  
Followers 0
spamtrap63

Spammers' new trick? - Unparsed RTF attachments

2 posts in this topic

Hi, I was hoping to be able to report this directly to spamcop, but not easy to contact them.

I just submitted a new sample, and the mail analyser did not apparently pick up the url contained in the body, which I reproduce here because it is small:

-----------------76F973CC666399.6ofq8qrS

Content-Type: application/octet-stream;

name="unduly.rtf"

Content-Transfer-Encoding: base64

e1xydGYxXGFuc2lcYW5zaWNwZzEyNTJcZGVmZjBcZGVmbGFuZzEwMzN7XGZvbnR0Ymx7XGYwXGZu

aWxcZmNoYXJzZXQwIENhbGlicmk7fX0NCntcY29sb3J0YmwgO1xyZWQwXGdyZWVuMFxibHVlMjU1

O30NCntcKlxnZW5lcmF0b3IgTXNmdGVkaXQgNS40MS4yMS4yNTA5O31cdmlld2tpbmQ0XHVjMVxw

YXJkXHNhMjAwXHNsMjc2XHNsbXVsdDFcbGFuZzlcZjBcZnMyMntcZmllbGR7XCpcZmxkaW5zdHtI

WVBFUkxJTksgImh0dHA6Ly81NS0xMS5jbiJ9fXtcZmxkcnNsdHtcdWxcY2YxIGh0dHA6Ly81NS0x

MS5jbn19fVxmMFxmczIyICAtIGJ1eSB2aWFncmEsIGNpYWxpcywgbGV2aXRyYSBhbmQgb3RoZXIg

bWVkc1xwYXINCn0=

-----------------76F973CC666399.6ofq8qrS--

and this rtf file decodes to simply:

{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}

{\colortbl ;\red0\green0\blue255;}

{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\sa200\sl276\slmult1\lang9\f0\fs22{\field{\*\fldinst{HYPERLINK "http://55-11.cn"}}{\fldrslt{\ul\cf1 ht tp://55-11.cn} }}\f0\fs 22 - buy viagra, cialis, levitra and other meds\par

The url is plain unobfuscated text so should have been noticed!

Could someone please forward this on to the developer(s) ?

Cheers,

Andy.

[edit 'clickable' link broken]

Edited by Farelf

Share this post


Link to post
Share on other sites
Hi, I was hoping to be able to report this directly to spamcop, but not easy to contact them.
Hi Andy,

There are many reference to SC contacts - but that would be the SC Admin or SC deputies, there is no 'direct number' for engineering/development. If you have a suggestion for an enhancement to 'the system' that should posted to the New Feature Request Forum but it is not clear yet whether this 'new trick' is really that. It is not at all new for spam to contain BASE64 parts - see http://www.spamcop.net/fom-serve/cache/283.html - but certain content (such as graphics) are not handled and that is well known to the developers.

... I just submitted a new sample, and the mail analyser did not apparently pick up the url contained in the body, which I reproduce here because it is small:...
The above FAQ might lead you to understand "... SpamCop normally decodes and parses Base64 fine" which might indicate some sort of deviance from expected parser performance but no-one could tell unless you provide a Tracking URL which will reveal the full context of the message and its parse. And a tracker refrains from pasting a clickable link to a 'spamvertizement' in these (public and search-engine indexed) pages. Which you should try not to do in future (I broke the link this time).

You can send your example to SC staff - service[at]admin.spamcop.net or deputies[at]admin.spamcop.net (they will expect a tracking URL too) or you can discuss it further here, whatever you prefer. It is possibly better to explore the issues 'here', for the advancement of (other/all) user knowledge.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0