
List:       bleeding-sigs
Subject:    [Bleeding-sigs] Image Spam Signatures
From:       Matt Jonkman <mjonkman () infotex ! com>
Date:       2006-09-12 19:39:18
Message-ID: 45070CE6.3020207 () infotex ! com

Cam from the U of Texas Austin has given us permission to publish a
couple of signatures he's worked up. Here's his initial discussion, and
below that are the sigs we've committed.

--------

We've been using the following signatures to identify the bloody image
spams for the past month or so with decent success. I can't seem to
get our anti-spam vendor to adopt them, but feel free to see if they
work for you.

/--------------------------------------------------------------------

# simpler, but potentially more false positives

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Image Spam Inbound (simple rule)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; classtype:misc-activity; sid:2003096; rev:1;)

# longer match on the same base64 run, fewer false positives

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Image Spam Inbound (complex rule)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; content:"QIAAQKAAQMAAQOAAQAAgQCAgQEAgQGAgQIAgQKAgQMAgQOAgQABAQCBAQEBAQGBAQIBAQKBA"; content:"QMBAQOBAQABgQCBgQEBgQGBgQIBgQKBgQMBgQOBgQACAQCCAQECAQGCAQICAQKCAQMCAQOCA"; content:"QACgQCCgQECgQGCgQICgQKCgQMCgQOCgQADAQCDAQEDAQGDAQIDAQKDAQMDAQODAQADgQCDg"; content:"QEDgQGDgQIDgQKDgQMDgQODgQAAAgCAAgEAAgGAAgIAAgKAAgMAAgOAAgAAggCAggEAggGAg"; content:"gIAggKAggMAggOAggABAgCBAgEBAgGBAgIBAgKBAgMBAgOBAgABggCBggEBggGBggIBggKBg"; content:"gMBggOBggACAgCCAgECAgGCAgICAgKCAgMCAgOCAgACggCCggECggGCggICggKCggMCggOCg"; content:"gADAgCDAgEDAgGDAgIDAgKDAgMDAgODAgADggCDggEDggGDggIDggKDggMDggODggAAAwCAA"; content:"wEAAwGAAwIAAwKAAwMAAwOAAwAAgwCAgwEAgwGAgwIAgwKAgwMAgwOAgwABAwCBAwEBAwGBA"; content:"wIBAwKBAwMBAwOBAwABgwCBgwEBgwGBgwIBgwKBgwMBgwOBgwACAwCCAwECAwGCAwICAwKCA"; content:"wMCAwOCAwACgwCCgwECgwGCgwICgwKCgwMCgwOCgwADAwCDAwEDAwGDAwIDAwKDAwP/78KCg"; classtype:misc-activity; sid:2003097; rev:1;)

/---------------------------------------------------------------------

This base64 appears to be common to all of the image spam I have run across
recently (2.6M+ samples), and I am fairly certain that it represents the
global color table of the GIFs. The image spams all use the same identical
global color table, perhaps based on the tool used to convert the text to a
GIF, etc.?

It is surprising to me that the spammers haven't noticed this, since they've
gone to the effort to put random pixels in the images to make them each
unique and thus foil signature-based schemes. The anti-spam community may
have already identified this, but I wanted to propose it nonetheless...
Perhaps this is known, but generates too many false positives?
Or perhaps it is easily defeated?



-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
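Cam's reading of the base64 run matched by the rules above, that it is the GIF global color table, can be checked by decoding it. The script below is an added example and is not part of the original post or of the Bleeding Edge rule set. It concatenates the thirteen content strings of sid:2003097 in rule order (each is 72 characters, so the run stays aligned to base64's 4-character groups), decodes them, splits the result into 3-byte RGB entries, and counts how many sit on a regular grid with four R levels and eight G and B levels, which is what a text-to-GIF converter writing a fixed 256-colour palette would produce. It then re-wraps the same run at a 76-column MIME line width to show a limitation of the rules as written: a Snort content match cannot span a CRLF, so each 72-character piece only matches when it happens to fall inside one encoded line. The 4x8x8 grid, the 76-column wrap and the sample body are assumptions of this example, not facts stated in the post.

```python
import base64

# The 13 base64 content matches from sid:2003097 ("complex rule"), copied
# from the rule in order. Each piece is 72 chars, so joining them keeps the
# 4-char base64 alignment.
PIECES = [
    "AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg",
    "AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA",
    "AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA",
    "QIAAQKAAQMAAQOAAQAAgQCAgQEAgQGAgQIAgQKAgQMAgQOAgQABAQCBAQEBAQGBAQIBAQKBA",
    "QMBAQOBAQABgQCBgQEBgQGBgQIBgQKBgQMBgQOBgQACAQCCAQECAQGCAQICAQKCAQMCAQOCA",
    "QACgQCCgQECgQGCgQICgQKCgQMCgQOCgQADAQCDAQEDAQGDAQIDAQKDAQMDAQODAQADgQCDg",
    "QEDgQGDgQIDgQKDgQMDgQODgQAAAgCAAgEAAgGAAgIAAgKAAgMAAgOAAgAAggCAggEAggGAg",
    "gIAggKAggMAggOAggABAgCBAgEBAgGBAgIBAgKBAgMBAgOBAgABggCBggEBggGBggIBggKBg",
    "gMBggOBggACAgCCAgECAgGCAgICAgKCAgMCAgOCAgACggCCggECggGCggICggKCggMCggOCg",
    "gADAgCDAgEDAgGDAgIDAgKDAgMDAgODAgADggCDggEDggGDggIDggKDggMDggODggAAAwCAA",
    "wEAAwGAAwIAAwKAAwMAAwOAAwAAgwCAgwEAgwGAgwIAgwKAgwMAgwOAgwABAwCBAwEBAwGBA",
    "wIBAwKBAwMBAwOBAwABgwCBgwEBgwGBgwIBgwKBgwMBgwOBgwACAwCCAwECAwGCAwICAwKCA",
    "wMCAwOCAwACgwCCgwECgwGCgwICgwKCgwMCgwOCgwADAwCDAwEDAwGDAwIDAwKDAwP/78KCg",
]
FRAGMENT = "".join(PIECES)


def decode_triples(b64: str) -> list:
    """Decode a base64 run and split it into 3-byte (R, G, B) palette entries."""
    raw = base64.b64decode(b64)
    usable = len(raw) - len(raw) % 3          # drop a trailing partial entry
    return [tuple(raw[i:i + 3]) for i in range(0, usable, 3)]


def lattice_entries(triples: list) -> list:
    """Entries on the assumed 4x8x8 converter grid: R a multiple of 0x40,
    G and B multiples of 0x20 (assumption of this example)."""
    return [t for t in triples
            if t[0] % 0x40 == 0 and t[1] % 0x20 == 0 and t[2] % 0x20 == 0]


def channel_levels(triples: list) -> tuple:
    """Distinct values used per channel, to count the palette's levels."""
    return tuple(sorted({t[i] for t in triples}) for i in range(3))


def wrap_mime(b64: str, width: int = 76) -> str:
    """Constructed sample body: the run re-wrapped the way a MIME base64
    encoder would emit it (76 columns, CRLF), starting at column 0."""
    return "\r\n".join(b64[i:i + width] for i in range(0, len(b64), width)) + "\r\n"


def raw_content_match(body: str) -> bool:
    """Mimic the rule: every piece must occur as one contiguous byte string."""
    return all(p in body for p in PIECES)


def unwrapped_match(body: str) -> bool:
    """Same check on the logical base64 stream, i.e. after removing line breaks."""
    return raw_content_match(body.replace("\r\n", "").replace("\n", ""))


if __name__ == "__main__":
    triples = decode_triples(FRAGMENT)
    on_grid = lattice_entries(triples)
    print(f"{len(triples)} palette entries decoded, {len(on_grid)} on the 4x8x8 grid")
    for name, vals in zip("RGB", channel_levels(on_grid)):
        print(f"{name} levels:", " ".join(f"{v:02x}" for v in vals))
    for t in triples[:4] + triples[-2:]:
        print("  %02x %02x %02x" % t)
    body = wrap_mime(FRAGMENT)
    print("contiguous match on 76-column wrapped body:", raw_content_match(body))
    print("match after unwrapping the base64 lines:  ", unwrapped_match(body))
```

The decoded run walks G fastest, then B, then R, in equal steps, which is what a programmatic palette looks like and nothing a real photograph would contain; only the last two entries of the run fall off the grid. On the wrapped sample every piece after the first straddles a line break and the rule-style check fails, while the check on the unwrapped stream succeeds: the rules above depend on the spam generator placing the table at a consistent offset inside its base64 lines, and a decoder-side check (or a preprocessor that strips the line breaks) is what removes that dependence.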
