
Keyword - Spam


Wednesday, August 13 2008

And so you wanted to protect your email address on your website...

People start thinking about how to prevent spam while they are building a website; that is a fact, and a very good one. The only problem is when they don't actually know how a bot handles the HTML page...

For instance, I was browsing qik.com and saw this little piece of JavaScript meant to protect the email address from exposure:

<script type="text/javascript">
//<![CDATA[
  document.write('<a href="mailto:XXXX@qik.com"\
    title="Send us an email!">XXXX@qik.com<\/a>');
//]]>
</script>

As readers of this blog may know, a bot's process is really simple: download the HTML page (crawling), then try to extract email addresses from it (parsing). It is obvious that a bot would not care about the CDATA section, or about the address being embedded in JavaScript code. If I had to write a bot, I would use a very lossy parser in order to gather as much information as possible, and I would not care about "which context am I in?". Also, according to some testing I'm doing, I can tell you that if this were a URL, the Google bots would pick it up...

So please, obfuscate this at least a bit... some examples can be found on fuckthespam.com
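As an added example (not code from the original post, nor from qik.com), here is a harvester written the lossy way the paragraph describes, run over a constructed copy of the snippet above, next to one obfuscation that the same harvester misses. The regular expression, the sample page and the helper names are my own:

```javascript
// Added example: a deliberately lossy address harvester, and one obfuscation
// that keeps the address out of its reach. Sample page and names are my own.

// Constructed sample page: the document.write() snippet from the post.
const SAMPLE_PAGE = `
<p>Contact us</p>
<script type="text/javascript">
//<![CDATA[
  document.write('<a href="mailto:XXXX@qik.com"\\
    title="Send us an email!">XXXX@qik.com<\\/a>');
//]]>
</script>`;

// A harvester does not care about context: it scans the raw text for
// anything shaped like an address, script blocks and CDATA included.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

function harvest(html) {
  return Array.from(new Set(html.match(EMAIL_RE) || []));
}

// Obfuscation that defeats this harvester: the address never appears as
// contiguous text. User and domain parts are separate strings, and the
// '@' and '.' are produced from character codes only when the script runs.
function obfuscatedLink(user, domain, label) {
  const at = '@'.charCodeAt(0), dot = '.'.charCodeAt(0);
  const domainParts = domain.split('.');
  return `<script type="text/javascript">
  var u = ${JSON.stringify(user)};
  var d = ${JSON.stringify(domainParts)};
  var a = u + String.fromCharCode(${at}) + d.join(String.fromCharCode(${dot}));
  document.write('<a href="mailto:' + a + '">' + ${JSON.stringify(label)} + '<\\/a>');
</script>`;
}

// What a browser that runs the script ends up with: a working address.
function assemble(user, domain) {
  return user + '@' + domain;
}
```

The first technique only holds against a crawler that does not execute JavaScript; a crawler driving a real browser engine sees the assembled link exactly as a human does, which is the same weakness the post points out for the document.write() version.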

Friday, January 25 2008

Protection against spam bot | fuckthespam.com

I used to work a bit on spam bot protection, whether for protecting email addresses from disclosure or against spam on the website itself. I then started a stupid website called http://fuckthespam.com where I will gather some spam (the funny kind) but also list some anti-spam techniques :)

Hopefully I will also be able to put together a history of spam, to see how the techniques and the content have evolved.

Wednesday, April 11 2007

Pretty good CAPTCHA: Against the current OCR

Today I was reminded of a study from Cmabrigde (http://www.mrc-cbu.cam.ac.uk/~mattd/Cmabrigde/). The idea is that a human needs only a few letters of a word, in the right places, to recognise that word (this does not hold for every word, but it should not be hard to find suitable ones).
So the idea is basically to create a CAPTCHA as an image of a word whose letters are disordered in a way a human can still read (the first and last letters stay in place, the ones in between are shuffled), such as:

CNOTNENT
MANAEGR
KITHCEN
etc.


Okay, with a current OCR-based attack bot, it is doable if you have a dictionary: use something like the Levenshtein distance and, for the word your OCR produced, pick the dictionary entry that minimises the distance.
But then, the CAPTCHA does not necessarily contain only one word...
The only problem I can see with this method is that the dictionary you use to generate the CAPTCHA has to be in the language of the targeted humans. But then, for most websites, you know what readers/users you have...

If I have time I'd try to create a lib for this...

Once in a while: spam not filtered by Gmail

FROM THE DESK OF DR AZIZAN COKER BILL AND EXCHANGE MANAGER, BANK OF AFRICA, OUAGADOUGOU BUKINA-FASO.

PLANE CRASH WEB SITE...http://news.bbc.co.uk/1/hi/world/europe/859479.stm

("REMITTANCE OF $25.8 MILLION U.S.A DOLLARS (CONFIDENTIAL IS THE CASE")

Compliment Of The Day,

I am Dr Azizan Coker from burkina faso.I want to seek your assistance after my discovery during auditing in my bank as am the manager of Bill and Exchange at the Foriegn Remittance Department of BANK OF AFRICA,(B.O.A.) In my department we discovered an abandoned sum of USD$25.8million US dollars in an account that belongs to one of our foreign customers who died along with his entire family in plane Crashes 2000,

Since his death, we have been expecting his next of Kin to come over and claim his money because we can not release it unless somebody applies for it as next of Kin or relation to the deceased as indicated in our banking and financial policies but unfortunately all the efforts proved abortive.

IT is therefore upon this discovery that I decided as the head of my department to make this business proposal to you and release the money to you as the next of kin or relation to the deceased for safety and subsequent disbursement since nobody is coming for it and we don't want this money to go into the Bank treasury as unclaimed bills. Do not view this as been illegal but an opportunity for us to help enrich our hope in life instead of the bank converting this much money to the security funds.You should not nurse any atom of fear as all required arrangements have been made for the smooth transfer of this funds and your acceptance is what will crown this effort.

We will conclude this operation within 14 banking days based on the amount of coperation you will contribute.

Thank you for your understanding as i await your urgent response to enable me give you more details don't forget to give me those informations below to enable me know you very well before we can go ahead in this business,

Your International passport or ID card............ Your private telephone number........................ Your profession................................................ Your age........................................................... Your country....................................................

Your’s faithfully Dr Azizan Coker

POST SCRITUM:You have to keep everything secret as to enable the transfer to move very smoothly in to the account you will prove to the bank.

Tuesday, March 27 2007

Obfuscation and Spam Bots: Update

Sven Vetsch/Disenchant has just sent me an email with the Vigenère version of the obfuscation script. This version is quite cute, but it's true that the public key is not secure enough... let's work on another version with public and private keys!

You can find Disenchant's script here.

Obfuscation and Spam Bots

Always on the same subject, spam bots: I was thinking that obfuscation would be a good way to stop them. So I first started playing with reversed strings. Even if it may be obvious to a bot, I'm pretty sure it is still harder to defeat than the previous technique, which an intelligent parser with no JavaScript support could almost get past.

So this version is quite simple:

<script type="text/javascript">
String.prototype.reverse = function() { return this.split('').reverse().join(''); };
function reverseNames() {
	var formElements = document.forms[0].elements;
	for (var i = 0; i < formElements.length; i++) {
		// Only rename controls that carry a name; an unnamed submit button is left alone.
		if (formElements[i].name) {
			formElements[i].name = formElements[i].name.reverse();
		}
	}
	// No explicit submit() here: the browser submits the form itself once this
	// onsubmit handler returns, with the restored field names.
}
</script>
...
<form method="post" action="check.php" onsubmit="reverseNames()">
	<label for="emanresu">&#8238;emanresu&#8236;</label> <input type="text" id="emanresu" name="emanresu" />   <br />

You can find the running example here.
While we are talking about obfuscation/crypto: since there are only a few parameters to obfuscate/encrypt, maybe a Vigenère algorithm would be nice...

Note that the string 'username' never appears in the HTML page. If you want to display 'username' anyway, you can use the character &#8238; (U+202E, right-to-left override), which makes the browser render the following text reversed; close it with &#8236; (U+202C, pop directional formatting) so the override does not leak into the rest of the line.
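As an added example (not code from the original post, and not Disenchant's script mentioned in the update above), here is the same "rename the fields at submit time" idea with a Vigenère transform in place of the string reversal, together with the check the server side (check.php in the post) has to perform. The key, the field names and the function names are my own choices:

```javascript
// Added example: Vigenère-renamed form fields plus the server-side check.
// The key, field names and helper names are assumptions of this example.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz';

// Vigenère over a-z only; other characters pass through unchanged, so a name
// such as "login_1" keeps its digits and underscores. The key index only
// advances on letters, so encrypt and decrypt stay in step.
function vigenere(text, key, decrypt) {
  let out = '', k = 0;
  for (const ch of text) {
    const i = ALPHABET.indexOf(ch);
    if (i < 0) { out += ch; continue; }
    const shift = ALPHABET.indexOf(key[k++ % key.length]);
    out += ALPHABET[(i + (decrypt ? 26 - shift : shift)) % 26];
  }
  return out;
}

// Fields the server actually expects.
const REAL_FIELDS = ['username', 'password'];
// Assumed key. It is embedded in the page, so it is obfuscation, not a secret.
const KEY = 'lemon';

// What the HTML carries: the obfuscated names. A bot that posts the form
// without running the script sends exactly these.
function htmlFieldNames() {
  return REAL_FIELDS.map(n => vigenere(n, KEY, false));
}

// What the onsubmit handler does in the browser: restore the real names.
function restoreNames(postedNames) {
  return postedNames.map(n => vigenere(n, KEY, true));
}

// Server side: accept only if every expected field arrived under its real
// name and none of the obfuscated names leaked through unchanged.
function acceptSubmission(post) {
  const names = Object.keys(post);
  return REAL_FIELDS.every(f => names.includes(f)) &&
         !htmlFieldNames().some(o => names.includes(o));
}
```

Because the key sits in the page next to the script, the "public and private key" follow-up the update talks about cannot change the security picture: whatever transform the browser applies, a bot that runs the page's JavaScript applies it too. The value of the scheme is only that it fails for bots that do not execute scripts.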

Friday, March 23 2007

Prevent spam bots on a phpBB2

I have already talked about techniques to prevent spam bots from registering or posting somewhere. Even though I think a good solution is to create a session ID with JavaScript, I was a bit stuck with phpBB2 because of its template engine: I cannot easily write a JavaScript snippet into the page dynamically.

So the solution I used is simply to create a CAPTCHA-like field that is written into the page by JavaScript, such as:

document.write("<input type='hidden' name='persoCaptcha' value='" + generateStaticKeyWord() + "' />");

Then I check for this value in the PHP script.

Fairly simple, but it seems to work without much modification of the phpBB2 forum... Here is a list of the spam bots I detected with this technique on a forum. Even if this technique works for now, I will have to use a better one...

Wednesday, January 31 2007

How to prevent spammer bots?

There are many ways to prevent spam, from Bayesian (statistical) tests to the basic CAPTCHA... But we all know that image CAPTCHAs can be bypassed by OCR; even if it can be quite tough, there is software and there are articles on it (example here).
Well, let's talk about two other ways:

1. JavaScript version

Assuming that robots do not interpret JavaScript (which is probably true for most bots), it would be nice to have a hidden field filled in by JavaScript. Such a script is quite simple to write:

var W3CDOM = !!document.createElement;
var inputInserted = false;
function addInput() {
	if (!W3CDOM || inputInserted)
		return;
	// create the hidden input
	var hiddenInput = document.createElement('input');
	hiddenInput.type = "hidden";
	hiddenInput.name = "testBrowser";
	hiddenInput.value = "success";
	// now add the input to the form in the DOM, so it is posted with the rest
	document.forms[0].appendChild(hiddenInput);
	inputInserted = true;
}

Then, on the server, you test that GET/POST['testBrowser'] == 'success'. The input that triggers the script looks like this (onfocus rather than onclick, so that a user who reaches the field with the keyboard instead of the mouse also inserts the hidden field):

<input type="text" name="OneOfMyFields" onfocus="addInput()" />

2. Script generated form

The idea is to create a form whose single input exists in several instances, let's say:

<input class='c1' type="text" name="login_1" value="" />
<input class='c2' type="text" name="login_2" value="" />
<input class='c3' type="text" name="login_3" value="" />

With your script, you pick a 'random' number from 1 to 3 and generate the matching CSS (hide the instances that were not chosen). The script stores the random number in a cookie/the session/JavaScript, then checks the submitted values against it.
If an input other than the chosen one has been filled in, then this was most likely an automated submission...

These techniques are absolutely not perfect: for the first one, the assumption is quite weak, I mean it is not too hard to build a bot that handles JavaScript/CSS/DOM, etc.; and for the second, 3 inputs are not enough, you need at least 30 for a representative level of trust.
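As an added example (not code from the original post, and not the PHP the author used for phpBB2), here is the server-side validation for both techniques above, and for the hidden-field trick of the phpBB2 post, written as pure functions so it can be exercised without a browser or a PHP session. The three-instance layout, the field names testBrowser and login_N and the value 'success' follow the post; the seeded choice, the helper names and the sample submissions are my own:

```javascript
// Added example: render-time and submit-time logic for the two techniques.
// Session layout, helper names and sample submissions are assumptions.

const INSTANCES = 3;

// Technique 2, render time: pick the instance a human will actually see,
// remember it in the session, and emit CSS that hides the other instances.
// `chosen` is 1..INSTANCES; the caller draws it, e.g.
// 1 + Math.floor(Math.random() * INSTANCES).
function renderLoginInstances(session, chosen) {
  session.loginInstance = chosen;
  let css = '<style>';
  let inputs = '';
  for (let i = 1; i <= INSTANCES; i++) {
    if (i !== chosen) css += `.c${i}{display:none}`;
    inputs += `<input class="c${i}" type="text" name="login_${i}" value="" />\n`;
  }
  return css + '</style>\n' + inputs;
}

// Submit time. `post` is the decoded request body as a plain object.
function classifySubmission(session, post) {
  const reasons = [];
  // Technique 1: the hidden field only exists if the script ran.
  if (post.testBrowser !== 'success') {
    reasons.push('no testBrowser field: script did not run');
  }
  // Technique 2: only the visible instance may carry a value. A bot that
  // fills every field it finds in the markup also fills the hidden ones,
  // while a human cannot type into a field that is not displayed.
  const chosen = session.loginInstance;
  for (let i = 1; i <= INSTANCES; i++) {
    const value = (post[`login_${i}`] || '').trim();
    if (i === chosen && value === '') reasons.push(`visible field login_${i} left empty`);
    if (i !== chosen && value !== '') reasons.push(`hidden field login_${i} was filled`);
  }
  return { human: reasons.length === 0, login: post[`login_${chosen}`], reasons };
}
```

The arithmetic behind the "you need at least 30" remark: a bot that fills every instance always fails, but a bot that fills exactly one instance chosen at random passes with probability 1/INSTANCES, and a bot that evaluates the CSS sees which instance is displayed and passes every time.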

I <3 Bots!