is this a buffer overflow email html attack??

  • Thread starter: Englander
frans said:
<a hrefbarbecuedhref=http://brooder.com

Just a trick, I think, to evade anti-spam tools. It appears that at
least IE 6 and Mozilla will happily ignore the junk-characters and parse
this as a valid anchor href.

They never learn.

I believe that that *is* the point. They obfuscate to avoid the filters,
yet retain functionality. If the browsers' HTML parsers fell down on
those junk-characters, the spammers wouldn't be able to use that
form of obfuscation because of the loss of functionality that it incurs.
 
I believe that that *is* the point. They obfuscate to avoid the filters,
yet retain functionality. If the browsers' HTML parsers fell down on
those junk-characters, the spammers wouldn't be able to use that form of
obfuscation because of the loss of functionality that it incurs.

That must depend on the failure mode of the software, does it terminally
crash noticeably to the user or what I thought it might do is fail
gracefully but for example go to the reference and execute whatever the
default page is there... or similar potential backdoor.

Having read about "web bugs" in another article here I see the use of just
getting the HTML loaded in some duff (by this I mean it is almost as
though it is purposefully written to give hackers/spammers a nice entry
point by not allowing simple options like view source of email as an
optional default view) browser like Outlook Express simply to validate
email addresses for future sale to other spammers and own use.

Thanks for the comments.
 
Someone posted this a few days ago.

http://www.jgc.org/tsc/

It tells about some of the tricks spammers use to obfuscate yet retain
functionality of clickable links.

That must depend on the failure mode of the software, does it terminally
crash noticeably to the user or what I thought it might do is fail
gracefully but for example go to the reference and execute whatever the
default page is there... or similar potential backdoor.

Nah ~ I think this is just smoke and mirrors. You are however correct
in assuming that spammers will use (and have likely in the past used)
actual exploits such as buffer overruns to attain their goals. Look at
the recent trend in spam ~ they're not even really serious about leads
to customers -- it's just vandalism now.

Having read about "web bugs" in another article here I see the use of just
getting the HTML loaded in some duff (by this I mean it is almost as
though it is purposefully written to give hackers/spammers a nice entry
point by not allowing simple options like view source of email as an
optional default view) browser like Outlook Express simply to validate
email addresses for future sale to other spammers and own use.

A bounce by any program other than the Mailer-Daemon probably
gives validity to the addresses too because it is not usually done in a
timely manner - but they don't use valid return addresses anymore
either so the "bounce" becomes just another address bothered.
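
A filter-side check for the junk-attribute trick discussed in this thread, as an added example that is not part of any post: it parses a message body the tolerant way and reports `<a>` attributes that look like a disguised `href`. The names `AnchorAudit`, `audit_html` and `KNOWN_A_ATTRS` are assumptions made for this sketch, and the sample markup is constructed from the fragment quoted at the top of the thread (with the closing `>` added).

```python
from html.parser import HTMLParser

# Attributes normally seen on <a>; anything else carrying a URL is suspect.
# (Assumed allow-list for this example, not taken from the thread.)
KNOWN_A_ATTRS = {"href", "name", "id", "class", "style", "title", "target", "rel"}


class AnchorAudit(HTMLParser):
    """Collect <a> attributes that look like an obfuscated href."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling us.
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href":
                continue
            value = (value or "").strip()
            # Case 1: "href" padded with junk, e.g. hrefbarbecuedhref=...
            junk_name = "href" in name
            # Case 2: an unexpected attribute whose value is a web URL.
            url_value = value.lower().startswith(("http://", "https://"))
            if junk_name or (url_value and name not in KNOWN_A_ATTRS):
                self.findings.append((name, value))


def audit_html(body):
    """Return a list of (attribute_name, value) pairs worth flagging."""
    parser = AnchorAudit()
    parser.feed(body)
    parser.close()
    return parser.findings


# Constructed samples: the first mirrors the fragment quoted in the thread.
JUNK = "<a hrefbarbecuedhref=http://brooder.com>click here</a>"
ODD = "<A xyz=https://example.net/>offer</A>"
CLEAN = '<a href="http://example.com/" title="Example">ok</a>'

if __name__ == "__main__":
    for sample in (JUNK, ODD, CLEAN):
        print(sample, "->", audit_html(sample))
```

A filter that only searches for the literal text `href=` preceded by whitespace would not match the first sample, while this check reports the padded attribute name and its URL.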
 