#1
Re: New .PDF malware (?)
kurt wismer wrote:
> > How many mass-market PC's (Dell, Gateway, etc) come with
> > Acrobat installed? (just wondering)
>
> how can i explain to you what a stupid question that is?

You are stupid for mis-interpreting it.

> acrobat is a program that *A LOT* of people install after
> getting their computers

No shit sherlock. That's not the answer to my question.

> no, you have to click on it - which people who deal with pdf's
> have been trained to do... i'm sorry if pdf's are foreign to
> you, but that's how people interact with pdf's in the real world

Don't be a smart-ass. The point I'm making is that if you're a spammer, you want your recipients to see your shit. People are MORE prone to NOT click on something in e-mail, more so than they are PRONE to act like a trained dog and click on an attachment just because it's a PDF.

> > All the zombies that just spewed that useless e-mail
> > have now been blacklisted on various RBL's.
>
> ???? more misunderstanding... if you blacklisted every domain

RBL's don't black-list domains

> (or even just ip's) with zombies on them you'd wind up
> blacklisting every isp in existence... rbl's don't do
> that because they know it's pointless...

DNSRBL's do exactly that. They blacklist IP addresses. Individual IP addresses.

> isp's try to stomp out the zombies on their networks

These days, few if any ISP's do that.

> >> and yet ocr spam filters have been effective against
> >> many of those image spam techniques...
> >
> > Can you point to any web-resource that corroborates that
> > statement?
>
> http://www.virusbtn.com/spambulletin...sb200611-image

Interesting page, but I see no examples of slightly-rotated text that is common in most image spams these days. I'm looking at a recent spam where the background is multi-hued blue and the text is in red letters (Discount Pharmacy online), the drug names are in white (Viagra, Cialis, Ambien, etc) and the prices are in orange-yellow ($2.00 mostly).

As these images come closer to replicating captcha, the OCR software will have no chance.
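The point made above (and picked up again in #3 below) is that a DNSBL lists individual addresses, not domains, and that some lists also report whether an address sits in a dynamic or residential range. The following is an added example, not code from this thread or from any list operator, of how a mail server does that lookup: reverse the address labels, prepend them to the list's zone, and read the meaning out of the 127.0.0.x answer. The zone name and the return-code table are assumptions for the example (they follow Spamhaus's published ZEN codes, which may change); the resolver is injected so the example runs offline against a constructed answer table.

```python
"""Check one sending IP against a DNS-based blocklist (DNSBL).

Added example; assumptions: the zone "zen.spamhaus.org" and the
return-code table below. NXDOMAIN means "not listed"; a 127.0.0.x
answer says which sub-list matched. Anything else is a broken lookup.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

ZONE = "zen.spamhaus.org"  # assumed zone for the example

# Assumed return codes: answer -> (sub-list, meaning). 127.0.0.10/11 are
# the PBL, a *policy* listing: the range is declared dynamic/end-user and
# should never deliver mail directly. That is the "status of an IP" lookup
# the thread describes, not evidence that this particular host spammed.
RETURN_CODES = {
    "127.0.0.2": ("SBL", "known spam source"),
    "127.0.0.3": ("SBL", "CSS: snowshoe / compromised sender"),
    "127.0.0.4": ("XBL", "exploited host"),
    "127.0.0.5": ("XBL", "exploited host"),
    "127.0.0.6": ("XBL", "exploited host"),
    "127.0.0.7": ("XBL", "exploited host"),
    "127.0.0.10": ("PBL", "ISP-declared dynamic/end-user range"),
    "127.0.0.11": ("PBL", "Spamhaus-declared dynamic/end-user range"),
}


@dataclass
class Verdict:
    ip: str
    query: str
    listed: bool
    sublist: Optional[str] = None
    note: str = ""


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """203.0.113.7 -> 7.113.0.203.zen.spamhaus.org (IPv6 uses reversed nibbles)."""
    rp = ipaddress.ip_address(ip).reverse_pointer  # "...in-addr.arpa" / "...ip6.arpa"
    labels = rp.rsplit(".", 2)[0]                   # drop the two arpa labels
    return f"{labels}.{zone}"


def check_ip(ip: str, resolve: Callable[[str], Optional[str]], zone: str = ZONE) -> Verdict:
    """resolve(name) returns the A record as a string, or None for NXDOMAIN."""
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    if answer is None:
        return Verdict(ip, name, False, note="not listed")
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return Verdict(ip, name, False, note=f"unparseable answer {answer!r}")
    if addr not in ipaddress.ip_network("127.0.0.0/8"):
        # A resolver that wildcards NXDOMAIN (or a hijacked path) hands back a
        # public address; treating that as "listed" would reject all mail.
        return Verdict(ip, name, False, note=f"non-loopback answer {answer}, lookup unusable")
    sub, meaning = RETURN_CODES.get(answer, ("?", "listed, unknown sub-list"))
    return Verdict(ip, name, True, sub, meaning)


def reject_at_smtp(v: Verdict) -> bool:
    """Policy: refuse any listed address. PBL hits are policy, not proof, so an
    operator may exempt them for authenticated submission ports; this example
    applies the thread's position and rejects them too."""
    return v.listed


# Constructed answer table standing in for live DNS (no network needed).
FAKE_DNS = {
    "7.113.0.203." + ZONE: "127.0.0.4",       # a bot: XBL
    "9.113.0.203." + ZONE: "127.0.0.10",      # residential dynamic range: PBL
    "200.113.0.203." + ZONE: "198.51.100.1",  # resolver wildcarding NXDOMAIN
}


def offline_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.9", "203.0.113.1", "203.0.113.200"):
        print(check_ip(ip, offline_resolve))
```

A live deployment swaps `offline_resolve` for a real resolver call; the non-loopback check stays, because a single misbehaving resolver otherwise turns the list into a reject-everything rule.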
#2
Re: New .PDF malware (?)
Virus Guy wrote:
> kurt wismer wrote:
>
>>> How many mass-market PC's (Dell, Gateway, etc) come with
>>> Acrobat installed? (just wondering)
>> how can i explain to you what a stupid question that is?
>
> You are stupid for mis-interpreting it.
>
>> acrobat is a program that *A LOT* of people install after
>> getting their computers
>
> No shit sherlock. That's not the answer to my question.

because the question illustrates what emerson was talking about in his famous quote about a foolish consistency... while it is generally true that a dependency on software that didn't come pre-installed hurts one's success rates, it's not always true... moreover it's not the only part of the equation the spammers are looking at... as good or bad as client-side anti-spam may be, gateway filters take huge chunks out of the pool of potential recipients so the balance between ease of use by the recipient and obfuscation from the filters is shifting to favour obfuscation...

>> no, you have to click on it - which people who deal with pdf's
>> have been trained to do... i'm sorry if pdf's are foreign to
>> you, but that's how people interact with pdf's in the real world
>
> Don't be a smart-ass. The point I'm making is that if you're a
> spammer, you want your recipients to see your shit.

and the point i'm making is that acrobat is virtually standard *in spite* of not necessarily coming pre-installed...

> People are MORE
> prone to NOT click on something in e-mail, more so than they are PRONE
> to act like a trained dog and click on an attachment just because it's
> a PDF.

spammers have always had a poor penetration rate with their advertisements... if the new obfuscation reduces it they'll just do what they've always done - make it up on volume...

>>> All the zombies that just spewed that useless e-mail
>>> have now been blacklisted on various RBL's.
>> ???? more misunderstanding... if you blacklisted every domain
>
> RBL's don't black-list domains
>
>> (or even just ip's) with zombies on them you'd wind up
>> blacklisting every isp in existence... rbl's don't do
>> that because they know it's pointless...
>
> DNSRBL's do exactly that. They blacklist IP addresses. Individual IP
> addresses.

yeah, that's real useful in the dynamic ip world of home users where most zombies are found...

>> isp's try to stomp out the zombies on their networks
>
> These days, few if any ISP's do that.

in my part of the world they do...

>>>> and yet ocr spam filters have been effective against
>>>> many of those image spam techniques...
>>> Can you point to any web-resource that corroborates that
>>> statement?
>> http://www.virusbtn.com/spambulletin...sb200611-image
>
> Interesting page, but I see no examples of slightly-rotated text that
> is common in most image spams these days. I'm looking at a recent
> spam where the background is multi-hued blue and the text is in red
> letters (Discount Pharmacy online), the drug names are in white
> (Viagra, Cialis, Ambien, etc) and the prices are in orange-yellow
> ($2.00 mostly).
>
> As these images come closer to replicating captcha, the OCR software
> will have no chance.

well, i'm no ocr spam filter developer... i just see a bunch of techniques that one might naively assume would foil ocr but which ocr has none-the-less overcome so when you say that rotation is one that ocr *can't* overcome i'll have to take a page out of your book and ask if you've got a web-resource that corroborates that statement... (and frankly, when i was working in face recognition, slight rotation was not a problem so i don't see why it should be a problem for character recognition)

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
#3
Re: New .PDF malware (?)
kurt wismer wrote:
> >>> How many mass-market PC's (Dell, Gateway, etc) come with
> >>> Acrobat installed? (just wondering)
> >> acrobat is a program that *A LOT* of people install after
> >> getting their computers
> > No shit sherlock. That's not the answer to my question.
> because the question illustrates what emerson ....

The question stands on its own and is separate from the implications of its answer.

> foolish consistency...

Which you exhibit constantly.

> and the point i'm making is that acrobat is virtually standard
> *in spite* of not necessarily coming pre-installed...

PDF's are still an ergonomically poor way to convey spam payload given the lack of automatic rendering. They may be in use now because the PDF format is somewhat proprietary. Commercial server and client-side filter software may not have permission or the license from Adobe to implement PDF decoding routines that are necessary for content inspection (but you would think it would be in Adobe's best interest to provide it to them gratis).

> spammers have always had a poor penetration rate with their
> advertisements... if the new obfuscation reduces it they'll
> just do what they've always done - make it up on volume...

Volume is not necessarily something they can increase whenever they want. Presumably they are always operating at 100% of their volume capability anyways.

> > DNSRBL's do exactly that. They blacklist IP addresses.
> > Individual IP addresses.
>
> yeah, that's real useful in the dynamic ip world of home
> users where most zombies are found...

If you want to run an RBL that people will use and trust not to give them false positives, you have no choice but to track spam sources at the individual IP level. I believe that there are RBL's that will return the status of an IP (whether it lies in a static or dynamic range assignment, or whether it belongs to a residential ISP) which a mail server can use as the basis to block mail from said IP.

> >> isp's try to stomp out the zombies on their networks
> >
> > These days, few if any ISP's do that.
>
> in my part of the world they do...

Then why don't they block port-25 on their outbound? Why are the big US cable and telco providers of residential internet service still the biggest sources of trojanized spam bots? If they don't block port-25, why can't they at least detect spam runs as they happen, and put rate limits on them? Why can't they detect a spam run in progress by looking for inordinate amounts of MX lookups being made by an infected customer?

What exactly does a given ISP do when they learn about spam being emitted by one of their several-million customers? Do they call the customer? Send them an e-mail? Perform an on-site service call? Please explain what happens in your part of the world.
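The post above asks why an ISP cannot spot a spam run from the flood of MX lookups an infected customer makes. The following added example, not code from the thread or from any ISP, shows the detection logic run over a constructed resolver log: a zombie that delivers straight to recipients' mail exchangers must resolve one MX record per destination domain, so a residential client asking for dozens of distinct MX records inside a minute stands out, while a client that relays through the ISP's smarthost never needs MX records at all. The log format ("<iso-timestamp> <client-ip> <qtype> <qname>"), the threshold and the log lines themselves are assumptions made for the example.

```python
"""Flag a spam run in an ISP resolver log by MX-lookup fan-out.

Added example. Counting *distinct* destination domains rather than raw
query volume keeps a host stuck in a retry loop against one domain from
being flagged alongside a bot working through a recipient list.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
MAX_DISTINCT_DOMAINS = 15   # assumed threshold; a home MTA rarely reaches this in a minute


def parse_line(line: str):
    """Assumed log format: "<iso-timestamp> <client-ip> <qtype> <qname>"."""
    ts, client, qtype, qname = line.split()
    return datetime.fromisoformat(ts), client, qtype.upper(), qname.lower().rstrip(".")


def detect_spam_runs(lines, window=WINDOW, max_domains=MAX_DISTINCT_DOMAINS):
    """Return one alert per client, raised the first time its MX fan-out
    (distinct domains queried inside `window`) exceeds `max_domains`."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, domain) in the window
    alerts, alerted = [], set()
    for line in lines:
        ts, client, qtype, qname = parse_line(line)
        if qtype != "MX":
            continue               # A/AAAA/PTR traffic says nothing about direct delivery
        q = recent[client]
        q.append((ts, qname))
        while q and ts - q[0][0] > window:
            q.popleft()            # slide the window forward
        domains = {d for _, d in q}
        if len(domains) > max_domains and client not in alerted:
            alerted.add(client)
            alerts.append({"client": client, "at": ts.isoformat(),
                           "mx_queries": len(q), "distinct_domains": len(domains)})
    return alerts


def constructed_log():
    """Constructed resolver log (not real data): one bot, one retry loop, one user."""
    t0 = datetime(2007, 8, 17, 10, 0, 0)

    def at(s):
        return (t0 + timedelta(seconds=s)).isoformat()

    lines = []
    for i in range(40):                        # bot: a new destination domain every second
        lines.append(f"{at(i)} 10.0.5.21 MX victim{i:02d}.example")
    for i in range(40):                        # misconfigured host retrying one domain
        lines.append(f"{at(i)} 10.0.5.30 MX mail.example.org")
    lines += [f"{at(3)} 10.0.5.2 A www.example.net",   # ordinary user
              f"{at(4)} 10.0.5.2 MX example.net",
              f"{at(30)} 10.0.5.2 MX example.com"]
    return sorted(lines)                       # ISO timestamps sort lexically


if __name__ == "__main__":
    for alert in detect_spam_runs(constructed_log()):
        print(alert)
```

The alert is the trigger for whatever response the ISP chooses (rate-limiting port 25 for that client, or the cut-off-and-call approach described later in the thread); the detector itself only needs the resolver's query log.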
#4
Re: New .PDF malware (?)
On Aug 17, 2007, Virus Guy wrote:
> PDF's are still an ergonomically poor way to convey spam payload given
> the lack of automatic rendering. They may be in use now because the
> PDF format is somewhat proprietary. Commercial server and client-side
> filter software may not have permission or the license from Adobe to
> implement PDF decoding routines that are necessary for content
> inspection (but you would think it would be in Adobe's best interest
> to provide it to them gratis).

I'm pretty certain the PDF specification is open to the public.
#5
Re: New .PDF malware (?)
ok, maybe i can explain this in a simpler way...
first: a spammer has 2 choices, he can make his spam more readable so that the people who do manage to receive it don't have to put as much work into reading it, or he can make his spam more obfuscated so that it gets past filters and reaches more inboxes... while better readability is no guarantee of greater sales, less reach *is* a guarantee of fewer sales...

second: while pdf viewers may not be technically a standard part of the os they are *effectively* a standard part of the os... just as flash-based ads on the web are effective despite flash not coming pre-installed, pdf-based spam can be effective without acrobat coming pre-installed... when it comes to formats this popular the question of whether the reader comes pre-installed simply does not matter...

Virus Guy wrote:
> kurt wismer wrote:
[snip]
>> and the point i'm making is that acrobat is virtually standard
>> *in spite* of not necessarily coming pre-installed...
>
> PDF's are still an ergonomically poor way to convey spam payload given
> the lack of automatic rendering. They may be in use now because the
> PDF format is somewhat proprietary. Commercial server and client-side
> filter software may not have permission or the license from Adobe to
> implement PDF decoding routines that are necessary for content
> inspection (but you would think it would be in Adobe's best interest
> to provide it to them gratis).

no, the pdf format is more open than that... pdf is used as a spam obfuscation technique simply because it's novel enough that existing filters didn't have any handling for it yet...

>> spammers have always had a poor penetration rate with their
>> advertisements... if the new obfuscation reduces it they'll
>> just do what they've always done - make it up on volume...
>
> Volume is not necessarily something they can increase whenever they
> want. Presumably they are always operating at 100% of their volume
> capability anyways.

ummm, no... increasing volume can be as easy as building a bigger botnet...

[snip]

>>>> isp's try to stomp out the zombies on their networks
>>> These days, few if any ISP's do that.
>> in my part of the world they do...
>
> Then why don't they block port-25 on their outbound? Why are the big
> US cable and telco providers of residential internet service still the
> biggest sources of trojanized spam bots? If they don't block port-25,
> why can't they at least detect spam runs as they happen, and put rate
> limits on them? Why can't they detect a spam run in progress by
> looking for inordinate amounts of MX lookups being made by an infected
> customer?
>
> What exactly does a given ISP do when they learn about spam being
> emitted by one of their several-million customers? Do they call the
> customer? Send them an e-mail? Perform an on-site service call?
> Please explain what happens in your part of the world.

they cut off the customer's internet access... when the customer calls to complain they inform the customer why their access was cut off and tell them what they need to do to get it turned back on... the customer may or may not be successful at removing the bot but with the internet access cut off the zombie has been removed from the network... someone i used to work with encountered this very situation with a large isp known as rogers... i understand that at least one 'solution' provider has developed technology that would give isp's the power to let such affected customers connect in a restricted fashion such that the only thing they'd be able to do would be download tools the isp made available for correcting the problem... unfortunately i can't think of the name right now...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
#6
Re: New .PDF malware (?)
Fenton wrote:
> I'm pretty certain the PDF specification is open to the public.

But do AV vendors have the ability to incorporate PDF decoding routines into their software without paying Adobe for a license fee?
#7
Re: New .PDF malware (?)
Kurt wismer wrote:
> first:
> a spammer has 2 choices, he can make his spam more readable

but more filterable

> or he can make his spam more obfuscated

less likely to be auto-filtered, but also less likely to be opened

> while better readability is no guarantee of greater sales,
> less reach *is* a guarantee of fewer sales...

Reach is a function of the size of a spam run. That being equal, it becomes a question as to what spam will suffer more from filtering vs from failure to open the attachment.

> while pdf viewers may not be technically a standard part of
> the os they are *effectively* a standard part of the os...
> just as flash-based ads on the web are effective despite
> flash not coming pre-installed,

Poor example. Flash content is (usually) auto-rendered on a web page. PDF content is NOT auto-rendered as a component of a page being viewed.

> pdf-based spam can be effective without acrobat coming
> pre-installed...

And if it remains un-installed on a given system - what then?

> when it comes to formats this popular the question of whether
> the reader comes pre-installed simply does not matter...

You are not correctly appraising the importance or exposure of the PDF format to the typical person who responds to spam. I could say that people who knowingly install acrobat on their systems probably belong to the demographic of people who are least likely to act on or respond to spam.
#8
Re: New .PDF malware (?)
In article <46C8676A.F67502BF@Guy.com>, Virus@Guy.com says...
> Fenton wrote:
>
>> I'm pretty certain the PDF specification is open to the public.
>
> But do AV vendors have the ability to incorporate PDF decoding
> routines into their software without paying Adobe for a license fee?

Our email filtering system, GFI Mail Essentials and Security, catches the malware in them, and they don't appear to be licensed with Adobe.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion with Porn and Filth. Just take a look at some of the FILTH he's created and put on his website: http://www.webservertalk.com/message1907860.html 3rd link shows what he's exposed to children (the link I've included does not directly display his filth). You can find the same information by googling for 'PCBUTTS1' and 'exposed to kids'.
#9
Re: New .PDF malware (?)
Leythos wrote:
> Our email filtering system, GFI Mail Essentials and Security
> catches the malware in them, and they don't appear to be
> licensed with Adobe.

Perhaps the recent PDF malware can be detected without implementing a complete PDF decoding/rendering engine.
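The suggestion above, that PDF attachments can be screened without a full decoder, is the approach a gateway filter would actually take. The following is an added example, not code from this thread, from GFI or from Adobe: it triages a PDF from its object syntax and inflated content streams alone, flagging active content (/OpenAction, /JavaScript, /Launch and friends, which a spam filter has no reason to let through), image-only pages with no text-showing operators (the image-spam pattern the thread discusses, moved inside a PDF), and streams it cannot decode (which deserve a human or a sandbox, not a pass). The PDF samples are constructed inline, and the parser is deliberately minimal (regex over objects, direct /Length only), so it is triage, not a conforming PDF reader; real files use indirect lengths, object streams and filter chains that a production filter must handle.

```python
"""Triage a PDF attachment without rendering it (added example)."""
import re
import zlib

ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA", b"/EmbeddedFile")
OBJ_RE = re.compile(rb"(\d+) 0 obj\s*(.*?)\s*endobj", re.S)   # toy: binary data containing "endobj" would break this
TEXT_OP_RE = re.compile(rb"(?<![A-Za-z])(Tj|TJ)(?![A-Za-z])")  # text-showing operators


def _stream_obj(entries: bytes, data: bytes) -> bytes:
    return b"<< %s /Length %d >>\nstream\n%s\nendstream" % (entries, len(data), data)


def build_pdf(objects) -> bytes:
    """Assemble numbered objects into a PDF with a correct xref table."""
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for i, body in enumerate(objects, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref)
    return bytes(out)


def make_sample(kind: str) -> bytes:
    """Constructed samples: "image" (image-spam pattern), "text", "js", "corrupt"."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R >>"
    pages = b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"
    page = (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Resources "
            b"<< /XObject << /Im0 5 0 R >> /Font << /F1 6 0 R >> >> /Contents 4 0 R >>")
    image = _stream_obj(b"/Type /XObject /Subtype /Image /Width 2 /Height 2 "
                        b"/ColorSpace /DeviceGray /BitsPerComponent 8", b"\x00\xff\xff\x00")
    font = b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>"
    draw_image = b"q 200 0 0 100 0 0 cm /Im0 Do Q"                  # no text operators
    draw_text = b"BT /F1 12 Tf 10 50 Td (Discount pharmacy) Tj ET"
    if kind == "text":
        content = _stream_obj(b"/Filter /FlateDecode", zlib.compress(draw_text))
    elif kind == "corrupt":
        content = _stream_obj(b"/Filter /FlateDecode", b"not really deflated")
    else:
        content = _stream_obj(b"/Filter /FlateDecode", zlib.compress(draw_image))
    if kind == "js":
        catalog = b"<< /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >>"
    objs = [catalog, pages, page, content, image, font]
    if kind == "js":
        objs.append(b"<< /S /JavaScript /JS (app.alert(1)) >>")   # benign, for detection only
    return build_pdf(objs)


def _split_stream(body: bytes):
    """Return (dictionary, stream bytes or None, ok). Reads the stream by its
    declared /Length, as a parser must; an indirect /Length is not resolved here."""
    m = re.search(rb"\bstream\r?\n", body)
    if not m:
        return body, None, True
    d = body[:m.start()]
    ln = re.search(rb"/Length\s+(\d+)(?![\d\s]*R)", d)
    if not ln:
        return d, None, False
    start = m.end()
    return d, body[start:start + int(ln.group(1))], True


def triage(pdf: bytes) -> dict:
    f = {"objects": 0, "image_xobjects": 0, "text_ops": 0, "active": [], "bad_streams": 0}
    for _num, body in OBJ_RE.findall(pdf):
        f["objects"] += 1
        d, data, ok = _split_stream(body)
        if re.search(rb"/Subtype\s*/Image\b", d):
            f["image_xobjects"] += 1
        for key in ACTIVE_KEYS:
            if re.search(re.escape(key) + rb"(?![A-Za-z])", d) and key.decode() not in f["active"]:
                f["active"].append(key.decode())
        if data is None:
            f["bad_streams"] += 0 if ok else 1
            continue
        if b"/FlateDecode" in d:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                f["bad_streams"] += 1       # undecodable: do not wave it through
                continue
        f["text_ops"] += len(TEXT_OP_RE.findall(data))
    if f["active"]:
        f["verdict"] = "active-content"
    elif f["bad_streams"]:
        f["verdict"] = "undecodable"
    elif f["image_xobjects"] and not f["text_ops"]:
        f["verdict"] = "image-only"
    else:
        f["verdict"] = "text"
    return f


if __name__ == "__main__":
    for kind in ("image", "text", "js", "corrupt"):
        print(kind, triage(make_sample(kind)))
```

Nothing here renders a page or needs Adobe's code: the format is documented, and these checks read the file as data. The image-only verdict is a spam signal, not malware detection; the active-content and undecodable verdicts are the ones a filter should treat as hard stops.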
#10
Re: New .PDF malware (?)
Virus Guy wrote:
> Kurt wismer wrote:
>
>> first:
>> a spammer has 2 choices, he can make his spam more readable
>
> but more filterable
>
>> or he can make his spam more obfuscated
>
> less likely to be auto-filtered, but also less likely to be opened
>
>> while better readability is no guarantee of greater sales,
>> less reach *is* a guarantee of fewer sales...
>
> Reach is a function of the size of a spam run. That being equal, it
> becomes a question as to what spam will suffer more from filtering vs
> from failure to open the attachment.

and gateway filters can prevent the spam from reaching entire domains...

>> while pdf viewers may not be technically a standard part of
>> the os they are *effectively* a standard part of the os...
>> just as flash-based ads on the web are effective despite
>> flash not coming pre-installed,
>
> Poor example.
>
> Flash content is (usually) auto-rendered on a web page. PDF content
> is NOT auto-rendered as a component of a page being viewed.

??? ok, so pdf content is auto-rendered as the entire page instead of just a portion, is that distinction really significant?

>> pdf-based spam can be effective without acrobat coming
>> pre-installed...
>
> And if it remains un-installed on a given system - what then?

in that unlikely event then it will not be effective...

>> when it comes to formats this popular the question of whether
>> the reader comes pre-installed simply does not matter...
>
> You are not correctly appraising the importance or exposure of the PDF
> format to the typical person who responds to spam.
>
> I could say that people who knowingly install acrobat on their systems
> probably belong to the demographic of people who are least likely to
> act on or respond to spam.

i'm going to go out on a limb here and guess that you believe that pdf's are only used by a technically sophisticated minority rather than the majority... this in spite of the fact that pdf long ago became the de facto standard for printable documents from government forms to online product documentation to press releases and reports and to bus schedules and route maps (not to mention the fact that it's a major e-book format, that sample chapters from conventional books are released in that format, and that it comes pre-installed on machines from dell)... if you *really* believe that only a technically sophisticated minority are likely to be consumers of printable documents then i don't think this need go any further...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Tags: malware, pdf