Spammers Using Soft Hyphen To Hide Malicious URLs 162
Trailrunner7 writes with this excerpt from ThreatPost illustrating the ongoing Spy-vs.-Spy battle between spammers and the rest of us:
"Spammers have jumped on the little-used soft hyphen (or SHY character) to fool URL filtering devices. According to researchers, spammers are larding up URLs for sites they promote with the soft hyphen character, which many browsers ignore. Spammers aren't shy about jumping humans flexible cognitive abilities to slip past the notice of spam filters (H3rb41 V14gr4, anyone?). ... The latest trend involves the use of an obscure character called the soft hyphen or 'SHY' character to obscure malicious URLs in spam messages. Writing on the Symantec Connect blog, researcher Samir Patil said that the company has seen recent spam messages that insert the HTML symbol for the soft hyphen to obfuscate URLs for Web pages promoted by the spammers."
So how often is it used legitimately? (Score:5, Interesting)
Is there any good reason not to just call the presence of soft hyphens as a reliable indicator of spam and use it as the basis of a spam filter?
Obligatory Kajagoogoo (Score:0, Interesting)
Tongue-tied, (I'm) short of breath, don't even try
Try a little harder
Something's wrong, you're not naive, you must be strong
Ooh, baby, try
Hey girl, move a little closer.
You're
CHORUS:
Too shy shy
Hush hush, eye to eye
Too shy shy
Hush hush, eye to eye
Too shy shy
Hush hush, eye to eye
Too shy shy
Good News! (Score:3, Interesting)
So now spam filters will pick up on soft hyphens used in URIs inside emails (when was the last time you saw one used legitimately?), making the spam easier to spot.
Re:H3rb41 V14gr4? (Score:3, Interesting)
I never understood how it actually worked, except as you suggested, the script kiddy crowd are heavily in to giving money to strangers in exchange for uber zomg epic sexual prowess.
Maybe I'm old fashioned, but I'm kind of reluctant to whip out my credit card to buy something from a company that employs mittens-wearing illiterates to write their adverts. Sure I'll eat at a Chinese restaurant with an amusingly translated menu, but that's a little different.
Re:So how often is it used legitimately? (Score:3, Interesting)
I would think most spam filters would do that automatically as they learn.
Symantec seems to think people still use character-for-character text matching spam filters that don't learn. Maybe Symantec products do.
Re:So how often is it used legitimately? (Score:2, Interesting)
Re:So how often is it used legitimately? (Score:3, Interesting)
Implementations of the DNS protocols must not place any restrictions on the labels that can be used. In particular, DNS servers must not refuse to serve a zone because it contains labels that might not be acceptable to some DNS client programs.