spɹɐʍʞɔɐB writing is spammers' new mail filter avoidance trick

Spammers are writing emails backwards in an attempt to sneak past spam filters, security researcher Brian Bebeau has found. The pests were using left-to-right override code intended to facilitate the use of bi-direction text, such as a document that included English and Hebrew. The Trustwave researcher said the tactic had a …


  1. Anonymous Coward
    Anonymous Coward

    There is no progress here

    On the contrary: Feels like we're going backwards.

    1. Skymonrie

      Re: There is no progress here

      I concur, the very first thing on my mind was to check the story publish date thinking there was an error which threw up an old story...

  2. FrankAlphaXII
    Unhappy

    For the love of God, don't give the shitheads that do this any ideas. I say this because your headline text is not only backwards, it is also upside down. That or I'm finally losing my mind.

    Anyway, my point is if server side anti-phishing filters can't reliably figure out backwards writing, they'll never cope with backward AND upside down text.

    1. James 51

      The B in backwards was the normal orientation. For the few people who can mirror read and write that looks quite interesting.

      1. Destroy All Monsters Silver badge
        Paris Hilton

        I read it as "Backwarps". Probably a special manoeuvre of the NCC-1701?

        1. Crisp
          Boffin

          Backwarps

          One of the few defences against the Picard Maneuver...

      2. Trigonoceps occipitalis

        Also the lower case b in the 6th paragraph. Why?

        1. Eddy Ito

          Not just the b, all the letters are normal (left to right) it's just the spelling that is reversed. In any event any spam that comes through with any quantity of abnormal text of whatever type is getting binned. How hard can it be to throw a spell checker into the filter bin? There must be something that catches misspellings like v1agra, etc. as I haven't seen one of those in quite a while. I don't remember what client I was using way back in the day but one of the filters was font color[1] so a reasonable dictionary filter should catch a good deal of this and most 419 scams as well.

          [1] Which worked nearly perfectly until certain family members who shall go unnamed decided that all the new html/rich text effects were too cool to not use and I had to do tricks to filter based on the amount of colorful text. Eventually known family email addresses had to be whitelisted but they got an autoreply of alternating #ffe080 and #c0e080 text on a #8fff00 background. Most stopped shortly after that but one thought it was fun. </facepalm>

      3. Fibbles

        For the few people who can mirror read and write

        Wait, wait, wait... You mean most people can't?

        Time to update my C.V.

        1. VinceH

          No, no, no.

          What you don't do on your CV is draw attention to the fact that you'll be able to read potentially confidential material that the boss may sometimes have on his desk.

          Well, not unless you're using psychic paper for the CV and can update it on the fly...

          "One of my abilities is to read mirrored, upside down or rotated text. Which is how I know that text message you've just glanced at before leaving your phone on your desk is from your mistress, making interesting suggestions about your rendezvous tonight - but rest assured that your wife will never find out if you give me the job..."

    2. VinceH

      " I say this because your headline text is not only backwards, it is also upside down."

      It was indeed a combination of the two. Which could also be simply referred to as "rotated".

      Except the B, as James 51 pointed out. I can usually read mirrored/rotated text without problem (provided my slowly deteriorating eyesight can make it out on someone's desk to start with, which it used to be able to, but not so well these days) - but, while I could read the word "Backwards" with no real difficulty, that B threw me. It didn't look right at all, and I just couldn't see why, until I read James' comment.

      1. Destroy All Monsters Silver badge
        Holmes

        It was indeed a combination of the two. Which could also be simply referred to as "rotated".

        More on this in Rotations, Quaternions, and Double Groups by Simon L. Altmann (1986)

        1. regman1

          Wonderful

          <i>More on this in Rotations, Quaternions, and Double Groups by Simon L. Altmann (1986</i>

          Posts like this make el Reg very worthwhile.

          (Apart from its inability to parse HTML :-( )

          1. Brewster's Angle Grinder Silver badge

            Re: Wonderful

            @regman1

            Have we dropped the requirement that commentards pass a test on elementary LIE algebra?

  3. Alister

    Phishers had also applied the tactic to sections of filenames in order to obfuscate the extension and slip malware past scanners. This meant 'PAYLOADexe.doc' would become PAYLOADcod.exe.

    I call bullshit on that one, most mail servers I have used block .exe attachments as a matter of course, so a spammer is hardly likely to rename a .doc to a .exe.

    1. Fuzz

      This is the other way round

      This is the other way round, the exe is made to look like a doc by reversing the last 7 characters of the name. However any mail scanner worth anything is going to actually scan the file to find out what the content is rather than relying on the extension.

      1. Gordon 11

        Re: This is the other way round

        However any mail scanner worth anything is going to actually scan the file to find out what the content is rather than relying on the extension.

        Probably, but I remember an attempt to send a file called "example.com", which contained a textual dump of a DNS zone and was sent with a MIME type in the header of application/text, being bounced by Outlook as it was an executable (because of the .com extension).

    2. Hans 1
      Windows

      Virus scanners detect the first bytes of a file and, when this contains MZ (amongst others, MZ means executable), will block the attachment ... regardless of the extension.

      What is this reporting ?

      The virus scanners learned it the hard way when viri-writers were sending scr files around the intertubes back in the late 90's.

      Yes, on Windows screensavers are executables, I know it is completely ff'd up, but no, we cannot say anything coz this forum is full of window cleaners. Rename the extension of any 32-bit/64-bit executable on windows to .com, .scr, or .exe and it will still run ...

      1. Destroy All Monsters Silver badge

        > we cannot say anything coz this forum is full of window cleaners

        This is not like you are a university prof in Israel talking about Gaza. Speak your mind.

      2. Alan Brown Silver badge

        "Virus scanners detect the first bytes of a file and, when this contains MZ (amongst others, MZ means executable), will block the attachment ... regardless of the extension."

        Which is why many malware payloads are .zips - and because zips are now widely scanned they've recently resorted to ARJ archives (presumably they'll move to other ancient compression formats later)

        1. Charles 9

          I thought they already moved on to encrypted ZIP archives which can't be extracted by automation since the password to decrypt them is hidden carefully in the text of the message such that computers aren't likely to make it out correctly. Furthermore, encrypted ZIPs can't be blocked out of hand since they may actually be legitimate correspondence from a coworker (which makes a spear-phishing encrypted ZIP even more plausible).

          1. Fibbles

            I thought they already moved on to encrypted ZIP archives which can't be extracted by automation since the password to decrypt them is hidden carefully in the text of the message

            Surely there comes a point at which the usual tech-illiterate victims of email malware become unable to actually open the payload?

      3. Anonymous Coward
        Anonymous Coward

        Viri writers -<i> because viruses writers doesn't sound right.</i>

  4. Anonymous Coward
    Anonymous Coward

    So...

    .... rather than meaningless drivel written in English we're going to get even more meaningless drivel written in backwards English.

    Who in their right mind is going to click on a link in something that they can't read?

    1. Screaming Temporal Doom

      Re: So...

      You've obviously never worked in local government ......

    2. Jedit Silver badge
      Facepalm

      "Who in their right mind is going to click on a link in something that they can't read?"

      The point is that you can read it. The text is only in reverse in the code; the right-to-left display algorithm returns it to the correct orientation when it displays on your screen.

    3. RyokuMas
      Stop

      Re: So...

      People fall for 419 scams.

      People believe that the person who has just rung them up about their machine being full of viruses is in fact a bona fide Microsoft employee.

      People believe that that link which will get them a free copy of a game that normally sells for a couple of dollars will actually get them the game and the game only.

      Never underestimate the human capacity to do something completely... stupid.

      1. Yugguy

        Re: So...

        Aye, add to that the people who fall for the car ads that are advertising a nearly new car for 1/2 the normal price with the tagline of "Don't call the dealer call me direct on xxxxxxxx"

        You can never plumb the depths of human greed and stupidity.

    4. Crazy Operations Guy

      Re: So...

      "Who in their right mind is going to click on a link in something that they can't read?"

      Quite a few people if you preface the link with "Free Phone/tits/games/celebrity tits/money/sluts."

      Now if someone were to come up with a game where you win money, women, new phones, or pictures of nude celebrities by navigating a pixellated bird between obstacles, we're all screwed...

    5. Fibbles

      Re: So...

      Who in their right mind is going to click on a link in something that they can't read?

      Never underestimate ignorance and naivety. I remember being 14 and receiving an email from a Nigerian prince. How my dad laughed when I tried to tell him how rich we were going to be...

  5. Anonymous Coward
    Anonymous Coward

    And of course...

    No one will be suspicious of a message from their "bank" with the text written backwards...

    1. imanidiot Silver badge

      Re: And of course...

      Problem is, people stupid enough to fall for phishing mails are not likely to be deterred by an additional oddity here and there. They'll just assume "someone made a typo" and laugh at the stupid bank while providing their email, username, password, PIN, height, weight, eyecolor, ring size, what they ate that morning and when they last took a crap.

      My point being: Stupid people will be stupid.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: And of course...

        Spammers are simply applying the Wizard's First Rule (as stated by Terry Goodkind):

        "People will believe anything, either because they want to believe it's true, or because they are afraid that it is true"

        Politicians use this all of the time!

      3. Anonymous Coward
        Anonymous Coward

        Re: And of course...

        The ultimate level of stupidity is to underestimate how stupid people can be.

    2. Blane Bramble

      Re: And of course...

      The point is the text in the email is written backwards (so scanners don't see normal keywords), but the text is wrapped in a block that tells the browser/email client that the text should be rendered right-to-left, so when it is displayed it looks normal to you, so something like (tags made up, not part of any standard I am aware of):

      In the message

      <encoding:ltr>!yenom dneS</encoding>

      But on your screen:

      Send money!

      1. MisterD

        Re: And of course...

        Spammers might as well just label their spam as spam. Bayesian classifiers will very quickly learn that a hapax like :ltr> has a 100% correlation with spam.

        1. ratfox
          Go

          Re: And of course...

          I suspect it might work here:

          Let's say I write a message ‮reporp eht sniatnoc ti fo emos dna‬ unicode control codes.

          There. Now copy/paste the sentence in bold in a terminal or a dumb text editor, and you will have a surprise.

          EDIT: Emacs displays the same text, but vi displays something else.

    3. Tascam Holiday
      Facepalm

      Re: And of course...

      The point is that the text is backwards within the source to evade spam detectors, but uses the Unicode RTL code &#202e; to force the mail program to reverse the text so that it displays in the correct order.

      1. Kubla Cant

        Re: And of course...

        I'm still puzzled about the allegedly disguised filename. The story is that the text is reversed so the scanner won't pick it up, but the display presents it in such a way that it reads normally. When you click on a link or a filename it doesn't matter what it looks like, the thing that is executed is whatever is in the text, and that's what the scanner will see too.

        I think the attachment/link example is made up.

        1. Charles 9

          Re: And of course...

          "I'm still puzzled about the allegedly disguised filename. The story is that the text is reversed so the scanner won't pick it up, but the display presents it in such a way that it reads normally. When you click on a link or a filename it doesn't matter what it looks like, the thing that is executed is whatever is in the text, and that's what the scanner will see too."

          The example in the article is erroneous, but the idea is that the filename is written backwards, too. Think "txt.setoN gniteeM evituc.exE". This is actually a program (which could contain a zero-day privilege escalation rootkit or such), but if it's displayed in a RTL mode, the displayed name gets reversed and now appears to be "Exe.cutive Meeting Notes.txt", making it look like an innocuous text file. See where this is going? Combine this with spear phishing, and the whole thing could be believable enough to click to open.
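Added example (not part of the article or of any comment above): a Python sketch of a filter-side check for the trick discussed in this sub-thread, comparing the stored form of a filename or text with what a bidi-aware client displays. The function names are hypothetical, the sample strings are constructed from the names quoted in the thread, and the renderer is a simplification that handles only non-nested U+202E ... U+202C spans rather than the full Unicode bidirectional algorithm.

```python
import os
import unicodedata

# Explicit bidirectional formatting characters defined by Unicode (UAX #9).
RLO, PDF = "\u202e", "\u202c"
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e"
                    "\u2066\u2067\u2068\u2069\u200e\u200f")

def find_bidi_controls(text):
    """Return (index, Unicode name) for every bidi control character in text."""
    return [(i, unicodedata.name(c)) for i, c in enumerate(text)
            if c in BIDI_CONTROLS]

def displayed_form(text):
    """Approximate what the reader sees: reverse each RLO...PDF span.
    Simplification (assumption): non-nested RLO/PDF only, other controls dropped."""
    out, span, in_rlo = [], [], False
    for c in text:
        if c == RLO and not in_rlo:
            in_rlo = True
        elif c == PDF and in_rlo:
            out.extend(reversed(span))
            span, in_rlo = [], False
        elif c in BIDI_CONTROLS:
            continue
        elif in_rlo:
            span.append(c)
        else:
            out.append(c)
    out.extend(reversed(span))  # an unterminated override runs to end of text
    return "".join(out)

def check_attachment(name):
    """Compare the extension the OS acts on with the one the reader sees."""
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(displayed_form(name))[1].lower()
    return {"bidi": bool(find_bidi_controls(name)), "real_ext": real_ext,
            "shown_ext": shown_ext, "spoofed": real_ext != shown_ext}

if __name__ == "__main__":
    # Constructed samples built from the names quoted in the thread.
    for sample in ("PAYLOAD\u202ecod.exe",
                   "\u202etxt.setoN gniteeM evituc.exE",
                   "report.pdf"):
        print(repr(sample), "->", displayed_form(sample), check_attachment(sample))
    body = "Hi \u202e!yenom dneS\u202c now"
    print(find_bidi_controls(body), "->", displayed_form(body))
```

Running keyword or Bayesian filters over `displayed_form(body)` as well as the raw text means they score what the recipient actually reads.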

      2. Charles 9

        Re: And of course...

        But wouldn't that still raise a red flag since that ALSO means the text becomes right-aligned? The standard approach is to align e-mail and common text to the same side as the start of the text, is it not? Thus English starts on the left while Hebrew, Arabic, etc. start on the right.

    4. Destroy All Monsters Silver badge

      Re: And of course...

      No one will be suspicious of a message from their "bank" with the text written backwards...

      It's like ECB negative interest rates. Nothing surprises anymore.

      1. Ted Treen
        Holmes

        Re: And of course...

        I'm suspicious of any message from my bank, and don't follow any link or download any attachment(s).

        Of course I'm even more suspicious of similar messages from banks where I don't have an account...

  6. Zog_but_not_the_first
    IT Angle

    Ultimate clicktrap?

    I clicked on the article to find out what was going on and suddenly...

  7. b166er

    That's how I've been obfuscating email addresses when people insist on having theirs on a website.

    unicode-bidi:bidi-override

    direction:rtl

    That with a bit of javascript to reverse it onclick

  8. Gordon 11
    Headmaster

    "spɹɐʍʞɔɐB" isn't backwards. It's rotated through 180°.

    Which is why you can read it standing on your head.

    1. Destroy All Monsters Silver badge

      But what if you now mirror it?

  9. amanfromearth

    That's not backwards..

    It's umop apisdn

    1. Rick Giles
      Trollface

      Re: That's not backwards..

      That's no moon...
