back to article spɹɐʍʞɔɐB writing is spammers' new mail filter avoidance trick

Spammers are writing emails backwards in an attempt to sneak past spam filters, security researcher Brian Bebeau has found. The pests were using left-to-right override code intended to facilitate the use of bi-direction text, such as a document that included English and Hebrew. The Trustwave researcher said the tactic had a …

  1. Anonymous Coward
    Anonymous Coward

    There is no progress here

    On the contrary: Feels like we're going backwards.

    1. Skymonrie

      Re: There is no progress here

      I concur, the very first thing on my mind was to check the story publish date thinking there was an error which threw up an old story...

  2. FrankAlphaXII
    Unhappy

    For the love of God, don't give the shitheads that do this any ideas. I say this because your headline text is not only backwards, it is also upside down. That or I'm finally losing my mind.

    Anyway, my point is if server side anti-phishing filters can't reliably figure out backwards writing, they'll never cope with backward AND upside down text.

    1. James 51

      The B in backwards was the normal orientation. For the few people who can mirror read and write that looks quite interesting.

      1. Destroy All Monsters Silver badge
        Paris Hilton

        I read it as "Backwarps". Probably a special maneouver of the NCC-1701?

        1. Crisp
          Boffin

          Backwarps

          One of the few defences against the Picard Maneuver...

      2. Trigonoceps occipitalis

        Also the lower case b in the 6th paragraph. Why?

        1. Eddy Ito

          Not just the b, all the letters are normal (left to right) it's just the spelling that is reversed. In any event any spam that comes through with any quantity of abnormal text of whatever type is getting binned. How hard can it be to throw a spell checker into the filter bin? There must be something that catches misspellings like v1agra, etc. as I haven't seen one of those in quite a while. I don't remember what client I was using way back in the day but one of the filters was font color1 so a reasonable dictionary filter should catch a good deal of this and most 419 scams as well.

          1. Which worked nearly perfectly until certain family members who shall go unnamed decided that all the new html/rich text effects were too cool to not use and I had to do tricks to filter based on the amount of colorful text. Eventually known family email address had to be whitelisted but they got an autoreply of alternating #ffe080 and #c0e080 text on a #8fff00 background. Most stopped shortly after that but one thought it was fun. </facepalm>

      3. Fibbles

        For the few people who can mirror read and write

        Wait, wait, wait... You mean most people can't?

        Time to update my C.V.

        1. VinceH

          No, no, no.

          What you don't do on your CV is draw attention to the fact that you'll be able to read potentially confidential material that the boss may sometimes have on his desk.

          Well, not unless you're using psychic paper for the CV and can update it on the fly...

          "One of my abilities is to read mirrored, upside down or rotated text. Which is how I know that text message you've just glanced at before leaving your phone on your desk is from your mistress, making interesting suggestions about your rendezvous tonight - but rest assured that your wife will never find out if you give me the job..."

    2. VinceH

      " I say this because your headline text is not only backwards, it is also upside down."

      It was indeed a combination of the two. Which could also be simply referred to as "rotated".

      Except the B, as James 51 pointed out. I can usually read mirrored/rotated text without problem (provided my slowly deteriorating eyesight can make it out on someone's desk to start with, which it used to be able to, but not so well these days) - but, while I could read the word "Backwards" with no real difficulty, that B threw me. It didn't look right at all, and I just couldn't see why, until I read James' comment.

      1. Destroy All Monsters Silver badge
        Holmes

        It was indeed a combination of the two. Which could also be simply referred to as "rotated".

        More on this in Rotations, Quaternions, and Double Groups by Simon L. Altmann (1986)

        1. regman1

          Wonderful

          <i>More on this in Rotations, Quaternions, and Double Groups by Simon L. Altmann (1986</i>

          Posts like this make el Reg very worthwhile.

          (Apart from its inability to parse HTML :-( )

          1. Brewster's Angle Grinder Silver badge

            Re: Wonderful

            @regman1

            Have we dropped the requirement that commentards pass a test on elementary LIE algebra?

  3. Alister

    Phishers had also applied the tactic to sections of filenames in order to obfuscate the extension and slip malware past scanners. This meant 'PAYLOADexe.doc' would become PAYLOADcod.exe.

    I call bullshit on that one, most mail servers I have used block .exe attachments as a matter of course, so a spammer is hardly likely to rename a .doc to a .exe.

    1. Fuzz

      This is the other way round

      This is the other way round, the exe is made to look like a doc by reversing the last 7 characters of name. However any mail scanner worth anything is going to actually scan the file to find out what the content is rather than relying on the extension.

      1. Gordon 11

        Re: This is the other way round

        However any mail scanner worth anything is going to actually scan the file to find out what the content is rather than relying on the extension.

        Probably, but I remember an attempt to send a file called "example.com", which contained a textual dump of a DNS zone and was sent with a MIME type in the header of application/text, being bounced by Outlook as it was an executable (because of the .com extension).

    2. Hans 1
      Windows

      Virus scanners detect the first bytes of a file and, when this contains MZ (amongst others, MZ means executable), will block the attachment ... regardless of the extension.

      What is this reporting ?

      The virus scanners learned it the hard way when viri-writers were sending scr files around the intertubes back in the late 90's.

      Yes, on Windows screensavers are executables, I know it is completely ff'd up, but no, we cannot say anything coz this forum is full of window cleaners. Rename the extension of any 32-bit/64-bit executable on windows to .com, .scr, or .exe and it will still run ...

      1. Destroy All Monsters Silver badge

        > we cannot say anything coz this forum is full of window cleaners

        This is not like you are an university prof in Israel talking about Gaza. Speak your mind.

      2. Alan Brown Silver badge

        "Virus scanners detect the first bytes of a file and, when this contains MZ (amongst others, MZ means executable), will block the attachment ... regardless of the extension."

        Which is why many malware payloads are .zips - and because zips are now widely scanned they've recently resorted to ARJ archives (presumably they'll move to other ancient compression formats later)

        1. Charles 9

          I thought they already moved on to encrypted ZIP archives which can't be extracted by automation since the password to decrypt them is hidden carefully in the text of the message such that computers aren't likely to make it out correctly. Furthermore, encrypted ZIPs can't be blocked out of hand since they may actually be legitimate correspondence from a coworker (which makes a spear-fishing encrypted ZIP even more plausible).

          1. Fibbles

            I thought they already moved on to encrypted ZIP archives which can't be extracted by automation since the password to decrypt them is hidden carefully in the text of the message

            Surely there comes a point at which the usual tech-illiterate victims of email malware become unable to actually open the payload?

      3. Anonymous Coward
        Anonymous Coward

        Viri writers -<i> because viruses writers doesn't sound right.</i>

  4. Anonymous Coward
    Anonymous Coward

    So...

    .... rather than meaningless drivel written in English we're going to get even more meaningless drivel written in backwards English.

    Who in their right mind is going to click on a link in something that they can't read?

    1. Screaming Temporal Doom

      Re: So...

      You've obviously never worked in local government ......

    2. Jedit Silver badge
      Facepalm

      "Who in their right mind is going to click on a link in something that they can't read?"

      The point is that you can read it. The text is only in reverse in the code; the right-to-left display algorithm returns it to the correct orientation when it displays on your screen.

    3. RyokuMas
      Stop

      Re: So...

      People fall for 419 scams.

      People believe that the person who has just rung them up about their machine being full of viruses is in fact a bona fida Microsoft employee.

      People believe that that link which will get them a free copy of a game that normally sells for a couple of dollars will actually get them the game and the game only.

      Never underestimate the human capacity to do something completely... stupid.

      1. Yugguy

        Re: So...

        Aye, add to that the people who fall for the car ads that are advertising a nearly new car for 1/2 the normal price with the tagline of "Don't call the dealer call me direct on xxxxxxxx"

        You can never plumb the depths of human greed and stupidity.

    4. Crazy Operations Guy

      Re: So...

      "Who in their right mind is going to click on a link in something that they can't read?"

      Quite a few people if you preface the link with "Free Phone/tits/games/celebrity tits/money/sluts."

      Now if someone were to come up with a game where you win money, women, new phones, or pictures of nude celebrities by navigating a pixellated bird between obstacles, we're all screwed...

    5. Fibbles

      Re: So...

      Who in their right mind is going to click on a link in something that they can't read?

      Never underestimate ignorance and naivety. I remember being 14 and receiving an email from a Nigerian prince. How my dad laughed when I tried to tell him how rich we were going to be...

  5. Anonymous Coward
    Anonymous Coward

    And of course...

    No one will be suspicious of a message from their "bank" with the text written backwards...

    1. imanidiot Silver badge

      Re: And of course...

      Problem is, people stupid enough to fall for phishing mails are not likely to be deterred by an additional oddity here and there. They'll just assume "someone made a typo" and laugh at the stupid bank while providing their email, username, password, PIN, height, weight, eyecolor, ring size, what they ate that morning and when they last took a crap.

      My point being: Stupid people will be stupid.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: And of course...

        Spammers are simply applying the Wizard's First Rule (as stated by Terry Goodkind):

        "People will believe anything, either because they want to believe it's true, or because they are afraid that it is true"

        Politicians use this all of the time!

      3. Anonymous Coward
        Anonymous Coward

        Re: And of course...

        The ultimate level of stupidity is to underestimate how stupid people can be.

    2. Blane Bramble

      Re: And of course...

      The point is the text in the email is written backwards (so scanners don't see normal keywords), but the text is wrapped in a block that tails the browser/email client that the text should be rendered right-to-left, so when it is displayed it looks normal to you, so something like (tags made up, not part of any standard I am aware of):

      In the message

      <encoding:ltr>!yenom dneS</encoding>

      But on your screen:

      Send money!

      1. MisterD

        Re: And of course...

        Spammers might as well just label their spam as spam. Bayesian classifiers will very quickly learn that a hapax like :ltr> has a 100% correlation with spam.

        1. ratfox
          Go

          Re: And of course...

          I suspect it might work here:

          Let's say I write a message ‮reporp eht sniatnoc ti fo emos dna‬ unicode control codes.

          There. Now copy/paste the sentence in bold in a terminal or a dumb text editor, and you will have a surprise.

          EDIT: Emacs displays the same text, but vi displays something else.

    3. Tascam Holiday
      Facepalm

      Re: And of course...

      The point is that the text is backwards within the source to evade spam detectors, but uses the Unicode RTL code &#202e; to force the mail program to reverse the text so that it displays in the correct order.

      1. Kubla Cant

        Re: And of course...

        I'm still puzzled about the allegedly disguised filename. The story is that the text is reversed so the scanner won't pick it up, but the display presents it in such a way that it reads normally. When you click on a link or a filename it doesn't matter what it looks like, the thing that is executed is whatever is in the text, and that's what the scanner will see too.

        I think the attachment/link example is made up.

        1. Charles 9

          Re: And of course...

          "I'm still puzzled about the allegedly disguised filename. The story is that the text is reversed so the scanner won't pick it up, but the display presents it in such a way that it reads normally. When you click on a link or a filename it doesn't matter what it looks like, the thing that is executed is whatever is in the text, and that's what the scanner will see too."

          The example in the article is erroneous, but the idea is that the filename is written backwards, too. Think "txt.setoN gniteeM evituc.exE". This is actually a program (which could contain a zero-day privilege escalation rootkit or such), but if it's displayed in a RTL mode, the displayed name gets reversed and now appears to be "Exe.cutive Meeting Notes.txt", making it look like an innocuous text file. See where this is going? Combine this with spear phishing, and the whole thing could be believable enough to click to open.

      2. Charles 9

        Re: And of course...

        But wouldn't that still raise a red flag since that ALSO means the text becomes right-aligned? The standard approach is to align e-mail and common text to the same side as the start of the text, is it not? Thus English starts on the left while Hebrew, Arabic, etc. start on the right.

    4. Destroy All Monsters Silver badge

      Re: And of course...

      No one will be suspicious of a message from their "bank" with the text written backwards...

      It's like ECB negative interest rates. Nothing surprises anymore.

      1. Ted Treen
        Holmes

        Re: And of course...

        I'm suspicious of any message from my bank, and don't follow any link or download any attachment(s).

        Of course I'm even more suspicious of similar messages from banks where I don't have an account...

  6. Zog_but_not_the_first
    IT Angle

    Ultimate clicktrap?

    I clicked on the article to find out what was going on and suddenly...

  7. b166er

    That's how I've been obfuscating email addresses when people insist on having theirs on a website.

    unicode-bidi:bidi-override

    direction:rtl

    That with a bit of javascript to reverse it onclick

  8. Gordon 11
    Headmaster

    "spɹɐʍʞɔɐB" isn't backwards. It's rotated through 180°.

    Which is why you can read it standing on your head.

    1. Destroy All Monsters Silver badge

      But what if you now mirror it?

  9. amanfromearth

    That's not backwards..

    It's umop apisdn

    1. Rick Giles
      Trollface

      Re: That's not backwards..

      That's no moon...

  10. Terry 6 Silver badge

    The real filter seems to be easy to evade

    The one where people see an email and think, "Hmm, looks dodgy". It's so badly designed, apparently.

  11. Anonymous Coward
    Anonymous Coward

    How long did it take the Editor to write that title?

    RC=0 stuartl@vk4msl-mb ~ $ hexdump \

    -e '8/1 "%02x ""|"" "' \

    -e '8/1 "%_p" "\n"' \

    /tmp/title.txt

    73 70 c9 b9 c9 90 ca 8d| sp......

    ca 9e c9 94 c9 90 42 20| ......B

    77 72 69 74 69 6e 67 20| writing

    69 73 20 73 70 61 6d 6d| is spamm

    65 72 73 27 20 6e 65 77| ers' new

    20 6d 61 69 6c 20 66 69| mail fi

    6c 74 65 72 20 61 76 6f| lter avo

    69 64 61 6e 63 65 20 74| idance t

    72 69 63 6b 0a | rick.

    Very cute.

    1. ElReg!comments!Pierre

      Re: How long did it take the Editor to write that title?

      Tech site. Pro'lly was faster to implement than to come up with.

    2. paulc

      Re: How long did it take the Editor to write that title?

      ʎɹǝʌ ʎןʞɔıbn' ʇnsɾ ɐ ɹǝʇʇɐɯ ɟo ƃuıʇsɐd ʇı oʇuı ɐ ɹoʇɐɹǝuǝƃ ǝƃɐd ou ǝɥʇ qǝʍ˙˙˙

  12. Mage Silver badge

    Meh

    opening random email attachment no matter what it is called is stupid

    1. Charles 9

      Re: Meh

      Even if it appears to come from a colleague? That's the point behind spear phishing.

  13. Rick Giles
    Linux

    Odd...

    I don't see any backwards text. It only shows up as EEEB with some weird accent marks above the E's.

    Plus, don't use an email program that renders HTML. That's probably the second most stupid thing you can do (with running Windows as the first).

    1. ElReg!comments!Pierre

      Re: Odd...

      "Plus, don't use an email program that renders HTML. That's probably the second most stupid thing you can do"

      I use an email reader that renders HTML... but I do tell it to not do so. It nicely translates the bold to *bold*, the italics to /italics/ and the <span style="text-decoration:underline;"> underline </span>* to _underline_ for me and that's it. I do sometimes miss out on the "included the latest 10-page memo (relevant line in red)" type of message, and the tables directly pasted from MSExcel to MSExchange are often mangled, but it's well worth it.

      *Hu? That was supposed to work... well, you get the idea

    2. Ken Hagan Gold badge

      Re: Odd...

      I fail to see why rendering HTML in an email client is any more stupid than rendering HTML in a web browser. Given a sane rendering engine, both are safe. Given a reckless rendering engine, neither is safe.

      1. Rick Giles

        Re: Odd...

        "I fail to see why rendering HTML in an email client is any more stupid than rendering HTML in a web browser"

        It's easier to get folks to click on a link in an email which makes spreading nasties around.

  14. ElectricRook
    FAIL

    NP 4 Bayesian filtering.

    Bayesian filtering doesn't rely on some pointy headed Sysadmin it builds its own lists based on machine learning. Backwards text will carry high spam flagging.

  15. Dan Paul

    Spam Filters & Email programs are seriously lagging

    It's about time that ANY email program became infinitely configurable with spam filters based on specific whole or partial words, ASCII characters, file extensions, domains, IP addresses and ranges, country codes, language, font, Tld, etc.

    They should have the ability to see, read, display and filter the complete email message including raw headers.

    Email programs should have all forms of encryption/decryption built in and not require browsers, addons or plugins.

    HTML emails should be able to be scanned for booby trap code, script, cookies or links by the native email program not just the AV.

    Text emails should have some better display and formatting options especially when converting from HTML emails.

    When someone can come up with that kind of capability, the Internet will flock to their door.

  16. Anonymous Coward
    Anonymous Coward

    Extension hiding should be BANNED.

    Hiding a file extension... when, ever, ever, EVER, ANYONE, would think it was a good idea??? For pete's sake, it is the most dumbfounded idea since Autorun. Autorun, at least, served a purpose, and could be disabled.

    Not showing the file extension is infinitely stupid, inherently dangerous, and causes more confusion than it solves. I had more than a few dozen machines infected BY THAT METHOD.

    I hereby ask that we SUE every OS distribution that even remotely tries to disable extension exhibition by default. 100 currencies per violation, per day, until properly patched version is available. The currency to be adopted is the one with the highest face value when compared to any other in which the OS can be sold or licensed. (I believe Bitcoin is the highest face value today?)

    Hiding the file extension only helps to spread malware. There is no other practical reason to do that.

    On the other side of the range, a file that reads "file.spreadsheet" is perfectly recognized and could be universally interpreted. "File.textdocument" and "File.presentation" are equally self-explanatory.

    Would you run a file named mytext.virus? Mydocument.executable?

    By the way, try to rename anything to "anything.pif" and try to rename it back. Hint: be sure you can delete the file before attempting.

    1. Terry 6 Silver badge

      Re: Extension hiding should be BANNED.

      I agree to that basic premise. I never saw the point of it in Windows, and always opt to show it. Sometimes you just need to know what kind of file you are looking at. But then it's only part of the same view of how users should work that puts files into virtual folders (my documents etc) and buries the real folders ( and so files) on the C: drive c:\documents and settings\username\etc. even if they have a perfectly good partition reserved for data

      It's sort of trying to pretend that things are simpler than they really are by hiding any trace of complexity, but in a clumsy way.

      1. Destroy All Monsters Silver badge
        Mushroom

        Re: Extension hiding should be BANNED.

        In any case using a "file extension" (something that comes a limitations of MS-DOS FAT filesystem) as metadata in 2014 (in particular, in determining what process should read the file) .... no wonder this "industry" is a joke.

    2. regman1

      Re: Extension hiding should be BANNED.

      Remember, Windows was designed for fucking morons.

      Gates couldn't have a receptionist at a hairdressers panicking because they didn't know the difference between .doc and .exe.

      It needs to be used by morons so we all have to suffer.

      We I don't -- I have used Linux for years -- FUCK OFF Microsoft.

  17. Truth4u

    I dont believe the spam problem will ever be solved.

    The solution is to stop checking your email. Only ever look at it for a specific email then search for that one. Like if you know that site is about to send you a code. Who cares what else is in there? I don't even delete the spam anymore, what a pointless chore. There's a search box in every mail client.

    1. Charles 9

      Re: I dont believe the spam problem will ever be solved.

      So if you get a legitimate but unannounced e-mail from someone, they're screwed since e-mail is the only way they can get the message through?

  18. Col_Panek

    Why not label anything that's backwards or upside down as spam?

  19. This post has been deleted by its author

  20. spamtitan

    will really only affect organisations who do not use a spam filter or use a very basic spam filter

    This technique is not new and was used in the past for email attachments which had their extension obfuscated. This technique has been reported as far back as 2009 https://www.mozilla.org/security/announce/2009/mfsa2009-62.html. What happens is the email presents as the file name.doc, while in fact you are opening a malware anncod.exe file, because the attacker used the direction override after the second ”n”.

    Most commercial business spam filters involve layers of substantial tests that this technique will not evade. For example with SpamTitan this trick will not fool the banned attachment filter for virus scanners. This backward text trick uses a feature in unicode which facilitates languages that are written from left to right. It is used to hide the true name of a file. However the banned attachment scanner pays little attention to the file name and uses other more vigorous methods to identify the file type. Similarly the virus scanners will decode the file and scan it for potential threats regardless of what the file name is.

    Organisations using a spam filter of the calibre of SpamTitan will be unaffected by this by spamming or phishing attempts using this technique, it will really only affect people who do not use a spam filter or use a very basic spam filter with no banned attachment or virus scanning.

  21. Optimist

    I have found that if the display name of the recipient is correct, it is less likely to be spam.

    1. Anonymous Coward
      Anonymous Coward

      Yes, because a spambot couldn't possibly harvest a name and email address from a compromised website you signed up to or a public mailing list archive that you might post emails to.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like