The spoofing or obfuscating of email messages to bypass antispam filters is a very common technique for spammers. Spammers try to obfuscate the email headers or email bodies of messages to evade antispam filters, as discussed in one of our previous blogs.
So far, we have seen the use of non-ASCII characters or special characters that are not seen in legitimate URLs to obfuscate the domains or links in the spam messages. With such obfuscation in place, content-based antispam filters have limited success against such variations.
A few examples of such obfuscated domains are:
• example com
In the recently observed spam sample, spammers employed a new URL obfuscation technique. In this tactic, the invisible “soft hyphen” (a.k.a. shy character) is inserted in the URL at multiple places.
Soft Hyphen (SHY)
The soft hyphen is a graphic character that is imaged by a graphic symbol identical with, or similar to, that representing the hyphen (-). It is used when a line break has been established within a word. In HTML4 standards, the soft hyphen is represented as “­”. The shy character is ignored by many browsers (for example, Firefox 2 ignores this character), unlike in Microsoft Office documents and in a small number of browsers in which the shy character visible and is treated as a normal hyphen.
Below is an example of URL obfuscation using the soft hyphen:
Since the shy character is ignored by many Web browsers and email clients, to users the obfuscated URL is seen as a normal clickable URL and clicking on this link will direct the user to a spam Web page.
Although obfuscation techniques such as this one evade URL-based antispam filters, Symantec is protecting their customers with advanced content filters and signature technologies. As always, Symantec recommends having antivirus and antispam solutions installed—and don’t forget to update your signatures regularly.
Note: Thanks to Paresh Joshi for contributed content.