web application security lab

XSS Keyword Used To Defeat Bayesian Spam Filters

I was pretty amazed when I read this, but it is starting to make more and more sense the more I think about it, but “geek speak” is being used to defeat Bayesian spam filters. According to MessageLabs (who I happen to think is one of the best managed anti-spam services out there) using simple keywords can help reduce the likelihood of something being caught as spam. And get this, one of the keywords mentioned is “XSS” of all things!

Like I said, it sorta makes sense when I started thinking about it. One of the most bizarre phenomena was one time when I was writing a fairly in-depth paper on the large scale effects of the 419 advanced fee fraud (if you don’t know what that is click here). While I was writing the fairly in-depth technical explanation I sent it to a few trusted parties who I wanted to get input from. It never got there. It was impossible to get it to them because it kept getting marked as spam! I had to do all sorts of crazy things to disguise it in transit but still make it show up okay on the other end (basically I had to defeat the spam engine itself) but talk about a hassle!

Certain emails have certain characteristics. An email about cooking has the words “pots” and “spices”. An email about XSS has crazy filter evasion, and HTML markup galore. The heuristics of an email about XSS look an awful lot like someone trying to evade filters. For the spam engine to avoid a false positive on it, the engine has to tune itself to look for particular words that would whitelist an email that otherwise looked obfuscated, or that had a very high or, alternatively, very low level of entropy.

Makes perfect sense! I guess the spam engines need some tuning now as XSS isn’t a marker of something particularly good or particularly bad as it turns out. I’ve seen the exact opposite thing happen where services have denied requests that have contained the word “XSS” in them. Talk about poor design - all you have to do is not use that word and you’re back up and running. XSS strikes again, in the most unlikely place!
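The token weighting described above, and the tuning it calls for, as an added example that is not part of the original post or any vendor's filter. The per-token probabilities, the 0.9 threshold and both sample messages are constructed, and ignoring unknown tokens is a simplifying assumption.

```python
import math
import re

# Constructed P(spam | token) values for illustration; not from any real filter.
LEARNED = {"free": 0.92, "offer": 0.88, "obfuscated": 0.85,
           "evasion": 0.80, "xss": 0.02}
# Tuned copy: "xss" is neither good nor bad evidence, so make it neutral.
TUNED = dict(LEARNED, xss=0.5)
THRESHOLD = 0.9  # assumed cut-off at or above which mail is treated as spam


def spam_score(text, table):
    """Naive Bayes combination over the distinct known tokens in text."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    probs = [table[t] for t in tokens if t in table]
    if not probs:
        return 0.5  # nothing recognised: no evidence either way
    # Work in log space so long messages do not underflow.
    log_spam = sum(math.log(p) for p in probs)
    log_ham = sum(math.log(1.0 - p) for p in probs)
    return 1.0 / (1.0 + math.exp(log_ham - log_spam))


# Constructed sample messages.
SECURITY_MAIL = "Notes on XSS filter evasion with obfuscated markup"
JUNK_MAIL = "Free offer inside, XSS"


def report():
    """Score both messages under both tables: (table, mail, score, flagged)."""
    rows = []
    for name, table in (("learned", LEARNED), ("tuned", TUNED)):
        for label, text in (("security", SECURITY_MAIL), ("junk", JUNK_MAIL)):
            s = spam_score(text, table)
            rows.append((name, label, round(s, 4), s >= THRESHOLD))
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

With the learned table the single ham-weighted token keeps both messages under the threshold. Once the token is neutral both are flagged, which is the false-positive trade-off that leads a filter to learn such a word in the first place.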
