D&C Lug - Home Page
Devon & Cornwall Linux Users' Group


Re: [LUG] Spam. What Spam?



I wonder if the cypher is analogous to the "munging" of urls that is
sometimes used.

If I recall correctly, the process goes something like this:

Original string of characters is translated into Hex, then each pair of
the resulting 8 digit Hex code is reversed back into Denary.  The 4
resulting numbers are the real IP address.  I haven't had need to do it
for a while so I might not have that 100% correct.

The key to breaking each cypher will be determining where the @ symbol
is and also the full stop and working from there.  It can be assumed
with a high level of confidence that the . will be either 3 or 4 from
last, either .com, .uk, etc as every other TLD obeys either a 2 or 3
letter suffix.  With the power of today's computers if the search is
limited to these two characters it should not take long to run through
the possible combinations.

example:

assume 3 from the end is a dot.
The crib is the official list of country code TLDs.  That never changes.
run through every possibility of what could represent the last two
letters.  If you come up with a valid TLD try that sequence on the rest
of the cypher.  There will inevitably be false positives, but even
during the war the infant computers were running hundreds of
possibilities per second.

(For further information on code breaking I heartily recommend "Battle
of Wits" by Stephen Budiansky)

Kind regards,

Julian

On Thu, 2003-07-03 at 11:06, Adrian Midgley wrote:
> On Thursday 03 July 2003 00:07, you wrote:
> 
> > > Which made me think that one might send a stream of spoofed
> > > "unique log ID references" back to the bastards concerned,
> > > devaluing their lists of "live" email addresses.
> >
> > How? exactly? You'd have to be able to match the spoof ID to a
> > listed email address 
> 
> The enemy has done that for us, by sending an ID to an address 
> ... more below ...
> 
> > and presumably therefore know the
> > workings of the script that the spammer uses to generate the
> > ID.
> That is a significant cryptographic challenge, but I wouldn't 
> rule out people finding it entertaining to tackle.  
> 
> There are a _lot_ of cribs available, since we already have the 
> technical and social means to collect large numbers of spam 
> emails into one place, this would be a service added to the spam 
> black holes and collaborative filters, not something run by only 
> one site.
> 
> > False ID's would just be dumped by the script upon
> > receipt. 
> 
> > The generation and verification of the ID takes no more than 4
> > - 12 lines of Perl (depending on how hard you want to mask the
> > original 'seed' data) which would take so little time on a
> > server that you would find it hard to measure, so bombarding
> > the (usually web) server with invalid spoofs isn't exactly
> > going to register as a DoS.
> 
> I bow to your knowledge on the time involved.  _Valid_ spoofs 
> though would have the effect I described.  The usefulness of the 
> attack depends on the number of valid spoofs that can be created.
> 
> > I have used this seed masking in Perl and the only real way to
> > crack it is the same way as any substitutional cypher - you
> > need to get hold of a lot of identical messages sent to
> > various email accounts, all using the same cypher pattern AND
> > hit it before the cypher pattern changes again. Whilst the
> > pattern is in use, A is always g etc. but the next pattern
> > changes A to decipher as r and so on. 
> 
> I think that quantity can safely be assumed.
> 
> > Unlike the Enigma codes, there's no weak point of sending the
> > cypher pattern to a receiver because with spam ID's the
> > receiver (the one who needs to validate / decipher the ID)  IS
> > the sender (the one who generated the ID) - a closed loop
> > cypher. As the cypher pattern does not need to be revealed to
> > anyone except the sender, each cypher has to be cracked from
> > scratch every time the pattern changes.
> 
> Initial settings.
> But in spam the volume is very much greater than Enigma traffic.
> 
> > Sounds like more work than is required. Use SpamAssassin and
> > install Razor too, then the spam can be reported as verified
> > and spam filters all over the internet can be updated.
> 
> If it can't economically be done - automated - then it is not 
> useful, but it attracts me as a way of striking back, and at the 
> business quality rather than just the volume of business.


--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.
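The two techniques in Julian's post, as an added, constructed example that is not code from the original message or from either poster. Part one undoes URL "munging" the way Julian recalls it: parse the host as one 32-bit number (decimal, 0x-hex, or dotted octets in mixed bases, all of which inet_aton-style parsers and browsers accept), print it as eight hex digits and read each pair back as denary. Part two is the TLD crib attack on the substitution cipher described in the quoted reply ("A is always g"), assuming a monoalphabetic key over a-z, "@" and ".", and joined across several messages under one key as Adrian's remark about cribs in quantity suggests. The TLD list is a small constructed subset of the real one, the three plaintext addresses are constructed, the key comes from a seeded shuffle, and all function names (decode_munged_host, crack, merge, reveal, and so on) are this example's own.

```python
"""Constructed example: undoing IP munging in URLs, and the TLD-crib attack on a
monoalphabetic substitution of e-mail addresses across several messages."""
import itertools
import random
import string
from collections import Counter

# ---- 1. URL munging: a dotted quad hidden as one number or odd-base octets ----
def _parse_int(token):
    t = token.lower()
    if t.startswith("0x"):                              # hex: 0xc0a80001
        return int(t[2:], 16)
    if len(t) > 1 and t[0] == "0" and t.isdigit():      # leading zero: octal
        return int(t, 8)
    if t.isdigit():
        return int(t, 10)
    raise ValueError(f"not a numeric host token: {token!r}")

def decode_munged_host(host):
    """Julian's recipe: get the 32-bit value, write it as 8 hex digits, and read
    each pair back as denary. Accepts 3232235521, 0xC0A80001 or 0300.0250.0.01."""
    if "." in host:
        parts = host.split(".")
        if len(parts) != 4:
            raise ValueError("expected four octets")
        value = 0
        for p in parts:
            n = _parse_int(p)
            if not 0 <= n <= 255:
                raise ValueError("octet out of range")
            value = (value << 8) | n
    else:
        value = _parse_int(host)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit address")
    hex8 = f"{value:08x}"
    return ".".join(str(int(hex8[i:i + 2], 16)) for i in range(0, 8, 2))

# ---- 2. TLD crib attack on a monoalphabetic substitution of addresses ----
ALPHABET = string.ascii_lowercase + "@."
TLDS = ["uk", "de", "fr", "nl", "us", "jp", "au", "ca", "ch", "es", "it", "se",
        "com", "org", "net", "edu", "gov", "mil", "int"]  # constructed crib subset
SAMPLE_ADDRESSES = ["alice@example.co.uk", "bob@mail.example.com",
                    "carol@spamtrap.org"]                 # constructed plaintexts

def make_key(seed):
    """Random permutation of the alphabet: plaintext char -> cipher symbol."""
    rng = random.Random(seed)
    shuffled = list(ALPHABET)
    rng.shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))

def encrypt(text, key):
    return "".join(key[c] for c in text)

def merge(key, pairs):
    """Add cipher->plain pairs to a partial key; None on conflict (symbol already
    mapped to something else, or plain char already taken by another symbol)."""
    key = dict(key)
    for sym, plain in pairs:
        if key.get(sym, plain) != plain or (sym not in key and plain in key.values()):
            return None
        key[sym] = plain
    return key

def tld_hypotheses(ct, dot, tlds):
    """Assume `dot` is '.'; if it sits 3 or 4 from the end, every TLD of the
    matching length is a hypothesis for the trailing symbols."""
    out = []
    for n in (2, 3):
        if len(ct) > n and ct[-n - 1] == dot:
            tail = ct[-n:]
            out += [(tld, list(zip(tail, tld))) for tld in tlds if len(tld) == n]
    return out

def crack(ciphertexts, tlds):
    """Pin the '.' symbol (3 or 4 from the end in every message) and the '@'
    symbol (exactly once in every message), then keep only the TLD assignments
    that give one consistent substitution across all messages."""
    dots = set.intersection(*({ct[-3], ct[-4]} for ct in ciphertexts))
    ats = set.intersection(*({s for s, n in Counter(ct).items() if n == 1}
                             for ct in ciphertexts))
    survivors = []
    for dot in dots:
        for at in ats - {dot}:
            per_msg = [tld_hypotheses(ct, dot, tlds) for ct in ciphertexts]
            for combo in itertools.product(*per_msg):
                key = {dot: ".", at: "@"}
                for _tld, pairs in combo:
                    key = merge(key, pairs)
                    if key is None:
                        break
                if key is not None:
                    survivors.append((tuple(t for t, _ in combo), key))
    return survivors

def reveal(ct, partial):
    """Apply a partial key, showing still-unknown symbols as '?'."""
    return "".join(partial.get(s, "?") for s in ct)

if __name__ == "__main__":
    print(decode_munged_host("0xC0A80001"), decode_munged_host("3232235521"))
    key = make_key(2003)
    cts = [encrypt(a, key) for a in SAMPLE_ADDRESSES]
    found = crack(cts, TLDS)
    print(len(found), "consistent TLD assignments survive out of 12*7*7 = 588")
    for tlds, partial in found[:3]:
        print(tlds, [reveal(ct, partial) for ct in cts])
```

Run stand-alone it prints the decoded address and the surviving hypotheses. The point Julian makes about false positives shows up directly: with one message, any TLD of the right length fits; three messages under one key cut the 588 joint assignments to the 23 that stay consistent, because the "o" shared between the two three-letter suffixes forces the other symbols to agree. The false positives left are the ones Julian says you then test "on the rest of the cypher".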