Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Not Allowing Spammers the Slightest Space

Created: 21 May 2012 11:52:55 GMT • Updated: 23 Jan 2014 18:15:22 GMT • Translations available: 日本語
Paresh Joshi's picture
+1 1 Vote
Login to vote

For anti-spam software, it is quite easy to prevent spam by using content-based filters. So spammers come up with different obfuscation techniques to bypass URL-based filters such as inserting “shy characters”, as we have discussed previously. Recently, spammers have been trying to cash-in on the smallest of gaps that they could find in conventional anti-spam technologies. Spammers are now attempting to obfuscate the URLs in spam messages, either by inserting white space characters of varying sizes or by replacing the conventional “.” (dot) character by “。” (An ideographic full-stop, mostly used in Asian languages)

How did they do it? Let’s take a look at both of these techniques.

Using different size white space characters is allowed in HTML. All languages use spaces to separate words. However, the size of the white space characters in different languages is different (more information).Unicode allows a variety of width for white space characters according to the design of the typeface. The following table shows some of the white space characters:

Spammers are inserting these white space characters into the URLs in a message body in an attempt to evade anti-spam filters. In a normal view, the URL would look like the following image:

Whereas, this is the actual HTML tag for the URL:

Clicking on the link won’t work because of the extraneous white space. However, a curious user may remove the space considering it to be a typo and become victim to the ill intent of the spammers.

The other method of obfuscating a URL is by replacing a “.” with “ 。” . In HTML, “。” is represented by “。” . The following example shows how this works:

This is the actual HTML tag for the URL:

In this case though, as we can see, the browser will treat this character as a normal dot and the original link can be opened. In both of the above cases, spammers are making use of even the slightest of variations in characters to meet their goals. Even after such efforts by “bad guys” to evade URL-based filters, Symantec is protecting their customers with advanced content filters and signature technologies. As always, Symantec recommends having antivirus and anti-spam solutions installed—and don’t forget to update your signatures regularly.