Fuzzing E-mail Filters with Generative Grammars and N-Gram Analysis

Phishing attacks remain a common attack vector in today’s IT threat landscape, and one of the primary means of preventing phishing attacks is e-mail filtering. Most e-mail filtering is done according to a either a signature-based approach or using Bayesian models, so when specific signatures are detected the e-mail is either quarantined or moved to a Junk mailbox. Much like antivirus, though, a signature-based approach is inadequate when it comes to detecting zero-day phishing e-mails, and can often be bypassed with slight variations in the e-mail contents. In this paper, we demonstrate an approach to evaluating the effectiveness of e-mail filters using a fuzzing strategy. We present a system that utilizes generative grammars to create large sets of unique phishing e-mails, which can then be used for fuzzing input against e-mail filters. Rather than creating random text, our approach maintains a high degree of semantic quality in generated e-mails. We demonstrate how our system is able to adapt to existing filters and identify contents that are not detected, and show how this approach can be used to ensure the delivery of e-mails without the need to white-list.