What is SPAM? Spam is unsolicited commercial email (UCE) and unsolicited bulk email (UBE): mail that the recipient did not ask for and does not want. Spam is the Internet version of unsolicited telemarketing phone calls. The senders are trying to sell something, drive up their website hits or take your money.
Spammers harvest email addresses by scanning the internet and creating lists for spamming.
Most of us get hundreds of spam messages in our inboxes, and with the tricks that spammers use to undermine anti-spam filtering software, it is hard to stop. Here are just some of the tricks that spammers will use:
WATCH THOSE LINKS …
Link to Search Engine, instead of Spammer's Web site
What it does: Instead of including the URL for a spammer’s web site in the spam message, a spammer will provide a link to a specific search engine query that will return the spammer’s site at the top of the results.
Creating a replica of a legitimate web page to hook users and trick them into submitting personal or financial information or passwords.
What it does: Scammers who are phishing trick users into visiting an imitation of a legitimate web page by disguising the true destination of a URL in their messages. They do this by embedding an image that looks like plain text. The image displays the URL of the site that they are imitating. However, when the image is clicked, the user is taken to the scammer’s imitated site.
Redirecting to a different URL
What it does: Instead of just putting, for example, ‘mycheapdrugsite.biz/c3/index.html’ in a spam message, spammers hide their destination sites behind freely available redirects, such as those offered by Yahoo and MSN.
What you see is not what you get …
What it does: Use the onmouseover event to change a URL so that, when clicked, the user is taken to an unexpected destination.
Hiding web addresses
What it does: Uses URL encoding to hide URLs. (See also the trick called Enigma.)
Example: %-style: http://%77%77%77%77.3%65%653–%69%6c11%6c%69–3%6c%69%6c%6c.%6f%72%67/ &;-style: http://www.sgc.org/
What it does: Uses URL encoding to hide URLs.
Example: http://7763631671/obscure.htm http://0xCeBF9e37/obscure.htm http://0316.0277.0236.067/obscure.htm http://3468664375@3468664375/o%62s%63ur%65%2e%68t%6D
Splitting a web address
What it does: To prevent a URL from being recognized as a URL, it is split into two parts, with instructions to the reader to put the two pieces back together.
Example: type http://www the the following URL in your web browser address bar: .somesite.com/page1/page2/content.htm
What it does: Like Invisible ink, but instead of using identical colours (e.g. white on white), it uses very similar colours.
Example: (The colours 1133333, 123939, and 423939 are chosen to be very similar without being the same.)
What it does: Uses white text on a white background containing words designed to confuse a filter.
What it does: Uses URL username@host syntax to disguise a URL.
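The URL-hiding tricks above (URL encoding, numeric hosts and the username@host syntax) all resolve to an ordinary address before the request is made, so a filter can undo them the same way. The Python below is an added example, not part of the original article; the function names and flag strings are made up for illustration, and wrapping an oversized number modulo 2**32 is an assumption about how lenient clients read it.

```python
import re
from urllib.parse import urlsplit, unquote

# The four disguised URLs quoted in the example above.
PAGE_EXAMPLES = [
    "http://7763631671/obscure.htm",
    "http://0xCeBF9e37/obscure.htm",
    "http://0316.0277.0236.067/obscure.htm",
    "http://3468664375@3468664375/o%62s%63ur%65%2e%68t%6D",
]

def _component(text):
    """One host component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if re.fullmatch(r"0x[0-9a-f]+", text):
        return int(text, 16)
    if re.fullmatch(r"0[0-7]*", text):
        return int(text, 8)
    if re.fullmatch(r"[1-9][0-9]*", text):
        return int(text)
    return None

def numeric_host_to_ip(host):
    """Return the dotted quad a numeric host stands for, or None for a name."""
    nums = [_component(p) for p in host.lower().split(".")]
    *head, last = nums
    if None in nums or len(head) > 3 or any(n > 255 for n in head):
        return None
    if head and last >= 1 << 8 * (4 - len(head)):
        return None
    # The last component fills every remaining byte. A lone oversized number
    # is wrapped modulo 2**32 (assumption about lenient clients).
    value = last % (1 << 32)
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))

def analyse_url(url):
    """Decode a URL the way a client would and report the disguises found."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    host, flags = unquote(raw_host), set()
    if parts.username is not None:
        flags.add("userinfo-before-host")
    if "%" in raw_host:
        flags.add("percent-encoded-host")
    # Letters, digits and "." never need escaping, so escaping them is a disguise.
    if re.search(r"%(?:2e|3[0-9]|[46][1-9a-f]|[57][0-9a])", parts.path, re.I):
        flags.add("needlessly-encoded-path")
    ip = numeric_host_to_ip(host)
    if ip and ip != host:
        flags.add("numeric-host-disguise")
    return {"host": ip or host, "path": unquote(parts.path), "flags": flags}
```

All four URLs quoted in the example reduce to the same host and path, which is what a blocklist lookup should be run against.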
REARRANGING WORDS …
What it does: Breaks up a spammy word by inserting a single letter in the middle.
No cred K it? This looks like No credKit?
What it does: Large nonsense words are designed to subvert CRC-based spam identification.
What it does: Since many languages separate words with spaces, and since many spam filters do the same, this spammer decided that replacing spaces with something else was a good idea.
DidAyouFknowNyouMcanBgetVprescriptionVmedications prescribedTonlineTwith NORPRIORRPRESCRIPTIONRREQUIRED! WeZhaveztheXlargestLselectionLofNprescriptionsNavailableZonline!
LowestzPrices — NextzDayxDelivery
Random Sized Letters
What it does: Uses very small (size 1) font to hide bogus text. (See also The black hole.)
What it does: Uses font size 0 to break up words with zero width spaces.
What it does: Replaces letters with numbers or uses nonsense accents.
Example: V1DE0 T4PE M0RTG4GE Fántástìç — eárn mõnéy thrôugh unçõlleçted judgments
What it does: Inserts spaces between letters to make words unrecognisable.
Examples from the wild: M O R T G A G E F*R*E*E V’I’A’G’R’A O*N*L*I*N*E
What it does: Uses a table to send words through as individual letters that are arranged top to bottom, but read from left to right.
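The letter-substitution, accent and letter-spacing tricks above are defeated by normalising the text before it is matched against a word list. The Python below is an added example, not part of the original article; the function names and the small substitution table are assumptions chosen for illustration.

```python
import re
import unicodedata

# Digit stand-ins for letters (illustrative, not exhaustive).
LEET = str.maketrans("013457", "oieast")
# Three or more single characters, each separated by one non-word character.
SPACED = re.compile(r"(?<!\w)(?:\w[\W_]){2,}\w(?!\w)")

def strip_accents(text):
    """Decompose accented letters, then drop the combining marks."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def _unleet(match):
    token = match.group()
    # Only rewrite tokens that mix letters with stand-ins; "2003" is left alone.
    if re.search(r"[A-Za-z]", token) and re.search(r"[013457]", token):
        return token.translate(LEET)
    return token

def normalise(text):
    """Undo accents, spaced-out letters and digit substitution, then lowercase."""
    text = strip_accents(text)
    # Re-join runs such as "F*R*E*E" or "M O R T G A G E". A genuine run of
    # one-letter words ("a b c") is joined as well, which a matcher tolerates.
    text = SPACED.sub(lambda m: re.sub(r"[\W_]", "", m.group()), text)
    text = re.sub(r"\S+", _unleet, text)
    return text.lower()

def obfuscated_hits(text, watchlist):
    """Watch-list words that only become visible after normalisation."""
    raw = set(re.findall(r"[a-z]+", text.lower()))
    clean = set(re.findall(r"[a-z]+", normalise(text)))
    return {w for w in watchlist if w in clean and w not in raw}
```

A word that appears only after normalisation is a stronger signal than the word itself, because legitimate mail has no reason to disguise it.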
USING HTML …
What it does: Enclose text within <style> tags to hide it from the user and confuse filters.
What it does: Using the <noframes> tag, the spammer can hide text and break up words.
What it does: Using the <marquee> tag, the spammer can hide text in a tiny, unobtrusive square.
Example: <marquee bgcolor="white" height="8" width="8">Did you ever play that game when you were a kid where the little plastic hippo tries to gobble up all your marbles?</marquee>
What it does: This is another way of hiding text in an HTML email by placing it in the <title> which is unlikely to be displayed by the email client.
Example: <title>dinosaur reptile ghueej egrjerijg gerrg</title>
What it does: Splits words using HTML comments, pairs of zero width tags, or bogus tags.
Examples from the wild:
- milli<!-- xe64 -->onaire
- Fi</n>nd N</n>ew </n>Fri</n>end</n>s
What it does: Inserts a piece of current news in a bogus HTML tag.
Example: <Despite statements last week from chief U.N. inspector Hans Blix that full cooperation was expected from Iraq, Iraqi Foreign Minister Naji Sabri lashed out at the United Nations in a 19-page letter to Secretary- General Kofi Annan written in Arabic. In it, Sabri repeated previous claims that Iraq has no weapons of mass destruction and that the inspections are just a false pretense for the United States and Britain to attack his country. Sabri assailed U.N. Security Council resolution 1441, adopted November 8, that called for Iraq to give immediate, unfettered access to weapons inspectors. Iraq “is being subjected to terrorism for more than 30 years from international and regional powers,” he wrote. “And Iraq’s under a daily aggression represented in the terrorism of the U.S. and Britain through the imposition of the no-fly zones.” Iraq has shot at U.S. and British aircraft repeatedly in the no-fly zones since they were established after the Persian Gulf War, and coalition aircraft have fired on Iraqi bases in response. In the most recent action, coalition aircraft struck a mobile radar system Saturday in the southern no-fly zone, according to the U.S. Central Command. The Iraqi News Agency said the aircraft fired on civilian and service facilities. After Iraq fired on U.S. and British planes last week, U.S. officials said the attacks constituted a “material breach” of Resolution 1441, which could trigger a meeting of the U.N. Security Council at which the United States could call for military action against Iraq>
Hidden Form Field
What it does: Hiding text by placing it in the name of a hidden form field
Example: Get The <font color="#FF0000"> LOWE<input type="hidden" name=gfrtde>ST PR<input type="hidden" name=zawsxd>ICE </font> On Your N<input type="hidden" name=plkmju>ew Car September 15, 2003: Another example came in from Darren J. Young that uses the value attribute and fills it with a phrase from current events: <input type=hidden value="The Los Angeles Film Critics on Saturday picked ‘About Schmidt,’ the drama starring Jack Nicholson, as the year’s top movie, splitting the two major critics’ awards so far as the 2002 Hollywood movie awards season heads into a pivotal week with more honors ahead.">
What it does: Uses HTML entities instead of letters.
Example: Watch Dogs slurp you ng girls puss
What it does: The entire email consists of a small HTML page with an image enclosed in a single hyperlink.
</a></html> April 29, 2003: Scott Schram points out that some instances of this are being sent with valid but unrelated text before and after the image.
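Most of the HTML tricks in this section rely on the gap between what the markup contains and what the mail client displays. The Python below is an added example, not part of the original article: it separates displayed text from text hidden in comments, bogus tags, hidden form fields and unrendered elements. The class name, flag strings and the short list of known tags are assumptions for illustration.

```python
from html.parser import HTMLParser

# Elements whose text a mail client does not show in the message body.
UNRENDERED = {"style", "title", "noframes", "script"}
# Small allow-list of real tags (illustrative, not exhaustive).
KNOWN = UNRENDERED | {"html", "head", "body", "p", "b", "i", "a", "br", "font",
                      "img", "input", "form", "table", "tr", "td", "marquee"}

class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible, self.hidden, self.flags = [], [], set()
        self._depth = 0  # greater than zero while inside an unrendered element

    def handle_starttag(self, tag, attrs):
        if tag in UNRENDERED:
            self._depth += 1
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "hidden":
            self.flags.add("hidden-input")
            self.hidden += [v for k, v in attrs if k in ("name", "value") and v]
        elif tag not in KNOWN:
            # Bogus tag: its "name" and "attributes" are really smuggled words.
            self.flags.add("bogus-tag")
            self.hidden.append(" ".join([tag] + [k for k, _ in attrs]))

    def handle_endtag(self, tag):
        if tag in UNRENDERED:
            self._depth = max(0, self._depth - 1)
        elif tag not in KNOWN:
            self.flags.add("bogus-tag")

    def handle_comment(self, data):
        self.flags.add("comment")
        self.hidden.append(data.strip())

    def handle_data(self, data):
        (self.hidden if self._depth else self.visible).append(data)

def analyse_html(markup):
    """Return (text the reader sees, hidden strings, flags) for an HTML body."""
    finder = HiddenTextFinder()
    finder.feed(markup)
    finder.close()  # flush text that follows the last tag
    visible = " ".join("".join(finder.visible).split())
    return visible, [h for h in finder.hidden if h.strip()], finder.flags
```

Scoring only the first returned value gives the filter the same words the reader sees, and the flags are useful features on their own.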
OTHER TRICKS …
Ratware is software that spammers use to automate spam campaigns, coordinate spam services, and generate, send and track spam messages.
What it does: Many spammers use sophisticated ratware to randomize the content of each campaign. This is done to fight content-based checks by making messages unique. Spammers create these messages by adding template variables to the message. The ratware then replaces the templates with content.
Adding Odd Words in Subject Fields
What it does: Adds a legitimate, but odd, word at the far right of the subject line (typically preceded by lots of spaces and tabs). The word is designed to poison a Bayesian filter and alter the spam’s hash value.
Example: Subject: FEATURED IN MAJOR MAGAZINES algorithmic
Two Part Message
What it does: Sends two-part MIME document. The text/plain part contains bogus text. The text/html part contains the spam message.
The modes of letting vacant farms, the duty of supplying buildings and permanent improvements, and the form in which rent is to be received, have all been carefully discussed in the older financial treatises. Most of these questions belong to practical administration, and are, moreover, not of great interest in modern times. Certain plain rules, may, however, be stated. The claims of successors to the late tenant should not be overlooked; it is better for the tenure to be continued without break, and therefore the question of new letting ought rarely to occur.
<p><b><font face=Arial>Now is the perfect time to get a mortgage, and we have a simple and free way for you to get started.</font></b></td> September 15, 2003: This trick seems to be getting more common.