A guide to spam

What is SPAM? Spam is basically all unsolicited commercial email (UCE) and unsolicited bulk email (UBE) that the recipient did not ask for and does not want to receive. Spam is the Internet version of unsolicited telemarketing phone calls: the senders are trying to sell something, increase their website hits or take your money.

Spammers harvest email addresses by scanning the internet and creating lists for spamming.

Most of us get hundreds of spam messages in our inboxes, and with the tricks that spammers use to undermine anti-spam filtering software, it is hard to stop. Here are just some of the tricks that spammers will use:

WATCH THOSE LINKS …

Link to Search Engine, instead of Spammer’s Web site

What it does: Instead of including the URL for a spammer’s web site in the spam message, a spammer will provide a link to a specific search engine query that will return the spammer’s site at the top of the results.

Phishing
Creating a replica of a legitimate web page to hook users and trick them into submitting personal or financial information or passwords.

What it does: Scammers who are phishing trick users into visiting an imitation of a legitimate web page by disguising the true destination of a URL in their messages. They do this by embedding an image that looks like plain text. The image displays the URL of the site that they are imitating. However, when the image is clicked, the user is taken to the scammer’s imitated site.

Redirecting to a different URL

What it does: Instead of just putting, for example, ‘mycheapdrugsite.biz/c3/index.html’ in a spam message, spammers hide their destination sites behind freely available redirects, such as those of Yahoo and MSN.

What you see is not what you get …

What it does: Uses the onmouseover event to change a URL so that, when clicked, the user is taken to an unexpected destination.

Hiding web addresses

What it does: Uses URL encoding to hide URLs. (See also the trick called Enigma.)
Example:
%-style: http://%77%77%77%77.3%65%653–%69%6c11%6c%69–3%6c%69%6c%6c.%6f%72%67/
&;-style: http://www.sgc.org/

Enigma

What it does: Uses URL encoding to hide URLs.

Example:
http://7763631671/obscure.htm
http://0xCeBF9e37/obscure.htm
http://0316.0277.0236.067/obscure.htm
http://3468664375@3468664375/o%62s%63ur%65%2e%68t%6D

Splitting a web address

What it does: To prevent a URL from being recognized as a URL, it is split into two parts with instructions to the reader to put the two parts back together.
Example: type http://www then the following URL in your web browser address bar: .somesite.com/page1/page2/content.htm

Camouflaging Links

What it does: Like Invisible ink, but instead of using identical colours (e.g. white on white), it uses very similar colours.

Example: (The colours 1133333, 123939, and 423939 are chosen to be very similar without being the same.)

Invisible Link

What it does: Uses white text on a white background containing words designed to confuse a filter.

Bogus login

What it does: Uses URL username@host syntax to disguise a URL.
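
The disguises described under Hiding web addresses, Enigma and Bogus login can all be undone before a URL is checked against a blocklist. The Python below is an added example, not part of the original guide: the function names and the www.example.org sample are assumptions, and it assumes that an oversized numeric host wraps modulo 2^32, as in the first Enigma URL.

```python
import re
from urllib.parse import urlsplit, unquote

def _component(part):
    """Read one host component like inet_aton: 0x hex, leading 0 octal, else decimal."""
    if re.fullmatch(r"0x[0-9a-f]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    return int(part) if re.fullmatch(r"[1-9][0-9]*", part) else None

def numeric_host_to_ipv4(host):
    """Dotted quad for a numeric host (dword, hex, octal or mixed), else None."""
    nums = [_component(p) for p in host.lower().split(".")]
    if len(nums) > 4 or None in nums or any(n > 255 for n in nums[:-1]):
        return None
    tail_bits = 8 * (5 - len(nums))       # the last component fills the remaining bytes
    value = nums[-1] % (1 << tail_bits)   # assumption: oversized values wrap around
    for i, n in enumerate(nums[:-1]):
        value |= n << (24 - 8 * i)
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))

def deobfuscate(url):
    """Return the real host and path of a URL plus the disguises that were used."""
    parts = urlsplit(url)
    findings = []
    if re.search(r"%[0-9a-fA-F]{2}", parts.netloc + parts.path):
        findings.append("percent-encoding")
    userinfo, _, hostport = parts.netloc.rpartition("@")
    if userinfo:                          # text before @ is a login, not the host
        findings.append("userinfo-before-@")
    host = unquote(hostport.split(":")[0]).lower()
    ip = numeric_host_to_ipv4(host)
    if ip and ip != host:
        findings.append("numeric-host")
    return {"host": ip or host, "path": unquote(parts.path), "findings": findings}

# The four Enigma URLs quoted in this guide, plus one constructed percent-encoded host.
SAMPLES = ["http://7763631671/obscure.htm", "http://0xCeBF9e37/obscure.htm",
           "http://0316.0277.0236.067/obscure.htm",
           "http://3468664375@3468664375/o%62s%63ur%65%2e%68t%6D",
           "http://%77%77%77.example.org/"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", deobfuscate(url))
```

All four Enigma URLs resolve to the same dotted-quad address, which is the form a blocklist or reputation lookup should be given.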

REARRANGING WORDS …

Microdot

What it does: Breaks up a spammy word by inserting a single letter in the middle.

Example:
No cred K it? This looks like No credKit?

Nonsense

What it does: Large nonsense words are designed to subvert CRC-based spam identification.

Example:
crecrephaswukutugucrovazichonuprixisluwephimajoq

No Whitespaces

What it does: Since many languages separate words with spaces, and since many spam filters do the same, this spammer decided that replacing spaces with something else was a good idea.

Example:
DidAyouFknowNyouMcanBgetVprescriptionVmedications prescribedTonlineTwith NORPRIORRPRESCRIPTIONRREQUIRED! WeZhaveztheXlargestLselectionLofNprescriptionsNavailableZonline!
LowestzPrices — NextzDayxDelivery

Random Sized Letters

What it does: Uses very small (size 1) font to hide bogus text. (See also Black Hole.)

Black Hole

What it does: Uses font size 0 to break up words with zero width spaces.

Foreign Characters

What it does: Replaces letters with numbers or uses nonsense accents.

Example: V1DE0 T4PE M0RTG4GE Fántástìç — eárn mõnéy thrôugh unçõlleçted judgments

Spaces

What it does: Inserts spaces between letters to make words unrecognisable.

Examples from the wild: M O R T G A G E F*R*E*E V’I’A’G’R’A O*N*L*I*N*E
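
A filter can reverse the Black Hole, Foreign Characters and Spaces tricks by normalising text before it is matched against known spam terms. The Python below is an added example, not part of the original guide: the function names, the digit-to-letter table and the separator list are assumptions chosen to fit the samples quoted above.

```python
import re
import unicodedata

LEET = str.maketrans("01345", "oieas")     # assumed digit look-alike table
SEPARATORS = r" *'’._-"                    # characters seen between single letters
# Three or more single characters joined by one repeated separator.
SPACED = re.compile(
    r"(?<!\S)[A-Za-z0-9](?:([%s])[A-Za-z0-9])(?:\1[A-Za-z0-9])+(?!\S)" % SEPARATORS)
# A token that mixes letters and digits, e.g. M0RTG4GE (plain numbers are left alone).
MIXED = re.compile(r"\b(?=\w*[A-Za-z])(?=\w*\d)\w+\b")

def strip_marks(text):
    """Drop accents (combining marks) and invisible format characters."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed
                   if unicodedata.category(c) not in ("Mn", "Cf"))

def normalize(text):
    """Undo accents, zero-width characters, spaced-out letters and digit swaps."""
    text = strip_marks(text)
    text = SPACED.sub(lambda m: m.group(0).replace(m.group(1), ""), text)
    text = MIXED.sub(lambda m: m.group(0).translate(LEET), text)
    return text.lower()

def matched_terms(text, watchlist):
    """Return the watch-list terms that appear once the text is normalised."""
    return sorted(set(re.findall(r"[a-z]+", normalize(text))) & set(watchlist))

# Samples quoted in this guide; the watch list is constructed for the example.
SAMPLES = ["V1DE0 T4PE M0RTG4GE",
           "M O R T G A G E F*R*E*E V’I’A’G’R’A O*N*L*I*N*E",
           "Fántástìç — eárn mõnéy thrôugh unçõlleçted judgments"]
WATCHLIST = {"mortgage", "viagra", "judgments"}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample), matched_terms(sample, WATCHLIST))
```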

Splitting Words

What it does: Uses a table to send words through as individual letters that are arranged top to bottom, but read from left to right.

USING HTML …

Style Tags

What it does: Enclose text within <style> tags to hide it from the user and confuse filters.

Frame Tags

What it does: Using the <noframes> tag, the spammer can hide text and break up words.

Example: Ere<frame><noframes>ywl55</noframes></frame>ctions

Marquee Tags

What it does: Using the <marquee> tag, the spammer can hide text in a tiny, unobtrusive square.

Example: <marquee bgcolor="white" height="8" width="8">Did you ever play that game when you were a kid where the little plastic hippo tries to gobble up all your marbles?</marquee>

Title Tag

What it does: This is another way of hiding text in an HTML email by placing it in the <title> tag, which is unlikely to be displayed by the email client.
Example: <title>dinosaur reptile ghueej egrjerijg gerrg</title>

Comment Tags

What it does: Splits words using HTML comments, pairs of zero width tags, or bogus tags.

Examples from the wild:

  • milli<!-- xe64 -->onaire
  • Fi</n>nd N</n>ew </n>Fri</n>end</n>s
  • Vi<b></b>agra
  • F<XYZ>r<XXYA>ee

Tags

What it does: Inserts a piece of current news in a bogus HTML tag.
Example: <Despite statements last week from chief U.N. inspector Hans Blix that full cooperation was expected from Iraq, Iraqi Foreign Minister Naji Sabri lashed out at the United Nations in a 19-page letter to Secretary- General Kofi Annan written in Arabic. In it, Sabri repeated previous claims that Iraq has no weapons of mass destruction and that the inspections are just a false pretense for the United States and Britain to attack his country. Sabri assailed U.N. Security Council resolution 1441, adopted November 8, that called for Iraq to give immediate, unfettered access to weapons inspectors. Iraq “is being subjected to terrorism for more than 30 years from international and regional powers,” he wrote. “And Iraq’s under a daily aggression represented in the terrorism of the U.S. and Britain through the imposition of the no-fly zones.” Iraq has shot at U.S. and British aircraft repeatedly in the no-fly zones since they were established after the Persian Gulf War, and coalition aircraft have fired on Iraqi bases in response. In the most recent action, coalition aircraft struck a mobile radar system Saturday in the southern no-fly zone, according to the U.S. Central Command. The Iraqi News Agency said the aircraft fired on civilian and service facilities. After Iraq fired on U.S. and British planes last week, U.S. officials said the attacks constituted a “material breach” of Resolution 1441, which could trigger a meeting of the U.N. Security Council at which the United States could call for military action against Iraq>

Hidden Form Field

What it does: Hides text by placing it in the name of a hidden form field.

Example: Get The <font color="#FF0000"> LOWE<input type="hidden" name=gfrtde>ST PR<input type="hidden" name=zawsxd>ICE </font> On Your N<input type="hidden" name=plkmju>ew Car

September 15, 2003: Another example came in from Darren J. Young that uses the value attribute and fills it with a phrase from current events: <input type=hidden value="The Los Angeles Film Critics on Saturday picked ‘About Schmidt,’ the drama starring Jack Nicholson, as the year’s top movie, splitting the two major critics’ awards so far as the 2002 Hollywood movie awards season heads into a pivotal week with more honors ahead.">
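
The Style, Frame, Title, Comment and Hidden Form Field tricks all rely on a filter reading markup that the mail client never displays. The Python below is an added example, not part of the original guide: it separates the text a reader sees from the text that is only there for the filter, using the standard library HTML parser, and the class and function names are assumptions.

```python
from html.parser import HTMLParser

# Elements whose content a mail client does not render as message text.
NON_RENDERED = {"style", "title", "noframes", "script"}

class VisibleText(HTMLParser):
    """Separate what the reader sees from what only a filter would read."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.depth = 0                      # nesting level inside NON_RENDERED
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in NON_RENDERED:
            self.depth += 1
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "hidden":
            # name= and value= of a hidden field are never displayed
            self.hidden += [v for k, v in attrs if k in ("name", "value") and v]
        # any other tag (<b></b>, <XYZ>, </n>) contributes no text of its own

    def handle_endtag(self, tag):
        if tag in NON_RENDERED and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        (self.hidden if self.depth else self.visible).append(data)

    def handle_comment(self, data):
        self.hidden.append(data)

def split_text(html):
    """Return (visible text, hidden text) with whitespace collapsed."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    visible = " ".join("".join(parser.visible).split())
    hidden = " ".join(" ".join(parser.hidden).split())
    return visible, hidden

# Samples quoted in this guide, with typographic quotes straightened.
SAMPLES = ["milli<!-- xe64 -->onaire", "Vi<b></b>agra", "F<XYZ>r<XXYA>ee",
           "Fi</n>nd N</n>ew </n>Fri</n>end</n>s",
           'LOWE<input type="hidden" name=gfrtde>ST PR<input type="hidden" name=zawsxd>ICE']

if __name__ == "__main__":
    for sample in SAMPLES:
        print(split_text(sample))
```

Content filtering should run on the visible text; a large amount of hidden text relative to visible text is itself a useful signal.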

HTML

What it does: Uses HTML entities instead of letters.

Example: &#87;&#97;tc&#104; &#68;ogs &#115;&#108;u&#114;p&#32;you &#110;&#103; &#103;&#105;&#114;&#108;&#115;&#32;p&#117;s&#115;

Javascripts

What it does: Keeps the HTML body of the email in JavaScript that runs when the email is opened.

HTML Page

What it does: The entire email consists of a small HTML page with an image enclosed in a single hyperlink.

Example:
<html>
<img src="http://www.your-info-station.com/Sla/chalkboard.gif">
<div><a href="http://www.your-info-station.com/Sla/eb.php?x=52c">
<img src="http://www.your-info-station.com/Sla/pitch.gif">
</a></html>

April 29, 2003: Scott Schram points out that some instances of this are being sent with valid but unrelated text before and after the image.

OTHER TRICKS …

Ratware – software that spammers use to automate spam campaigns, coordinate spam services, and generate, send and track spam messages.

What it does: Many spammers use sophisticated ratware to randomize the content of each campaign. This is done to defeat content-based checks by making every message unique. Spammers create these messages by adding template variables to the message. The ratware then replaces the template variables with content.

Adding Odd Words in Subject Fields

What it does: Adds a legitimate, but odd, word at the far right of the subject line (typically preceded by lots of spaces and tabs). The word is designed to poison a Bayesian filter and alter the spam’s hash value.

Example: Subject: FEATURED IN MAJOR MAGAZINES algorithmic

Two Part Message

What it does: Sends two-part MIME document. The text/plain part contains bogus text. The text/html part contains the spam message.
Example:
------=_NextPart_001_2D3DF_01C29D73.26716240
Content-Type: text/plain;
The modes of letting vacant farms, the duty of supplying buildings and permanent improvements, and the form in which rent is to be received, have all been carefully discussed in the older financial treatises. Most of these questions belong to practical administration, and are, moreover, not of great interest in modern times. Certain plain rules, may, however, be stated. The claims of successors to the late tenant should not be overlooked; it is better for the tenure to be continued without break, and therefore the question of new letting ought rarely to occur.
------=_NextPart_001_2D3DF_01C29D73.26716240
Content-Type: text/html;
<p><b><font face=Arial>Now is the perfect time to get a mortgage, and we have a simple and free way for you to get started.</font></b></td>

September 15, 2003: This trick seems to be getting more common.
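
A filter can catch the Two Part Message trick by comparing the two parts instead of trusting either one. The Python below is an added example, not part of the original guide: it parses a constructed multipart/alternative message with the standard email package and measures how many words the text/plain and text/html parts share. The function names, the invoice sample and the 0.2 threshold are assumptions.

```python
import re
from email import message_from_string
from email.policy import default

TEMPLATE = (   # constructed two-part message; only the part bodies vary
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="sep"\n\n'
    "--sep\nContent-Type: text/plain\n\n{plain}\n"
    "--sep\nContent-Type: text/html\n\n{html}\n--sep--\n"
)
SPAM = TEMPLATE.format(   # part bodies shortened from the example in this guide
    plain="The modes of letting vacant farms, the duty of supplying buildings "
          "and permanent improvements, and the form in which rent is to be "
          "received, have all been carefully discussed in the older financial "
          "treatises.",
    html="<p><b><font face=Arial>Now is the perfect time to get a mortgage, and "
         "we have a simple and free way for you to get started.</font></b>",
)
HONEST = TEMPLATE.format(   # constructed: both parts carry the same message
    plain="Your invoice for March is attached. Please pay within 30 days.",
    html="<p>Your invoice for <b>March</b> is attached.</p>"
         "<p>Please pay within 30 days.</p>",
)

def words(text):
    """Lower-case words of three or more letters."""
    return set(re.findall(r"[a-z]{3,}", text.lower()))

def part_overlap(raw):
    """Jaccard similarity of the words in the text/plain and text/html parts."""
    msg = message_from_string(raw, policy=default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    if plain is None or html is None:
        return None                       # not a two-part message
    a = words(plain.get_content())
    b = words(re.sub(r"<[^>]+>", " ", html.get_content()))
    return len(a & b) / len(a | b) if a | b else 1.0

def looks_like_decoy(raw, threshold=0.2):   # threshold is an assumed cut-off
    """True when the plain part shares almost no words with the HTML part."""
    overlap = part_overlap(raw)
    return overlap is not None and overlap < threshold
```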

 
