home | legal stuff | glossary | blog | search

 Legend:  new window    outside link    tools page  glossary link   

Spam analysis: example #2
forged header; beacon URL (“web bug”)

This spam shows an attempt to launder a spam mailing list (that is, to prune out addresses that are undeliverable). In addition to a forged routing header, it also has a hidden beacon URL (sometimes called a “web bug”) that sends my e-mail address back to the originator as soon as I open the message.

Return-Path: address hidden
Received: from bellatlantic.net ([]) by mta003.verizon.net
   (InterMail vM. 201-253-122-122-105-20011231) with SMTP
   id <20020604203237.NNY1302.mta003.verizon.net@bellatlantic.net>
   for address hidden; Tue, 4 Jun 2002 15:32:37 -0500
X-Sender: address hidden (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.1
To: address hidden
From: J. Laplace<address hidden>
Subject: Did you get my email?
Mime-Version: 1.0
Content-Type: text/html; charset=“us-ascii”; format=flowed
Message-Id: <20020604203237.NNY1302.mta003.verizon.net@bellatlantic.net>
Date: Tue, 4 Jun 2002 15:32:38 -0500

<p>Hi, did you receive my previous email message?</p>
<p>I sent it 2 weeks ago, but I&nbsp;still didn't get an answer, please check in your old email.</p>
<p>Anyway, I'll send you another copy tomorrow or the day after, you don't need to reply to this email.</p>
<p><img src="http://www.concentrated-pheromone.com/w.cgi?email=address hidden&source=FOT“ border=”0"></p>
<p>John Laplace</p>

If you were to view this message in a typical mail program (particularly a browser mail program), it would look like this:

Hi, did you receive my previous email message?

I sent it 2 weeks ago, but I still didn’t get an answer, please check in your old email.

Anyway, I’ll send you another copy tomorrow or the day after, you don’t need to reply to this email.


John Laplace

... in other words, pretty much like a plain-text message. In fact, however, it is an HTML document (as you can see from all the tags), and contains a nasty beacon URL (which we’ll look at in a moment). It is designed to look like an “honest” personal e-mail, perhaps one that might have been misdirected to me. It doesn’t matter whether I answer it, investigate it, or just throw it away, since if I do so much as open this message in an HTML view, its job will have been done.

Inspecting the header

Bypassing the Return-Path and From addresses (which we can safely assume are bogus), we move straight to the routing:

Received: from bellatlantic.net ([])
   by mta003.verizon.net (InterMail vM.
   201-253-122-122-105-20011231) with SMTP
   id <20020604203237.NNY1302.mta003.verizon.net@bellatlantic.net>
   for address hidden; Tue, 4 Jun 2002 15:32:37 -0500

This is the only routing line, which indicates that we got the spam straight from the spammer’s mouth, as it were. The by-host “mta003.verizon.net” is one of my ISP’s mail hosts, so this looks fine. However, the from-host is identified simply with a HELO of “bellatlantic.net.” As in the previous example, this looks suspicious because bellatlantic.net is simply a domain name and not a full-blown mail host name. Indeed, a reverse nslookup on reveals no information.

[localhost:~] rconner% nslookup
Server: home1.bellatlantic.net

*** home1.bellatlantic.net can’t find Non-existent host/domain

Actually, it’s for sure that this host did exist when the message was sent (otherwise I would not have received it); it may have been shut down sometime between when I saved it and when I actually did the analysis.a couple of months later. This emphasizes the importance of analyzing and reporting spam as soon as you can, so that your reports will be pertinent and effective. In any case, it’s safe to say that this address has nothing to do with bellatlantic.net. This also appears to be another case of direct-to-MX mailing (since it has no message-ID at the sending end).

Inspecting the body

As we noted, this is an HTML message, so we have to check it over very carefully for suspicious or dangerous items. There’s no executable script and no encoded data, and only one external link -- but that one link is a doozy!

<img src="http://www.concentrated-pheromone.com/w.cgi?email=&source=FOT“ border=”0">

This looks like a standrd IMG link, which is used to embed a graphic image in the web page. However, the SRC is not a plain old image file as you’d expect (i.e., it isn’t a file ending in .jpeg, .gif, etc.), but a CGI call. Instead of simply fetching a “static” image file, the spammer is actually calling a “CGI” (basically, a small computer program here named “w.cgi”) and passing it two arguments, one of which is my e-mail address.

Now, including a CGI call in an IMG link is perfectly okay, and not by itself worthy of suspicion; you might do this trick on a website of your own, for example, if you had a program that generated or selected an image “on the fly” based on data you got from the person visiting the site. In this case, however, the CGI program undoubtedly takes the data (including my address) and stashes them in a database or server log somewhere (and probably also in his web server logs), and returns some undetectable image, like a single-pixel transparent GIF. You don’t see this image when you view the message, but it’s there. And, your address is already tucked into the spammer’s database of verified suckers.

Fortunately for spam victims, but unfortunately for this illustration, the server “www.concentrated-pheromone.com” has already been shut down.

What we should learn

We might draw a couple of lessons from this spam. First, make sure you analyze and report the spam as quickly as possible (within a day or two) so that you won’t be wasting your time. Second, and more important, you should be very careful opening any e-mail message or following any links it might contain. In this case, there were no links to follow, but the beacon URL will have done its work silently.

Next example :: Previous example :: Back to sample analyses

 home | legal stuff | glossary | blog | search

 Legend:  new window    outside link    tools page  glossary link   

(c) 2003-2006, Richard C. Conner ( )

06303 hits since March 28 2009

Updated: Sat, 06 May 2006