
Spam analysis: example #3
forged header; “title” field in anchor tag

Bootlegged, pirated, or unlicensed retail software, or “warez” (as the crackers call it) or “OEM” (as spammers often euphemistically call it), is a perennial topic for spam marketing. The trend started a few years ago, when it became a rage among spammers to advertise cut-price copies of Symantec’s Norton Systemworks software utility; this particular example distinguished itself from the rest with an interesting HTML trick (see the yellow highlight).

From address-hidden Fri Jan 3 01:45:38 2003
Return-Path: address-hidden
Received: from netscape.net ([200.168.1.15]) by mta001.verizon.net
   (InterMail vM.5.01.05.20 201-253-122-126-120-20021101) with SMTP
   id <20030103064620.LZT17064.mta001.verizon.net@netscape.net>
   for address-hidden ; Fri, 3 Jan 2003 00:46:20 -0600
From: address-hidden
To: address-hidden
Subject: address-hidden SYSTEMWORKS CLEARANCE SALE_ONLY 39.99
Date: Fri, 03 Jan 2003 00:18:11 -1100
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Message-Id: <20030103064620.LZT17064.mta001.verizon.net@netscape.net>

<html>
<body>
<div class="Section1"><p class="MsoNormal"
style="MARGIN-BOTTOM: 12pt">
<span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">&nbsp;
</span><font size="1" color="#FFFFFF"><span
style="font-family: Arial">
IJldiRNu-Lo3m6au-f6AraiqLf6AraiqL-IJldiRNu-Lo3m6au
</span></font></p>
<p style="MARGIN-BOTTOM: 0.25in; TEXT-ALIGN: center"
align="center">
<span style="FONT-SIZE: 18pt; FONT-FAMILY: Arial">
Norton SystemWorks 2003
Software Suite Professional Edition<br>
<br>
</span><font size="1" color="#FFFFFF"><span style=
"font-family: Arial">
IJldiRNu-Lo3m6au-f6AraiqLf6AraiqL-IJldiRNu-Lo3m6au
</span></font><span style="FONT-SIZE: 13.5pt;
FONT-FAMILY: Arial"><br>
<u>FIVE</u> Feature-Packed Utilities, <u>One</u> Great Price<br>
A $300&nbsp; Combined Retail Value for Only $39.99!<br>
Includes FREE Shipping! (USA Only)<br>
</span><font size="1" color="#FFFFFF">
<span style="font-family: Arial">
IJldiRNu-Lo3m6au-f6AraiqLf6AraiqL-IJldiRNu-Lo3m6au
</span></font></p>
<p style="MARGIN-BOTTOM: 12pt"><b>
<span style="FONT-FAMILY: Arial">Norton
AntiVirus™ 2003 (retail $49.95) --</span></b>
<span style="FONT-SIZE: 18pt; FONT-FAMILY: Arial">
</span><span style="FONT-FAMILY: Arial">
Norton AntiVirus™ is the world’s most
trusted anti-virus solution. The sad fact is that
over 50% of all computers
purchased today will be infected with some sort of
virus in their lifetime,
viruses that could potentially destroy your entire
system, costing hundreds
(even thousands) of dollars. Norton’s offers the most
effective and widely
used virus protection to date. Safeguard your computer!
</span><font size="1" color="#FFFFFF"><span style="font-family:
Arial">IJldiRNu-Lo3m6au-f6AraiqLf6AraiqL-IJldiRNu-Lo3m6au
</span></font><span style="FONT-FAMILY: Arial"><br>
<br>
<br>
<br>
<b>Norton Ghost™ 2003 (retail $69.95) -- </b>
Norton Ghost™ 2003 provides
high-performance utilities for fast and safe system
upgrading, backup, and
recovery. Allows you to backup the contents of your
computer quickly and
easily.</span><font size="1" color="#FFFFFF">
<span style="font-family:
Arial">IJldiRNu-Lo3m6au-f6AraiqLf6AraiqL-IJldiRNu-Lo3m6au
</span></font><span style="FONT-FAMILY: Arial"><br>
<br>
<br>
<br>
<b>GoBack® 3 Personal Edition (retail $39.95) -- </b>
GoBack 3 is the most
advanced system recovery program developed.
Any mistake made, no matter how
crippling to your computer, can be undone in a matter
of seconds by simply
turning back the clock on your computer, restoring it
to a previous/healthy
state.</span><font size="1" color="#FFFFFF">
<span style="font-family:
Arial">
IJldiRNu-Lo3m6au-f6AraiqLf6AraiqL-IJldiRNu-Lo3m6au
</span></font><span style="FONT-FAMILY: Arial"><br>
<br>
<br>
<br>
<b>Norton Utilities™ 2003 (retail $49.95) --
</b>Norton Utilities™ 2003
optimizes your PC’s performance and solves problems
easily. It diagnoses and
solves Windows® problems, tunes your computers’
hard drive for maximum
efficiency, and monitors your PC continuously to
detect and fix potential
problems. You can launch different tools from a single
convenient window, and
run key utilities directly from the CD to save disk space.
</span>
<font size="1" color="#FFFFFF"><span style="font-family:
Arial">IJldiRNu-Lo3m6au-f6AraiqLf6AraiqL-IJldiRNu-Lo3m6au
</span></font><span style="FONT-FAMILY: Arial"><br>
<br>
<br>
<br>
<b>Norton CleanSweep™ 2003 (retail $69.95) -- </b>
Clean out Internet buildup
with award-winning Norton CleanSweep™ from Symantec.
It improves your PC’s
performance by removing unwanted programs and other
files that waste disk
space-while protecting you from accidentally deleting
important files. Trust
Norton CleanSweep™ 2003 for safe, easy, complete hard drive cleanup.</span></p>
<p style="MARGIN-BOTTOM: 12pt">
<font size="1" color="#FFFFFF">
<span style="font-family: Arial">
IJldiRNu-Lo3m6au-f6AraiqLf6AraiqL-IJldiRNu-Lo3m6au
</span></font><span style="FONT-FAMILY:
Arial"><br>
<br>
<br>
<br>
<br>
&nbsp;</span></p>
<p style="TEXT-ALIGN: center" align="center"><b>
<span style="FONT-SIZE: 13.5pt; FONT-FAMILY: Arial">
Retail value of this award
winning package:&nbsp; $279.75<br>
Your Price: $39.99&nbsp;&nbsp; free shipping! (US only)<br>
<br>
</span><span style="FONT-FAMILY: Arial"><br>
</span></b><font size="1" color="#FFFFFF">
<span style="font-family: Arial">
IJldiRNu-Lo3m6au-f6AraiqLf6AraiqL-IJldiRNu-Lo3m6au
</span></font><b><span style="FONT-FAMILY: Arial"><br>
</span><span style="FONT-SIZE: 13.5pt; FONT-FAMILY: Arial">

<a title="http://rd.yahoo.com/partner/
2766679/overture/first/OV=1/6/1/computer/" style="color: blue; text-decoration:
underline; text-underline: single" href="http://www.salesspecials.com/nsw1.htm">
For more information about this limited-time
amazing package, </a><br>
<a title="http://rd.yahoo.com/partner/
2766679/overture/first/OV=1/6/1/computer/" style="color: blue; text-decoration:
underline; text-underline: single" href="http://www.salesspecials.com/nsw1.htm">
or to place your order, Click here</a>
<br>
<br>
<br>
<br>
</span><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">
------------<br>
<br>
Opt-Out Instructions:<br>
</span></b><font size="1" color="#FFFFFF">
<span style="font-family: Arial">
IJldiRNu-Lo3m6au-f6AraiqLf6AraiqL-IJldiRNu-Lo3m6au
</span></font><b><span style="FONT-SIZE: 10pt;
FONT-FAMILY: Arial"><br>
We are strongly against sending unsolicited emails to
those<br>
who do not wish to receive our special mailings.
You have opted<br>
in to one or more of our affiliate sites requesting
to be notified<br>
of any special offers we may run from time to time.
We also have<br>
attained the services of an independent 3rd party to
overlook list<br>
management and removal services. This is NOT
unsolicited email.<br>
If you do not wish to receive further mailings,
please visit the<br>
link below be removed from the list. Please accept
our apologies<br>
if you have been sent this email in error.
We honor all removes<br>
requests. Submit your remove request at:<br>
<br>
</span></b><font size="1" color="#FFFFFF">
<span style="font-family: Arial">
IJldiRNu-Lo3m6au-f6AraiqLf6AraiqL-IJldiRNu-Lo3m6au
</span></font></p>
<p style="TEXT-ALIGN: center" align="center"><b>
<span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY:
Arial">http://www.onestopngo.com/unsubscribeme/
</span></b></p>
<p class="MsoNormal">
<span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><br>
</span><font size="1" color="#FFFFFF">
<span style="font-family: Arial">
IJldiRNu-Lo3m6au-f6AraiqLf6AraiqL-IJldiRNu-Lo3m6au
</span></font><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><br>
<br>
&nbsp;</span></p>
<p class="MsoNormal">&nbsp;</div>
</body>
</html>


IJldiRNu-Lo3m6au-f6AraiqL-IJldiRNu-
Lo3m6auIJldiRNu-Lo3m6auIJldiRNu-Lo3m6auIJldiRNu-Lo3m6au

[23LVhleB87s7C-6Hr56DV2epf-am9cSVBrlJ2uH2Mz8Hlp1RaLB7b]

What’s the deal?

The Norton name is nearly as old as retail computer software itself (and is now among the brands sold by Symantec), so perhaps it is fitting that Norton should have been the first commercial software to get the “warez spam” treatment: during 2002-2003, spammers bombarded the net with ads offering this software at highly suspicious discounts off the list price (popular software like Norton generally doesn’t sell much under list).

I can surmise that if you had sent in your forty bucks, you’d have gotten

Sometimes these (and other) spams point to online ordering sites where you enter your name, address, credit card info, etc. Almost all the time, these lowball operators will proudly proclaim that they’re using “secure technology” but almost as often it can be shown that they aren’t. Not that you’d be foolish enough to attempt to order anything from a spammer’s website, mind you.

Tracing the mail

Before moving on to the featured dish in this spam smorgasbord, we’ll take a look at the origins of the mail. The header shows the usual mail-host name forgery (sigh): the message allegedly was passed to my ISP by “netscape.net” (which, of course, is a forged HELO — a domain name and not a proper mail host name). The corresponding numeric IP address 200.168.1.15 resolves to 200-168-1-15.terra.com.br (using nslookup), which is a Brazilian location (possibly a DSL host used by Spammy to send the mail using direct-to-MX) and certainly has nothing to do with netscape.net.

Disguising website URLs with “title” data

The interesting feature of this spam is highlighted above in yellow; what the spammer is doing here is trying to make his website look to the unwary as if it were hosted by Yahoo. He does this by availing himself of the little-used “title” option to the standard HTML anchor ("<A>") tag. In short, he’s disguising his website (which is actually at http://www.salesspecials.com/nsw1.htm) as:

http://rd.yahoo.com/partner/2766679/overture/first/OV=1/6/1/computer/.

Let’s take a closer look: normally, when you make a hyperlink on a web page you’re writing, you fill in the “href” field with the URL to which you want the link to point. When a visitor to your site loads your page and runs his mouse over the link, this “href” value is displayed in the browser’s status line (usually at the bottom of the window) or in a little “popup” label; this is supposed to help the user decide whether or not he wants to click the link. If, however, you specify the optional “title” parameter along with the “href,” you can type in literally any text you like, even text that looks like a URL, and it will be displayed instead of the “href” value. For example, here’s a bogus hyperlink using this trick that actually pops up a new window with my home page, but makes you think you’re going elsewhere (view this page’s source in your browser to take a closer look).

Not all browsers will display the title info, but an unsophisticated user looking at this message in a susceptible browser might see the bogus Yahoo web link and decide that these guys must be legit if they’re hooked up with Yahoo. Unfortunately, they have nothing to do with Yahoo (although they may personally be yahoos), and a closer inspection of that title value reveals that not only is it an improperly-formed URL (the equals sign doesn’t belong), but rd.yahoo.com is used primarily by Yahoo to redirect users to other websites, so it seems unlikely that they’d host any customers or affiliates at this address.

Also worth noting in this message are the frequent cryptic codes, possibly hashbusters, that are rendered in white text (see the “#FFFFFF” references throughout) on a white background so you won’t see them. This is sometimes known as the “invisible ink” trick.
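As an added illustration (not part of the original analysis), the following Python script runs the two checks described above, the “title”/“href” host mismatch and the white-on-white “invisible ink” text, over a constructed HTML fragment modelled on this message. SAMPLE_HTML is a constructed sample, not the original spam, and the invisible-text check assumes the default white page background, since this message sets none.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the spam above (not the original message).
SAMPLE_HTML = """<html><body>
<p><font size="1" color="#FFFFFF"><span>IJldiRNu-Lo3m6au-f6AraiqL</span></font>
<a title="http://rd.yahoo.com/partner/2766679/overture/first/OV=1/6/1/computer/"
   href="http://www.salesspecials.com/nsw1.htm">Click here</a>
<a title="Our home page" href="http://example.invalid/">Normal link</a>
</p></body></html>"""

def looks_like_url(text):
    """True when a title attribute is dressed up as an http(s) URL."""
    p = urlparse(text.strip())
    return p.scheme in ("http", "https") and bool(p.netloc)

class SpamFeatureParser(HTMLParser):
    """Collects two red flags: anchors whose title is a URL on a different
    host than the href, and text rendered in a white (#FFFFFF) font."""
    def __init__(self):
        super().__init__()
        self.mismatched_links = []   # (title_host, href_host) pairs
        self.hidden_text = []        # text inside color="#FFFFFF" fonts
        self._white_depth = 0        # nesting depth of white <font> tags

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href") and looks_like_url(a.get("title", "")):
            title_host = urlparse(a["title"].strip()).hostname
            href_host = urlparse(a["href"].strip()).hostname
            if title_host != href_host:
                self.mismatched_links.append((title_host, href_host))
        # Assumes a white page background, as in this message (no bgcolor set).
        if tag == "font" and a.get("color", "").lower() in ("#ffffff", "white"):
            self._white_depth += 1

    def handle_endtag(self, tag):
        if tag == "font" and self._white_depth:
            self._white_depth -= 1

    def handle_data(self, data):
        if self._white_depth and data.strip():
            self.hidden_text.append(data.strip())

def analyse(html):
    """Return both feature lists for a message body."""
    p = SpamFeatureParser()
    p.feed(html)
    p.close()
    return {"mismatched_links": p.mismatched_links, "hidden_text": p.hidden_text}

if __name__ == "__main__":
    print(analyse(SAMPLE_HTML))
```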





(c) 2003-2006, Richard C. Conner


Updated: Sat, 06 May 2006