Spam analysis: example #4
forged header; obfuscated HTML body

Here, we have a case in which the spammer has attempted to hide the contents of his message from content-based spam filters by inserting bogus HTML tags. This tactic was rampant during 2003-2004, but most spammers have since moved on to other techniques (possibly because this trick doesn’t work very well anymore at keeping the spam from being caught by most filters).

As you may know, HTML markup consists of normal text with embedded “tags” that are enclosed in pointy brackets ("<...>") to control the document structure, text formatting and other features. Since there are lots of different tags out there, not all of which are understood by all web browsers, the normal practice is for a browser simply to ignore tags that it doesn’t recognize. Thus, a spammer can enclose most anything, including gibberish, in pointy brackets, and chances are your browser will simply ignore these bogus tags and render the text around them.

This is the trick employed by this penis enlargement spammer, who apparently intended to bypass content-based filtering (since just about every word longer than two letters is interrupted by a bogus tag). For convenience, I’ve reformatted the message, “whiting out” the bogus tags (using pale blue), so that you can see the actual message text by reading around them.

Return-Path: < >
Received: from mta007pub.verizon.net (HELO mta007.verizon.net)
   (206.46.170.246) by mailgate.cesmail.net with SMTP;
   15 May 2003 04:06:27 -0000
Received: from aol.com ([218.109.143.90]) by mta007.verizon.net
   (InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with
   SMTP id <20030515040626.QGMC25851.mta007.verizon.net@aol.com;
   Wed, 14 May 2003 23:06:26 -0500
Message-ID: <NGHALLMDHAPLHLHIDFLEIDEHLLAB.cmcisneros30@officedepot.com>
From: “Carmelo M. Cisneros” < >
To: [several addresses in my domain]
Subject: you must be worried o8d3lb1b5
Date: Tue, 22 Apr 2003 21:35:43 +0000
MIME-Version: 1.0
In-Reply-To: <caa401c30485$ae598e7e$d0234008@e42ga85>
Content-Type: text/html;
   charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)

<!-- saved from url=(0022)http://internet.e-mail -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=
iso-8859-1">
<meta name="Author" content="ko">
<meta name="GENERATOR" content="Mozilla/4.7 [en] (WinNT; I)
[Netscape]">
<title>Cool</title>
</head>
<body text="#000000" bgcolor="#FFFFFF" link="#FF0000" vlink="#CC0000" alink="#FF0000">

<center><b><font face="Arial,Helvetica">
Int<k5kjwjq375ia0v3>roducing G<ksijufb2mvz>ain P<kfjatcd2bh512>ro Pen<kvb1dtn2ekxgcm1>ile P<k6j3oae1bcd4>il<kvfbbsc3lq8ry>ls</font<b>
<br><b><font face="Arial,Helvetica"><font color="#000099">
<font size=+1>
NO.1 P<krltczksx8905>en<kd190tk1alqp>is En<kjnodt2iisi0>larg<k332mx13jz141>eme<kmdvkyl2sigq>nt Pi<kixlvzl268dsoh1>ll On The Ma<kvpxnh33583v4>rke<k19i8ps2lqjo>t!
</font></font></font></b> <font face="Arial,Helvetica"></font>
<p><font face="Arial,Helvetica">
* G<kvw360j3mkk>ai<k3ekf6w1wlqa151>n 3<kd4najha9rj1l>+ Full In<kjwvh3lvqqayp>ch<kwpm4292yg35>es In Leng<kvr0cmi3o89ns>th</font>
<br><font face="Arial,Helvetica">
* Ex<k45rcpi3ug9p5f1>pand Your Pe<kuymvqc3fvf3>nis Up To 20<knf7sue3zvxw2>% Th<kjzgcyd123f4ff>icke<kg6d2n122noio61>r
</font><br><font face="Arial,Helvetica">
* St<k8ihzmm2git3mb>op Pre<k42uz132vzhqv>matu<k403n701uwon>re Ej<k2yh3o53zygchy>aculat<kos349j2jfjsyka>ion!
</font><br><font face="Arial,Helvetica">
* Pr<kq632u42b7vyau>od<kwug3g21vx85if>uce St<ka1ij7f3rmoxln>ron<ke61vydpx36121f>ger Er<krnf6j21njn>ecti<kjzak982v21m8c9>ons
</font> <br><font face="Arial,Helvetica">
* 10<kggpdqo3zjupggh>0<k5tgn541mnpyc>% Sa<kysozyf1av33d>fe To Tak<k2d1c9m2gpv>e, W<k4znjkb2zlxj>ith N<kybrvi7tpazdf1>o Sid<kqzkdur2cm0l22d>e Ef<k6cuolf2nxz>
fects</font><br><font face="Arial,Helvetica">
* F<k7nrjkd13ikb>ast Dis<kd23xo83p0wd>tri<k48l2yv4s4ktg>but<k8zsqp72ubv88g>ion Wor<k0c4cma20trxpeo>ldwi<k9roxqj3j1t>
de</font><br><font face="Arial,Helvetica">
* So<ks40txv39g2>ld Ov<km90umz1r8yv>er 1.2 Mi<kppfa0711uq6j>ll<kkd0ug13iytnri>ion Bo<k1w12fb3bhj5>ttl<k3g0605201cm>es!
</font><br><font face="Arial,Helvetica">
* N<k3lzuu8z8je791t>o Pu<kc6kfjt2h97k2y2>mps! No Su<kq7qci73jhlnt33>rge<k1fia273926ip>ry! N<kmvc3nj268hs>o Ex<kmapiuq33tn4z>erci<kjej2ky19lxwvy>ses!
</font><font face="Arial,Helvetica"></font>
<p><b><font face="Arial,Helvetica"><font size=+2>
<A HREF="http://207.156.216.57/tools/zx.html">
PR<kq80os73glyher>OCEED TO OR<kg2lp1i1zjh9v>DER SIT<knfo8ze2kfhfd0>E HE<ks6fghg1hhb>RE</A>
</font></font></b></center>
<p><br><br><br><font face="arial" size="-2">
Cu<k4nvqeh3d2ne>t off fut<kkf8bi8e2ar4>ure p<k6nnplqma8yga1>ro<kvmamdg3r8zx>mos.
<a href="http://ui1.jsuati.com/VLD/unsub/unsub.cfm?">
he<kiqvogpdv21>re</a>.

</body>
</html>

<k9uc7ty3emn>

I have plenty to say elsewhere on the topic of penis enlargement spam, so for now we’ll just say that this spammer must have taken an overdose of Gain Pro that has turned him into one gigantic dickhead.

The bogus-tag trick has become less prevalent these days, perhaps because most spam filters can read around such tags. Spammers are now more likely to lard up their messages with bogus text in plain view (i.e., not as fake tags), and their aim is to evade Bayesian-style filters rather than more basic pattern-matching filters.
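The "read around the tags" approach that filters use against this trick, as an added example (not code from this page or its author): unknown tags are dropped to recover the text a browser would actually show, and a count of how many of them land mid-word gives a signal that the markup was planted to break up words. The allow-list, the thresholds and the sample excerpt are all constructed for the example; the excerpt reuses a few of the bogus tags from the message above with the order link replaced by a placeholder.

```python
import re

# Constructed allow-list of tags a mail client renders; anything else is treated
# as a bogus tag. A production filter would use the full HTML element list.
KNOWN_TAGS = {"html", "head", "body", "meta", "title", "center", "b", "i", "u", "font",
              "br", "p", "a", "div", "span", "table", "tr", "td", "img", "hr", "ul", "li"}
BLOCK_TAGS = {"br", "p", "div", "tr", "li", "hr", "center", "title"}
TOKEN = re.compile(r"<!--.*?-->|<[^>]*>|[^<]+", re.S)
TAG_NAME = re.compile(r"</?\s*([A-Za-z][A-Za-z0-9]*)")

# Constructed excerpt modelled on the message above; the order link is a placeholder.
SAMPLE = """<html><body><center><b><font face="Arial,Helvetica">
Int<k5kjwjq375ia0v3>roducing G<ksijufb2mvz>ain P<kfjatcd2bh512>ro</font></b>
<br><font face="Arial,Helvetica">* G<kvw360j3mkk>ai<k3ekf6w1wlqa151>n 3<kd4najha9rj1l>+ Full In<kjwvh3lvqqayp>ch<kwpm4292yg35>es</font>
<p><a href="http://example.invalid/order">PR<kq80os73glyher>OCEED</a>
</body></html>"""

def analyze(html):
    """Drop unknown tags and return (visible_text, stats). A bogus tag sitting
    between two word characters is counted as a mid-word split."""
    out, stats = [], {"known": 0, "bogus": 0, "mid_word": 0}
    prev_word_char = pending_bogus = False
    for tok in TOKEN.findall(html):
        if tok.startswith("<!--"):
            continue                      # comments never render
        if tok.startswith("<"):
            m = TAG_NAME.match(tok)
            name = m.group(1).lower() if m else ""
            if name in KNOWN_TAGS:
                stats["known"] += 1
                if name in BLOCK_TAGS:    # keep words on either side apart
                    out.append(" ")
                    prev_word_char = False
            else:
                stats["bogus"] += 1
                pending_bogus = pending_bogus or prev_word_char
            continue
        if pending_bogus and tok[:1].isalnum():
            stats["mid_word"] += 1
        pending_bogus = False
        out.append(tok)
        prev_word_char = tok[-1:].isalnum()
    return re.sub(r"\s+", " ", "".join(out)).strip(), stats

def looks_obfuscated(stats, min_bogus=5, min_mid_word=3):
    """Flag bodies where bogus tags are numerous and repeatedly break words
    (thresholds are constructed for this example, not tuned on real mail)."""
    return stats["bogus"] >= min_bogus and stats["mid_word"] >= min_mid_word
```

For the sample, analyze(SAMPLE) recovers "Introducing Gain Pro * Gain 3+ Full Inches PROCEED" and reports 15 known tags, 9 bogus ones and 8 mid-word splits, so the body is flagged.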

As for the header, my ISP accepted this message from a host claiming to be “aol.com”, but which is actually at the IP address 218.109.143.90, which traces back to somewhere in mainland China. Again we have a forged HELO; you’d expect a mail agent that wants to leave you mail to have a fully qualified host name (e.g., “mailhost.whatsis.com”) and not just a domain name, so this example sticks out like a sore thumb. The spammer has forged the from-address and the sending-server message ID to make the message look as though it came from officedepot.com (not the first place one thinks of as a supplier of penis pills).
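The two header tells described above, a HELO that is a bare domain rather than a host name and sender identities that do not agree, as an added example (not code from this page or its author): the relevant hop is parsed out of the Received line and compared with the From and Message-ID domains. The header block is constructed from the lines above, with the From address the page elides replaced by a placeholder.

```python
import re
from email import message_from_string

# Constructed header block reproducing the relevant lines of the message above;
# the From address the page elides is replaced with a placeholder.
RAW = """Received: from aol.com ([218.109.143.90]) by mta007.verizon.net
   (InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with
   SMTP id <20030515040626.QGMC25851.mta007.verizon.net@aol.com;
   Wed, 14 May 2003 23:06:26 -0500
Message-ID: <NGHALLMDHAPLHLHIDFLEIDEHLLAB.cmcisneros30@officedepot.com>
From: "Carmelo M. Cisneros" <placeholder@officedepot.com>

"""
RECEIVED = re.compile(r"from (\S+) \(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\) by (\S+)")
ADDR_DOMAIN = re.compile(r"@([\w.-]+)")

def registrable(host):
    """Last two labels of a host name; crude, but enough to compare identities."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def inspect_headers(raw):
    """Return the parsed hop plus a list of findings about the claimed identities."""
    msg = message_from_string(raw)
    received = re.sub(r"\s+", " ", msg["Received"])  # unfold the header
    helo, ip, relay = RECEIVED.search(received).groups()
    findings = []
    # A real MTA announces a host name (mailhost.example.com); a bare domain
    # such as 'aol.com' is the tell the page describes.
    if helo.count(".") < 2:
        findings.append(f"HELO '{helo}' from {ip} is a bare domain, not a host name")
    claimed = {registrable(helo)}
    for field in ("From", "Message-ID"):
        claimed.add(registrable(ADDR_DOMAIN.search(msg[field]).group(1)))
    # Disagreement is a signal to weigh, not a verdict: legitimate mail relayed
    # through a third party also mixes domains.
    if len(claimed) > 1:
        findings.append("claimed identities disagree: " + ", ".join(sorted(claimed)))
    return {"helo": helo, "ip": ip, "relay": relay, "findings": findings}
```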

The order website at 207.156.216.57 was hosted by our good friends at Verio, which in those days was alarmingly spammer-friendly, and still refuses to accept blind spam reports (which have the recipient’s e-mail address expunged, as is done by SpamCop). While Verio’s acceptable-use policy prohibited use of their network for transmitting spam, it contained nothing about the use of spam to advertise websites that it hosts. Still, between the time that I received and reported this spam, and the time that I prepared this page, the website was shut down. The address-removal website at ui1.jsuati.com was hosted by MCI/UUnet in Canada; when I tried to access it, it reported an error.


(c) 2003-2006, Richard C. Conner ( )

Updated: Sat, 06 May 2006