
Spam analysis: example #7
Large number of unrelated web links; encrypted code;
multiple redirection and browser “hijacking;” forged header

Due to the annoyingly excessive length of this spam (nearly 32kBytes of text), I’m only going to post the header and a representative bit of the body:

Return-Path: address hidden
Received: from gutsamail.gutsa.com.mx ([200.57.66.162])
    by mta016.verizon.net
    (InterMail vM.5.01.05.33 201-253-122-126-133-
    20030313) with ESMTP
    id <20030620025951.BQHR7546.mta016.verizon.net
    @gutsamail.gutsa.com.mx>
    for address hidden ;
    Thu, 19 Jun 2003 21:59:51 -0500
Received: from cwia.com ([211.218.55.100]) by
    gutsamail.gutsa.com.mx with Microsoft
    SMTPSVC(5.0.2195.5329);
    Thu, 19 Jun 2003 22:03:17 -0500
Return-Path: address hidden >
From: address hidden
To: a bunch of addresses including mine
Subject: dunzeLook Great-Lose Weight and Inches The Safe, Natural Way
X-Priority: 3
Content-Type: text/html
Message-ID: <GUTSAMAILFrwiZ9rWjA0008485e
@gutsamail.gutsa.com.mx>
X-OriginalArrivalTime: 20 Jun 2003 03:03:28.0324 (UTC)
FILETIME=[85DDB040:01C336D8]
Date: 19 Jun 2003 22:03:28 -0500

<html><head><title>Free FSBO Report Website</title>
<meta http-equiv=Content-Type content="text/html;
charset=iso-8859-1"></head>
<body bgcolor=#FFFFFF text=#000000 link=#FFFFFF vlink=
#FFFFFF alink=#FFFFFF>
<p align=center>&nbsp;</p>
<table width=593 border=1 bgcolor=#BD162B align=center
bordercolor=#BD162B>
<tr>
<td width=681 bgcolor=#0000FF valign=top>
<div align=center>
<p><font color="#FFFFFF" size="6" face="Verdana, Arial,
Helvetica, sans-serif"><b>
Introducing Sta-Slim, an ephedra free, doctor tested
herbal weight loss
Product.</b></font></p>
<div align=center>
<p><b>
<font face="Verdana, Arial, Helvetica, sans-serif"
size="4" color="#FF00FF">Sta-Slim
is backed by a 90 day money back guarantee
</font></b></p>

(remaining 700 lines deleted)

The analysis of this message is pretty lengthy, so I’m going to split it up into chapters.

CHAPTER ONE:
The Case of the Missing Links

How many random website links can you put into a single spam e-mail? I don’t know the answer to this, but the message described here should qualify its sender for some sort of prize. I count an astounding 83 links of the basic “<a href=x>” type.

Of course, the spammer only wants you to visit one of them: the link he uses to sell his diet nostrum. He also has a remove link that you can visit should you wish to add your address to his “laundered” list in order to get more of his spam. This leaves 81 links sitting there taking up space. You’d think that a web page with 83 different links on it would look cluttered as hell. In fact, it does not. This is how the message body looked when I viewed it with Microsoft Internet Explorer for Mac OS X:

OK, so we see the sell link and the remove link below it, but where did all those other links go? They’re there, all right, just hidden. The spammer has reduced the size of the anchored text to HTML size “1” (the smallest of the standard text sizes), and has made it the same color as the blue background. In Internet Explorer, these links are totally invisible, but they would still work if you knew where to touch them with the mouse. In my other browser, Omni Group’s OmniWeb for Mac OS X, the links appear as a series of tiny white dots all over the blue field.

After about thirty seconds of scanning the spammer’s HTML, I managed to crack his <sarcasm>ultra-secret coding conventions</sarcasm> and change the background color of the two tables. Now see what the page looks like:

Aha! There’re all those little buggers! Note that most of the sales pitch has disappeared because it was rendered in white (the same as my new background color).

CHAPTER TWO:
Eschew Obfuscation? Yeah, Right!

It’s bad enough that this message has 83 links in it: it’s worse when each one of them is disguised to a fare-thee-well.

Let’s take a look at a representative example of one of those links:

<a href="http://
10111001100100101001010101010101010101001011001010011001
10001010101001010101001010100101001010101010011001101010
101001010100101001100101010101010101011011010011100110
@
%77%77%77%2E%6E%6F%74%75%6E%67%2E%6F%72%67">
<font color="#0000FF">Click Here</font></a>

Yup, there are 82 other links pretty much just like this one (that’s how the message gets to be nearly 800 lines long -- about 16 pages of printed text -- in my text editor). Notice that the spammer has used the old URL user-ID field dodge (the long string of ones and zeros in brown); web servers will simply ignore this string since user IDs are not required for public web services. The actual host name (in blue) has been escaped using the “%nn” notation for URLs (where “nn” is the hex value of the character’s ASCII code); a trip to samspade.org’s decipher tool gives this address as “www.notung.org” (a political website based in Hong Kong, which appears to have nothing to do with the spam).

Of course, hitting SamSpade 83 times to decode each link would get a bit tedious, so for this heavyweight job I cobbled together a little Perl program that went through the whole message, hacking off the user IDs and unescaping the target host names:

#!/usr/bin/perl
use strict;
use warnings;

# usage: perl links.pl message-file
# Walks the raw message, finds each "<a href=http://<junk>@<escaped host>"
# link, strips the bogus user ID, unescapes the host name and prints it.
my $file = shift @ARGV or die "usage: $0 message-file\n";
open my $in, '<', $file
    or die "can't open $file for input: $!\n";

while (my $line = <$in>)
{
    # detect a link that uses the user-ID dodge (http://digits@host)
    next unless $line =~ m{<a href="http://\d+@}i;

    # hack off the user ID, keeping both slashes of "http://"
    $line =~ s{//\d+@}{//};

    # URI-unescape the target host name (%nn -> character)
    $line =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/eg;

    # extract the URL from the href (stop at the closing quote) and print it
    print "$1\n" if $line =~ /href="([^"]+)"/;
}
close $in;

For the record, then, here’s a complete list of all the links in the order in which they appear in the message. The sell link is highlighted in red, and the remove link in blue.

http://www.zhengxing.com.cn/Banhen/B001.htm
http://www.blues.ru
http://www.sao.ru
http://hk.geocities.com/lovegillgill
http://www.notung.org
http://soccomhk.in2000.com
http://www.blues.ru
http://www.sao.ru
http://hk.geocities.com/lovegillgill
http://hk.geocities.com/lovegillgill
http://www.notung.org
http://soccomhk.in2000.com
http://hk.geocities.com/lovegillgill
http://www.zhengxing.com.cn/Banhen/B001.htm
http://www.blues.ru
http://www.sao.ru
http://hk.geocities.com/lovegillgill
http://www.notung.org
http://www.zhengxing.com.cn/Banhen/B001.htm
http://hk.geocities.com/lovegillgill
http://www.notung.org
http://www.zhengxing.com.cn/Banhen/B001.htm
http://www.blues.ru
http://www.sao.ru
http://hk.geocities.com/lovegillgill
http://sozana.netfirms.com << the sales link
http://hk.geocities.com/lovegillgill
http://www.zhengxing.com.cn/Banhen/B001.htm
http://www.blues.ru
http://www.sao.ru
http://hk.geocities.com/lovegillgill
http://www.notung.org
http://soccomhk.in2000.com
http://www.blues.ru
http://www.sao.ru
http://www.sao.ru
http://hk.geocities.com/lovegillgill
http://www.notung.org
http://soccomhk.in2000.com
http://www.blues.ru
http://www.sao.ru
http://www.notung.org
http://hk.geocities.com/lovegillgill
http://hk.geocities.com/lovegillgill
http://www.notung.org
http://soccomhk.in2000.com
http://hk.geocities.com/lovegillgill
http://www.zhengxing.com.cn/Banhen/B001.htm
http://www.blues.ru
http://www.sao.ru
http://hk.geocities.com/lovegillgill
http://www.notung.org
http://www.zhengxing.com.cn/Banhen/B001.htm
http://hk.geocities.com/lovegillgill
http://www.notung.org
http://www.zhengxing.com.cn/Banhen/B001.htm
http://www.blues.ru
http://www.sao.ru
http://hk.geocities.com/lovegillgill
http://sozana.netfirms.com/kear.htm << the removal link
http://www.zhengxing.com.cn/Banhen/B001.htm
http://www.blues.ru
http://www.sao.ru
http://hk.geocities.com/lovegillgill
http://havanaman.netfirms.com/rkev.htm
http://soccomhk.in2000.com
http://www.blues.ru
http://www.sao.ru
http://hk.geocities.com/lovegillgill
http://hk.geocities.com/lovegillgill
http://www.notung.org
http://soccomhk.in2000.com
http://hk.geocities.com/lovegillgill
http://www.zhengxing.com.cn/Banhen/B001.htm
http://www.blues.ru
http://www.sao.ru
http://hk.geocities.com/lovegillgill
http://www.notung.org
http://www.zhengxing.com.cn/Banhen/B001.htm
http://hk.geocities.com/lovegillgill
http://www.notung.org
http://www.zhengxing.com.cn/Banhen/B001.htm
http://www.blues.ru

Now, we see that a few “dummy” links are repeated over and over again to fill out the message. A sampling of these sites revealed that they seem to be personal, political, or social web pages, many in the Chinese language and hosted on Chinese servers; some haven’t been updated in a while, and others aren’t reachable at all. None seems to have anything to do with the miracle diet aid that spammy’s selling.

What the hell is spammy up to here? Obviously, camouflage. Your average spam-fighter, confronted by this pile of seemingly undecipherable links, will probably just give up. Even if he does decide to start from the top and poke around a bit, he’ll have to work his way through 24 bogus links before getting to the sell link. If he decides to feed the message to SpamCop, it will give up after the first few links (when it hits an arbitrary upper limit to the number of links it will process per spam), and probably won’t detect the live ones. If the spam fighter simply reports everything he sees, he’ll be filing 80-odd bogus reports (most of them will go to mainland Chinese providers, so they’ll probably go in the bit-bucket anyway).
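Chapters one and two describe two tricks in combination: links made invisible by colour and size, and hrefs disguised with the user-ID field and %nn escapes. As an added example (not the article’s Perl and not the spammer’s HTML), here is a JavaScript triage routine that does what the Perl script did and adds the checks a filter or reporter would want: it strips the user ID, unescapes the host, marks anchors whose font colour matches a background colour in the message, and collapses the list to per-host counts. The sample message body is constructed for the example; the host names are the ones listed above.

```javascript
// Added example, not the article's Perl or the spammer's HTML: link triage
// for an HTML spam body. Decodes each href (user-ID dodge + %nn host),
// flags anchors rendered invisible (font colour == a background colour in
// the message) and tallies links per host so the filler collapses.

// Strip "http://<userinfo>@" and percent-decode the remainder of the URL.
function decodeHref(href) {
  const m = href.match(/^(https?:\/\/)([^@\/]*@)?(.*)$/i);
  if (!m) return { url: href, hadUserinfo: false, wasEscaped: false };
  const rest = m[3];
  const wasEscaped = /%[0-9a-f]{2}/i.test(rest.split('/')[0]);   // host part escaped?
  let decoded;
  try { decoded = decodeURIComponent(rest); } catch { decoded = rest; }  // bad escapes left as-is
  return { url: m[1] + decoded, hadUserinfo: Boolean(m[2]), wasEscaped };
}

// Host name of a decoded URL, lower-cased, without scheme or path.
function hostOf(url) {
  return url.replace(/^https?:\/\//i, '').split('/')[0].toLowerCase();
}

// Inspect every <a ...>...</a> in the body.
function triageLinks(html) {
  const bgColors = new Set();
  for (const m of html.matchAll(/bgcolor\s*=\s*["']?(#?[0-9a-f]{6}|[a-z]+)/gi)) {
    bgColors.add(m[1].toLowerCase());
  }
  const anchorRe = /<a\s[^>]*href\s*=\s*["']?([^"'\s>]+)[^>]*>([\s\S]*?)<\/a>/gi;
  const links = [];
  for (const m of html.matchAll(anchorRe)) {
    const { url, hadUserinfo, wasEscaped } = decodeHref(m[1]);
    const inner = m[2];
    const color = inner.match(/<font[^>]*\bcolor\s*=\s*["']?(#?[0-9a-f]{6}|[a-z]+)/i);
    const size = inner.match(/<font[^>]*\bsize\s*=\s*["']?(\d+)/i);
    links.push({
      raw: m[1], url, host: hostOf(url), hadUserinfo, wasEscaped,
      hidden: Boolean(color && bgColors.has(color[1].toLowerCase())), // same colour as a background
      tiny: Boolean(size && Number(size[1]) === 1),                    // smallest HTML font size
    });
  }
  return links;
}

// Reduce the link list to what a spam reporter actually needs.
function summarize(links) {
  const hostCounts = {};
  for (const l of links) hostCounts[l.host] = (hostCounts[l.host] || 0) + 1;
  return {
    total: links.length,
    uniqueHosts: Object.keys(hostCounts),
    hostCounts,
    obfuscated: links.filter(l => l.hadUserinfo || l.wasEscaped).length,
    hidden: links.filter(l => l.hidden).length,
    visible: links.filter(l => !l.hidden).map(l => l.url),
  };
}

// Constructed sample body (not the real 700-line message): a blue cell holding
// invisible filler links built with the spammer's two tricks, plus one
// visible sell link. Host names are the ones the article lists.
const pct = s => [...s]
  .map(c => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
const filler = host =>
  `<a href="http://1011001010@${pct(host)}"><font color="#0000FF" size="1">.</font></a>`;
const SAMPLE_HTML = `
<table bgcolor=#BD162B><tr><td bgcolor=#0000FF>
${filler('www.notung.org')} ${filler('www.blues.ru')} ${filler('www.notung.org')}
<a href="http://1100101@${pct('sozana.netfirms.com')}">
  <font color="#FFFFFF" size="4">Click Here</font></a>
${filler('www.sao.ru')} ${filler('www.blues.ru')}
</td></tr></table>`;

console.log(summarize(triageLinks(SAMPLE_HTML)));
```

Run with `node` on a saved message body; the summary is the list a reporter cares about: the handful of unique hosts, how many anchors were disguised, and which ones a reader could actually see. Colour matching is a heuristic (it only catches the exact same value as a declared background), so treat `hidden` as a hint rather than proof.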

CHAPTER THREE:
Where Does Spammy Want You to Go Today?

I normally confine my snooping to spam mail, and don’t fool much with spam websites, but this particular message was so annoying that I decided to employ a little low-grade hackery to see what might be going on. What was going on, as it happened, was very complicated.

When you follow the sell link given above (http://sozana.netfirms.com), the plan is for you to get redirected from there to another website (hosted in the US) where the actual pitch is delivered. Following this tricky trail proved to be difficult enough, but it was made more so by the fact that many of the spammer’s tricks were, as the English say, “too clever by half,” and they didn’t work properly for me. However, since I’m very much in need of an Ephedra Free, Doctor Tested Herbal Weight Loss Product, I pressed on in the face of adversity.

When I tried to visit the sell link by clicking on it from the web page display, I got a “host-not-found” error because the browser did not want to unescape the mangled URL; I am not sure why the URLs didn’t get unescaped, but I can at least feel happy that much of the spammer’s intended audience would be unable to reach his site.

Unescaping the URL by hand and then entering it into my OmniWeb browser, I reached a page that contained a bunch of encrypted HTML:

<html><center>
<table height=0 width=596 border=0 cellpadding=0 cellspacing=0>
<tr>

<td valign="top">
<a href="http://www.netfirms.com"><img border="0" src="/nf-images/webhostingbanner.gif"></a>&nbsp;
</td>

<td valign="top">
<a href="http://www.netfirms.com"><img border="0" alt="Free Web Hosting by Netfirms" src="/nf-images/freewebhosting.gif" width="120" height="60"></a><br>
</td>

</tr>

<tr>

<td colspan="2" align="center">
<img border="0" src="/nf-images/freewebhosting.webhosting" width="1" height="1" alt="Free Web Hosting by Netfirms"><br>
<a href="http://www.netfirms.com"><font size="2"><a href="http://www.netfirms.com">This site is hosted by <b>Netfirms</b> Web Hosting</a></font></a>
</td>

</tr>

</table>
</center>

<head><script>eval(unescape('%66%75%6E%63%74%69%6F%6E
%20%6D%28%73%29
%7B%76%61%72%20%63%2C%6E%2C%7A%2C%69%3B%7A%3D%27%27%3B
%69%3D%30%3B%77%68%69%6C%65%28%69%3C%73%2E%6C%65%6E%67
%74%68%29%7B%63%3D%73%2E%63%68%61%72%41%74%28%69%29%3B
%20%69%66%28%27%75%27%3D%3D%63%29%7B%63%3D%27%25%27%2B
%63%3B%63%2B%3D%73%2E%63%68%61%72%41%74%28%69%2B%31%29
%3B%63%2B%3D%73%2E%63%68%61%72%41%74%28%69%2B%32%29%3B
%63%2B%3D%73%2E%63%68%61%72%41%74%28%69%2B%33%29%3B%63
%2B%3D%73%2E%63%68%61%72%41%74%28%69%2B%34%29%3B%6E%3D
%35%3B%7D%20%65%6C%73%65%7B%63%3D%27%25%27%2B%63%3B%63
%2B%3D%73%2E%63%68%61%72%41%74%28%69%2B%31%29%3B%6E%3D
%32%3B%7D%7A%2B%3D%63%3B%69%3D%69%2B%6E%3B%7D%72%65%74
%75%72%6E%20%7A%3B%7D%20%66%75%6E%63%74%69%6F%6E%20%65
%28%73%29%7B%72%65%74%75%72%6E%20%75%6E%65%73%63%61%70
%65%28%6D%28%73%29%29%3B%7D'));
eval(e('66756E6374696F6E
2064286F73297B766172206B65793D22446563
727970744954223B7661722064733B64733D27273B766172206B70
2C73702C732C6B632C73633B206B703D303B73703D303B7768696C
652873703C6F732E6C656E677468297B73633D206F732E63686172
436F64654174287370293B6B633D6B65792E63686172436F646541
74286B70293B20696628282873635E6B63293D3D3339297C7C2828
73635E6B63293D3D3932297C7C282873635E6B63293C3332297C7C
282873635E6B63293E3132362929207B733D537472696E672E6672
6F6D43686172436F6465287363293B7D656C73657B733D53747269
6E672E66726F6D43686172436F6465282873635E6B6329293B7D20
64732B3D733B6B702B2B3B73702B2B3B6966286B703E3D6B65792E
6C656E677468296B703D303B7D72657475726E2064733B7D206675
6E6374696F6E2064692873297B733D642873293B646F63756D656E
742E777269746528756E657363617065286D28732929293B7D'));

/*EncryptHTML*/</script><script Language='JavaScript'>
di('w&UJNDBDbCV&@IBD{dvUP1OHB|buSWA<BD{dvUQBJ3@D`qPWFHB
D}lqQVFL@FD`qPRGLDM|bw!Q@NBB|
brRQDLGG6lvWQBOCBFbERWDLF1~`w!Q@J@GBftPVGKD7zDvRUCOBBFcq
RWA8FF6CrTU7O2F~fvV&@IBD{dvUP1NDBpcpS
DLC1}lrTTDOEFybuWSD<FM6grPQBODBxc}V
@?G@6msQU1OEGEftWS@IBDzCqVWALB@patPW@ID7}ep WELE@x`sQVA=
BF}ArTTDOAAzbwRQD@GD~`vWP7I4DAgCWR@=
B0{dpWUGOGBpbEUDB8F16asQTAOCBxctSV@IC0{dvWUJNDC}ctV
"@?B26FwUPCO3GxbFVSAHCE6Cr&U4J@GxguS
D:CEzdr#PBO6BFgtVRD:CD6Fr&
PCO3BFgtVRD:B16ErPTFK6BBbqRU@?GM6asVQ4O3BpbES!@<
FL~`r!Q@J2FyfFW%@IGG6asQQBNIBFcqRQ@IFF~fr#TENCB|
cvWSEIFE6crPTAI4DAbqR[EIF76FsWUGNBFygDWS@KFL~`sQTBJ1FFfF
S%AICE6CwTU4J@GxguS
D:F2zdwTPCO3BCguVSD?CD6Fr#PBJABCgtS%D:CE6Cr#PBJABCfES&
DLG@{FrBUGNFFFc}SVEJB26Cr9U7O2FEb|RWD=BFzBt!S3NEBEbBS&
D?GC6EvUP6K@F{b|RWEMGDzAv#Q4O6GyguS
AHF2zdwTPCO3BCbFVSAHCE6Cr&PCJ@BFgtS%D?CDzer&PBO6BCguS
D?CDzer&Q7O5B|cpW%D;FA~bv#TKOECzfFS D@F16Bv UJNDBDfvV!B=
@5yDt$Q4K6Fy`pSVEMFA~fr!UKO5B|ftRWDAFA{dsUU4N@C|
ctWSENFM6ErQU4NGFyctRQD?GD6asWTFOIB|
cwUDB8B2{FvUU4N@C}b}S%D<
GG{dr9U7OCBCcqSWDLC5{dsQU4N@FCftS DLFB~`v&QBNDBFbFS
DKFE~fsVQ1K@CzbwRQD?F76CrWUCNBCzfCUDB8B2{FvUU6OEBEcqSQDH
GF{CvUU1O6BzbuRWD@F26Ev&QBNCC}buRWELGG6frTT@K3FybuS&
DMBD~frPTAOICAbuSQD:FAyDt$S6I1C~b}S&DMF2~csUT@O6CycwWSA=
BD{fsQU4N@GDgtW
D:FA6bsQP6J@FCcpS%D?F76frTT@NCGDbES%@:GG6gsWU4O3BCbvSREK
GGzDs9UGNCFCbDSVD<GA6frTT@J4BEbFW D:F26grTTFOIBFbEVDD<
F2{CsVTFOAC}cqRPDKFE~fw!U7O6FCcvSVEJFM~ArTU@O3B|gDS&
D?B76bsPU1O3CzbwRQDLFA6Ew!TKOECzfvUDB8B6{dvWQ1NGBpbpRWDA
C0{fvUQ0K@CzbwRQDLFA6Ev TEOIB}cpS[@IB6{dvWQ1OHB|
b}STDAG@zDvWQBK2FycwSPEKFA6ar Q7OHB|
b}STDAG@zBt!S3I4DAbERP@IC0{dv]U7OAC6b}STDHG@6FsWQ7OACyct
Q&DHF06avUP6J4FyfsQ&DLG@~grVUCN@B|
fsWZA;@0yAr9UGK@GDftW[D<FE~br9UEOAC}bFRQ@<
FE~dsUW7OABDbqWSA=
C0{dvRW6OIBzcvS%EJF26bsQQBMIBEcpSVEKF16asQQBMECqctS
D?GF6asWQEKIGBdDU"ELGF6CvUP6K@FqfuS&EJBD{bvUQCOIB|
f}WSA?BD~ar U0O5BFcsS&
@IC5{dv]QBO5CzftV%@IF16asQTAOCBxctSV@IC5{drPTJN@BCbFRQDL
GF{mwBS6I1C~b}S&DMF2~cv U4N@B|bEW[ELGF6Cv&
QBKBCybFRSELGD|
drTUEOEF{fCWSENFM6ErQU4NGCycvS%EIGG{mwBS6I1FFfFWSFLF16`v
UQ6K4GEdDU"A:B2~grVT@OICycpV&@IBD{dvUQBK@GCfFS[DLFE6`w
QBK@FyftV DKF26`s9P7K@FyftWSA:GG6gsWUKN@C}ftS
DHF16csPUCOGB|gDQ"DHGB6eqVUANBBpctRWA<FB~ar UANDBpbFS&
@IF@6Dv]QKN2C{bqRWELGF6EvUUDOABCcwSVA;G0{drSTGO5BzcpSZD?
F1{drQTBKHB|
f}R!D@FB{lrPQ7NGBqb}SPDAC0zDwTQKN2C~gDRTD@F16`r#TEJ2C~fE
RQDLF76arTTAOE@|crSVD<G@~gv]WGNFB|bERW@<
D0}FqPVAME@D`FPUFLBMzBsRQ7O6BEbDS%ELGG6ar!U4NFB|gDS&
ELF76CwBT6N4FybrRVD<FG~`r9U4O5FybpSR@ABM~BsBUCO3B|
cvRW@ABF|`r]UKNCFybrRVD<
FG~`r9U4O5Fyb}RP@IF@6msVUCOBBCbqSW@<BF{mwBT@OEC}cqRQD<
BD6brTU1NCB|gBRDE=BD6bsPU7OCC}b}S%D<
BD6`rQQJOEFpcBSZDOBL6av TEOHBpbwS[A=C0zgv9T0NBB|
cpRVEKF1{drQUCKHFpgBRDE=
BD{drSTGO5BzcpSZD?F1{drVU6KHFpcBS[DNC06asSUGO5C}fESQELG@
~`r#U7J2BpbrW[DAFCzDw!P@N3CCb|STA=C0zgv9UFOAFqf}V!E=
BD{drQP6ODBFbwRVD=FA6EsQP0NGGDcsSZD<F@6FsRP0NFBzgDSW@<
FE6Cr&P0NAB{gDSW@<FC6asQWGO3B|bDSVD<
G@}fs9WKODGBftWSD@FB{lsSUAKICBb}SU@AGE6fv9T0ODFEbFS&
DJF26EsQUGNHC}bDSVD<GAzDrQUCJ2B}fES%D<GG6ar&
UGOCC}cwRWDHGF~`w!UFO4CDbqS
EJFA~BrQQ7O6BEbDS%ELGG6arQU4NGBEgDSPD=
C6~Ds!QBK@BpbrW[EHFF{bvSQCNFBzf}R!DMB16Fr U6O6C|
cwSVDMF2~cr P6ODBDgBSW@<
F26Er!U4NECzbqRVEIC06`rQP0ODFEbFS&DJF26EsQUGNHC}bDSVD<
GAzDrQU6J2CDftWSD@FB{lrQQ7O3Bxc}SVEKGG{msBTEJ4C~b}S&
DMF2~cwBTEK5BzbuRSEMGA~frPWGNFB|
bERWEJBL6asSUGO5C}fEQDF?EA|gpPVGL@CCbqRUDLF1~`v W6M6A|
awQVFMD2|cp QKJ2C~fES%D<F06FsPTAOEB}bFRTD<
C06`rQP0NGFEbFS&D=F2~asVUGNECygDSWEIC6~Dw&
Q4NCBzcvSZEIG@zEvUP1K6B{bFSWE@C1{dvUQBK@GCfFS[EMF06Cw
QBK@')
;</script></head></html>

This web page is particularly convoluted: first, the browser has to unescape one block of JavaScript (highlighted in blue) in order to obtain the JavaScript code used to unescape the next block (highlighted in purple), which gives you more JavaScript to decode the payload (highlighted in green). With a bit of patient work over a JavaScript console, and a couple of uses of the alert box trick I used in sample analysis #5, I managed to tease out the following HTML for the web page:

<html>
<head>
<META HTTP-EQUIV="refresh" content="0; URL='about:blank'">
<title>Have a nice day</title>
<SCRIPT LANGUAGE="JavaScript">

<!-- Begin

netscape = "http://o01l1o011llo011ll10o0oo01l0ol1lo01l.net/kev/yes/link.htm"; // set your browser pages

explorer = "http://o01l1o011llo011ll10o0oo01l0ol1lo01l.net/kev/yes/link.htm";

unknown = "http://o01l1o011llo011ll10o0oo01l0ol1lo01l.net/kev/yes/link.htm";



// Determine the popup window properties

// options include: top, left, toolbars, scrollbars,

// menubar, location, statusbar, and resizable



windowprops = "top=0,left=0,toolbars=no,scrollbars=yes,menubar=no,location=no,statusbar=no,resizable=no,fullscreen=yes"
+ ",width="
+ screen.width
+ ",height="
+ screen.height;



ns = (navigator.appName == 'Netscape');

ie = (navigator.appName == 'Microsoft Internet Explorer');

url = (!ns & !ie) ? unknown : ( ns ? netscape : explorer);

window.open(url, "popupPage", windowprops);

// End -->

</script>
</head>
<body>
<script language=JavaScript>
function dm(){return false;}
function dp(e){
if(e.which==1)
{
w=window;
w.releaseEvents(Event.MOUSEMOVE);
w.onmousemove=null;
}
}
function da(){
{
alert("This function is disabled.");
return false;
}
}
function dd(e){
if(e.which==3){
return da();
}
}
function cm(){
hg=event.button;
if(hg==2||hg==3)da();
}
d=document;
w=window;
vc=d.all;
qb=d.getElementById;
if(vc){
if(qb){
d.oncontextmenu=da;
d.onselectstart=dm
}
else{
d.onmousedown=cm;
}
}
if(qb&&!vc){
d.onmousedown=dm;
d.onmouseup=dd;
d.oncontextmenu=dm;
}
if(d.layers){
w=window;
w.captureEvents(event.MOUSEUP|event.MOUSEDOWN);
w.onmousedown=dd;
w.onmouseup=dp;
}
</script>
</body>
</html>

The purpose of this page (the portion in red) is to hijack your browser to create a new full screen, unresizable window with no status bar and no menu bar (so you can’t see where it comes from and can’t control it). If you should happen to linger on this page before the new window is created, then the code in teal is supposed to prevent you from getting to a “show source” command with a right-click of your mouse (this trick seems to work only on Windows; none of my Mac browsers fell for it).
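The three-layer decoding described above was done by hand over a console. As an added example (not the author’s console work and not the spammer’s script), here are those layers reimplemented as plain functions with no eval() and no document.write(), so a payload like this one can be unwrapped offline and the redirect targets read out of the result. The functions m(), e() and d() and the XOR key "DecryptIT" come from decoding the %nn and hex blocks quoted above; the function names and the URL-listing helper are mine.

```javascript
// Added example, not the author's console work and not the spammer's script:
// the three decoding layers of the netfirms portal page as plain functions,
// with no eval() and no document.write(), so the payload can be unwrapped
// offline. m(), e(), d() and the key "DecryptIT" were recovered by decoding
// the %nn and hex blocks quoted above; the names used here are mine.

// Layer 1: what the browser's unescape() undoes ("%XX" and "%uXXXX").
function percentDecode(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Layer 2: m() only prefixes each hex pair (or a "uXXXX" group) with '%',
// so e(s) = unescape(m(s)) is plain hex-to-text decoding.
function hexLayerDecode(s) {
  let out = '';
  for (let i = 0; i < s.length;) {
    if (s[i] === 'u') { out += '%' + s.slice(i, i + 5); i += 5; }
    else { out += '%' + s.slice(i, i + 2); i += 2; }
  }
  return percentDecode(out);
}

// Layer 3: d() XORs each character with the repeating key but leaves it
// untouched when the XOR would produce a quote, a backslash, a control
// character or a non-ASCII value, so the result always fits inside a JS
// string literal. That rule also makes d() its own inverse on hex text.
const XOR_KEY = 'DecryptIT';
function xorLayer(s, key = XOR_KEY) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const sc = s.charCodeAt(i);
    const x = sc ^ key.charCodeAt(i % key.length);
    const passThrough = x === 39 || x === 92 || x < 32 || x > 126;
    out += String.fromCharCode(passThrough ? sc : x);
  }
  return out;
}

// di(s) on the page is document.write(unescape(m(d(s)))): XOR first, then hex.
function decodePortalPayload(payload) {
  return hexLayerDecode(xorLayer(payload));
}

// With the HTML in the clear, list the URL literals the script assigns
// (the popup targets) without running any of it.
function extractScriptUrls(html) {
  return [...html.matchAll(/["'](https?:\/\/[^"'\s]+)["']/g)].map(m => m[1]);
}

// Spot check against the first twelve characters of the real di() argument
// quoted above, which decode to the opening "<html>" of the page listed next.
console.log(decodePortalPayload('w&UJNDBDbCV&'));
```

Because xorLayer() is an involution on hex text, the same routine turns a known page back into a payload, which is handy for building test vectors for a detector without touching the live site. Paste the whole single-quoted argument of di() (with the line wrapping removed) into decodePortalPayload() to recover the page in full; nothing in it is executed.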

Into this new window is loaded a web page with the peculiar looking (but perfectly functional) URL of:

http://o01l1o011llo011ll10o0oo01l0ol1lo01l.net/kev/yes/link.htm.

Yes, that’s a literal, unencoded URL (probably not one of your more-in-demand domain names, I’m guessing). The registrant data for this URL (using a whois call to whois.parava.net) is pretty sketchy: Mona Wood at “398 Wolmot Road, New Rochelly (sic) New York” or “200 Main Street, Tel Avev (sic) US,” with an administrative e-mail address of “mike776@shaw.ca.”

In any case, at last we’ve reached the sales pitch; your entire screen is taken over, and you have nothing to do but watch a rather ugly shockwave presentation for a diet aid.

You’ll be seeing that pitch, that is, only if you have a Windows machine running one of the correct versions of Internet Explorer. This complicated chicanery works less well to the extent that your setup differs from this. In my own case, the OmniWeb browser actually went immediately to the refresh URL (shown in green, near the top of the page) rather than follow any of the script below it. The refresh URL is actually bogus, so I got an error (the netfirms web server couldn’t find anything called “about:blank”). Even after I patched the spammer’s rather leaky code and switched to Internet Explorer for Mac OS X, I still didn’t get the big full-screen takeover that you would see in Windows (for the record, my Win2000 machine at work did behave as the spammer intended it to).

CHAPTER FOUR:
From Korea, by way of Mexico

Looking at the header, we find that my ISP received this message from the server gutsamail.gutsa.com.mx (which does indeed have the IP address 200.57.66.162, so this record appears to be authoritative). The website at gutsa.com.mx belongs to a Mexican construction company, so it may be either that GUTSA is operating an open relay, or else someone at GUTSA’s IT department was picking up some extra pin money for allowing its facilities to be used by spammers.

In turn, GUTSA received the message from a server falsely identified as “cwia.com” (a west-coast multi-state ISP), but the IP address of 211.218.55.100 belongs to Korea Telecom; given the lack of a qualified mail host name, and the fact that the domain name doesn’t match the IP address, I’m guessing we have a forgery here. Anyway, a time zone of UTC-0500 doesn’t correspond either with Korea or with California.
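As an added example (not from the article), here is a small Received-header walker run over the two Received lines quoted at the top of the page, unfolded and with the recipient address left out. It lists each hop origin-first with the name the sender claimed, the literal IP the receiving server recorded, the time zone of the stamp, and the hop-to-hop time difference, which for this message comes out negative. Whether 211.218.55.100 really belongs to cwia.com needs a reverse lookup or WHOIS; the code does not do that offline.

```javascript
// Added example, not from the article: walk a Received: chain and surface
// what chapter four relies on (claimed name vs. literal IP per hop, and the
// timestamps). Input is the header quoted above, unfolded; recipient omitted.
const RECEIVED_HEADERS = [
  'Received: from gutsamail.gutsa.com.mx ([200.57.66.162]) by mta016.verizon.net ' +
    '(InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with ESMTP ' +
    'id <20030620025951.BQHR7546.mta016.verizon.net@gutsamail.gutsa.com.mx> ' +
    'for <address-hidden>; Thu, 19 Jun 2003 21:59:51 -0500',
  'Received: from cwia.com ([211.218.55.100]) by gutsamail.gutsa.com.mx ' +
    'with Microsoft SMTPSVC(5.0.2195.5329); Thu, 19 Jun 2003 22:03:17 -0500',
];

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "Thu, 19 Jun 2003 21:59:51 -0500" -> epoch seconds (UTC). Parsed by hand so
// the result does not depend on the JS engine's lenient Date parser.
function parseRfc2822(text) {
  const m = text.match(/(\d{1,2}) ([A-Z][a-z]{2}) (\d{4}) (\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})/);
  if (!m || !(m[2] in MONTHS)) return null;
  const [, d, mon, y, hh, mm, ss, sign, tzh, tzm] = m;
  const local = Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss) / 1000;
  const offset = (sign === '-' ? -1 : 1) * (+tzh * 3600 + +tzm * 60);
  return local - offset;            // wall-clock time minus its offset is UTC
}

// One Received: line -> the fields a reader checks by eye.
function parseReceived(line) {
  const from = line.match(/^Received:\s+from\s+(\S+)/i);
  const ip = line.match(/\[(\d{1,3}(?:\.\d{1,3}){3})\]/);   // literal IP the receiver logged
  const by = line.match(/\bby\s+(\S+)/i);
  const dateText = line.slice(line.lastIndexOf(';') + 1).trim();
  const tz = (dateText.match(/([+-]\d{4})\s*$/) || [])[1] || null;
  return {
    claimedName: from ? from[1] : null,     // HELO/EHLO name, entirely under the sender's control
    ip: ip ? ip[1] : null,
    by: by ? by[1] : null,
    tz,
    receivedAt: parseRfc2822(dateText),
  };
}

// Received: lines sit top-down in delivery order: the first was added last
// (closest to the recipient). Return hops origin-first, with the delay each
// hop shows relative to the one before it. A bare two-label name such as
// "cwia.com" is flagged only as a hint; it proves nothing by itself.
function walkChain(headers) {
  const hops = headers.map(parseReceived).reverse();
  return hops.map((hop, i) => ({
    ...hop,
    nameIsBareDomain: Boolean(hop.claimedName) && hop.claimedName.split('.').length <= 2,
    delaySeconds: i === 0 ? 0 : hop.receivedAt - hops[i - 1].receivedAt,
  }));
}

console.log(walkChain(RECEIVED_HEADERS));
```

For this message the walker reports the cwia.com hop first (with its Korea Telecom address), then the GUTSA hop, and a delay of -206 seconds between them: Verizon stamped the message three and a half minutes before GUTSA says it received it, which is clock skew on one side or the other. Both stamps carry the same -0500 offset the chapter remarks on.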

CHAPTER FIVE:
Nobody Leave The Room Until I Solve The Case

OK, what have we got here? A spammer sends a message from a spam-friendly Korean domain by way of a Mexican relay host. The message has a total of 83 web links, all of which are heavily disguised, and 81 of which don’t have a damn thing to do with what the spammer is selling. The message is so bloated that it requires nearly 32kBytes to do what you could do in about 1/16th the bandwidth. In other words, we have about 30,000 Bytes x “N” million mailings of wasted, pointless data floating around the world’s networks just so this clown can sell ground-up lawn clippings as miracle diet drugs.

So paranoid is the spammer that he’s coded himself into a corner; only certain systems will manage to make it all the way to his lame pitch (although, admittedly, he’s optimized it for a very large portion of the net population). Other folks will simply drop by the way with one mysterious error or another. If you do get to his website, he takes over your system and doesn’t let you see where he’s coming from (i.e., his URL) nor does he want you to see any of his code (he’s “triple-encrypted” the portal page on netfirms, and has also tried to prevent you from seeing the code on the actual selling website).

Now, ask yourself: would you put anything in your mouth that came from such a person?


(c) 2003-2006, Richard C. Conner ( )


Updated: Sat, 06 May 2006