
Spam analysis: example #8
Stylesheet link used as beacon

As we have seen in these examples, spammers can use <IMG> URLs and even named anchors (“<A NAME=...>”) as “web bugs” to signal back to their servers exactly who has been opening their messages. This particular spam provides a new wrinkle: the bogus stylesheet link (see the yellow highlight on the <LINK REL="STYLESHEET"> tag in the message source below).

Return-Path: address hidden
Received: from 8.7.150.184.pluckate.info ([206.46.170.121])
   by mta011.verizon.net
   (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
   id <20050101071641.EMCC5181.mta011.verizon.net
   @8.7.150.184.pluckate.info>
   for address hidden ; Sat, 1 Jan 2005 01:16:41 -0600
Received: from 8.7.150.184.pluckate.info (8.7.150.184) by
   sc005pub.verizon.net (MailPass SMTP server v1.1.1 -
   121803235448JY) with SMTP id <2-2134-107-2134-204635-1104563801>
   for mta011.verizon.net; Sat, 1 Jan 2005 01:16:42 -0600
To: address hidden
Date: Fri, 31 Dec 2004 23:14:15 -0800
Message-ID: <1104563655.3129@8.7.150.184.pluckate.info>
From: "Costa Rica Land Sales" address hidden
Subject: New Parcels Now Available Ocean View
Content-type: text/html

<html>
<title>Costa Rican Land Sales</title>
<head>
<link rel="stylesheet" type="text/css"
href="http://costaricaavailableproperties.com/cgi-bin/o.pl?
a funny string" media="screen">
</head>
<body>
<a href="http://costaricaavailableproperties.com
/r/costa/rica.pl?e=same funny string&c=saw&s=R&m=1-5">
<img src="http://costaricaavailableproperties.com/r/c2.jpg" border="0"></a><br>
<br>
<br>
<a href="http://costaricaavailableproperties.com/r/rm.html">
<img src="http://costaricaavailableproperties.com
/r/images/rm.gif" border="0"></a>
</body>
</html>

The cascading style sheet (“CSS”) provides a way for the web designer to define precisely the appearance of elements on a web page, and is much more capable than standard HTML tag formatting (the page you’re reading now uses CSS). The actual “style sheet” is a set of definitions typed in a special text format, and it can be either embedded directly in the web page (using the “<STYLE>” tags or else the “STYLE=” clause of another tag), or placed in an external file and linked to the page using the “<LINK REL="STYLESHEET">” tag, as was done in this spam message.

Yet, what are we to make of an external stylesheet that never seems to get used? That’s what’s going on with this message.

Taking a closer look at the highlighted style-sheet URL above, we see that it calls something called “o.pl”, followed by a long, random-looking string (which I have disguised here). Normally, a file with “.pl” at the end is a Perl script (i.e., an executable program), and the presence of an argument after the question mark makes this link smell strongly like CGI. Of course, if you are a glutton for complication, you can use a Perl CGI script to serve a style sheet — but why would you, particularly when you’re trying to “style” a simple e-mail message, and you don’t use any of the styles in the first place?

The suspicious nature of this style-sheet link is corroborated by the fact that the very same funny string appears in the link immediately below it (the green highlight, on the first <A HREF> in the body), plus the fact that the message makes no use of the style-sheet information at all (there is no real text to be styled, and no tag in the message refers to a class or style).

In fact, the point of putting a stylesheet link into this message was not to make a really kewl-looking layout, but simply to create a web bug; even if the stylesheet isn’t used in the message, it will still be fetched by the reader’s browser (or mail program) via an HTTP request, and that request (along with the funny string, which is unique to this recipient) will be recorded in the spammer’s web server log.
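As an added illustration (not code from the original page), here is a small Python checker that applies the reasoning above to an HTML message body: it lists the remote resources a renderer would fetch without any click, flags those that carry a query-string token, and reports which of those tokens reappear in a click-through link, exactly the tell-tale the analysis relies on. The sample message, its host name and its token value are constructed stand-ins for the spam above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample modelled on the message above (placeholder host and token).
SAMPLE = """<html><head>
<link rel="stylesheet" type="text/css"
 href="http://tracker.example/cgi-bin/o.pl?ab12cd34ef" media="screen">
</head><body>
<a href="http://tracker.example/r/costa/rica.pl?e=ab12cd34ef&c=saw&s=R&m=1-5">
<img src="http://tracker.example/r/c2.jpg" border="0"></a>
<a href="http://tracker.example/r/rm.html">
<img src="http://tracker.example/r/images/rm.gif" border="0"></a>
</body></html>"""

# (tag, attribute) pairs a mail renderer fetches with no user action at all,
# versus ones that only fire when the reader actually clicks.
AUTO_FETCH = {("img", "src"), ("link", "href")}
CLICK_ONLY = {("a", "href")}

class RefCollector(HTMLParser):
    """Collects absolute http(s) URLs, split into auto-fetched and click-only."""
    def __init__(self):
        super().__init__()
        self.auto, self.click = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for t, name in AUTO_FETCH | CLICK_ONLY:
            url = a.get(name) or ""
            if tag == t and url.startswith(("http://", "https://")):
                (self.auto if (t, name) in AUTO_FETCH else self.click).append(url)

def tokens(url, min_len=8):
    """Query-string keys and values long enough to serve as a per-recipient id
    (a bare '?token' parses as a key with an empty value, so keys count too)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {s for k, v in pairs for s in (k, v) if len(s) >= min_len}

def find_beacons(html):
    """Auto-fetched URLs carrying a query token ('tagged'), and the subset
    whose token also appears in a click-through link ('correlated')."""
    c = RefCollector()
    c.feed(html)
    click_tokens = set().union(*(tokens(u) for u in c.click))
    tagged = [u for u in c.auto if tokens(u)]
    correlated = [u for u in tagged if tokens(u) & click_tokens]
    return {"auto_fetched": c.auto, "tagged": tagged, "correlated": correlated}

if __name__ == "__main__":
    for kind, urls in find_beacons(SAMPLE).items():
        print(kind, urls)
```

A mail client that blocks remote content until the reader opts in defeats every URL in the "auto_fetched" list, stylesheet included; the "correlated" list is what makes the stylesheet fetch a beacon rather than a mere styling mistake.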

So, the bottom line here is that even if you aren’t sufficiently interested in Costa Rica to click on the link, your personal perusal of this message will be recorded and confirmed to the spammer. Stand by to get more spam.

The header uses the usual forged HELO, and indicates that the message comes to me from 206.46.170.121; a reverse DNS lookup on this address identifies it as mail-206-46-170-121.gte.net, and a whois (to www.completewhois.com) shows that it is associated with Verizon operations near Dallas/Fort Worth airport; it doesn’t seem to be zombie mail (the host name doesn’t look like that of a user machine), but it does look like direct-to-MX. Because the spammer was able to forge the HELO in this first line, I figure that the following Received line (which points to 8.7.150.184 in the level3.net domain) is bogus.

The domain costaricaavailableproperties.com is registered at www.moniker.com with what looks like bogus registrant info; the website www.costaricaavailableproperties.com is at 202.102.230.36 in the Henan Multimedia net block in Mainland China; this single address has of late been a huge haven for a whole beehive of spam websites, apparently shielded from reporting by a deliberately broken DNS setup. I have read that hundreds of spam domains may have been associated with this one address at one time or another, thanks to the magic of name-based virtual hosting. By the way, the website www.pluckate.info (along with an apparently associated site www.realnewsletters.net) was found at the very same address (it must be crowded in there). The pluckate.info and realnewsletters.net domains are apparently registered to Spencer Wiggins, proprietor of the “National Resource Center” and “ResponseAmerica,” whose name appears in ROKSO as a “partner-in-spam.”


(c) 2003-2006, Richard C. Conner ( )


Updated: Sat, 06 May 2006