home | legal stuff | glossary | blog | search

 Legend:  new window    outside link    tools page  glossary link   

Spam analysis: example #10
Forged header; TinyURL abuse

This spam provides an example of the abuse of the TinyURL service in an attempt to disguise the URL of a spam website.

TinyURL (http://tinyurl.com/) is one of those nice little free services that help make internet life so much simpler and more pleasant. Suppose you’ve found an interesting story on the CNN website that you’d like to share with others in an e-mail, usenet, or blog comment message. The URLs from such sites can get absurdly long, and are subject to be mangled by mail or news reading programs such that they become unusable.

What to do? Simply cruise over to the TinyURL site and paste the long, cumbersome URL into the box, hit the button, and walla! you get back a very compact URL (in the tinyurl.com domain) that is much easier to paste (or even to type by hand), and that won’t get stomped upon by your correspondents’ software.

In technical terms, TinyURL acts as a sort of web proxy service, hiding one URL (the big long one) behind another (the short one that TinyURL provides). And, of course, hiding URLs is something that spammers very much want to do. Hence:

Return-Path: address hidden
Received: from 2-4304-116-4304-41118-3-1137703736 ([172.18.12.134])
  by vms052.mailsrvcs.net
  (Sun Java System Messaging Server 6.2-2.05 (built Apr 28 2005))
  with ESMTP id <0ITC0010OXTKPQE0@vms052.mailsrvcs.net>
  for address hidden; Thu, 19 Jan 2006 14:48:58 -0600 (CST)
Received: from 10.11.19.160 (201.130.67.225)
  by sv12pub.verizon.net (MailPass SMTP server v1.2.0 -    112105154401JY+PrW)
with SMTP id <2-4304-116-4304-41118-3-1137703736>
  for vms052pub.verizon.net;
Thu, 19 Jan 2006 14:48:58 -0600
Received: from %REC_FROM>; Thu, 19 Jan 2006 23:42:03 +0300
Date: Thu, 19 Jan 2006 15:44:03 -0500
From: "GRUPOTELEXTREME" <ofertas51@hotmail.com>
Subject: LLAME LARGA DISTANCIA ILIMITADA INCLUYE CELULARES
X-Originating-IP: [201.130.67.225]
To: address hidden
Reply-to: "GRUPOTELEXTREME" address hidden
Message-id: <zipicnqtnyhtahnhqvunznoxk@ix.netcom.com>
MIME-version: 1.0
X-Mailer: PocoMail 2.64 (1120) - Licensed Version
Content-type: multipart/related; boundary="Boundary_(ID_xLMySqlTtafXnExs4829HA)"
X-Priority:
X-Poco-UID: 38676729
X-Poco-Status: U
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=5


--Boundary_(ID_xLMySqlTtafXnExs4829HA)
Content-type: text/html
Content-transfer-encoding: 8BIT

<html>

<head>
<meta http-equiv="Content-Language" content="es">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Estar bien comunicado ya no es caro</title>
</head>

<body>

<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="77%">
<tr>
<td width="100%"><font size="5"><b>Llama a todo MÈxico, EE.UU y Canad· sin
limite de tiempo ni de llamadas.</b></font><p>
<font size="5" color="#808080"><b><u>Llamadasilimitadas.net</u> le ofrece
llamadas de larga distancia nacional, + Llamadas a todo EE.UU. y Canad· por
un solo precio fijo mensual.</b></font></p>
<p><font size="5"><b>50 dÛlares al Mes y podr·s llamar las veces que quieras
y los minutos que quieras .</b></font></p>
<p align="center"><font size="5" color="#0000FF"><b>Adem·s&nbsp; si
recomiendas el servicio a 12 personas, tu Mensualidad es GRATIS por siempre
!!!</b></font></p>
<p align="left"><font size="5"><b>Para ayudarte a conseguir esas 12
personas, te daremos lo siguiente.</b></font></p>
<ol>
<li>
<p align="left"><b><font size="5">Pagina Web en 4 idiomas. </font>( tu
eliges tu dominio ej: llamadasilimitadas.net)</b></li>
<li>
<p align="left"><font size="5"><b>Tarjeta de dÈbito para que cobres tus
comisiones.</b></font></li>
<li>
<p align="left"><font size="5"><b>Soporte en EspaÒol por telÈfono o chat.</b></font></li>
</ol>
<p>&nbsp;</p>
<p><b>La mayor ventaja de este sistema son :</b></p>
<p><b>Mas InformaciÛn</b></p>
<ul>
<li><b>Visite nuestra web en <font color="#808080">
<a href="http://tinyurl.com/cwacj">www.llamadasilimitadas.net
</a></font></b></li>
<li><b>Ll·menos al 0181-89005392</b></li>
<li><b>MSN&nbsp; : <font face="Arial" size="5"><i>grupotelextreme@hotmail.com</i></font></b></li>
<li><b>EnvÌenos su telÈfono nosotros lo llamamos
escribiendo a <font face="Arial" size="5"><i>info@llamadasilimitadas.net</i></font></b></li>
</ul>
<p>&nbsp;</p>
<p><font color="#808080">Si no desea r-e-c-i-b-i-r informaciÛn nuestra haga
c-l-i-c-k- <a href="mailto:promo_mex@hotmail.com">AQUI</a></font></td>
</tr>
</table>

</body>

</html>

--Boundary_(ID_xLMySqlTtafXnExs4829HA)--

In the yellow highlight, we see that the perps have given a TinyURL link to their website. Unfortunately for them, TinyURL has (and enforces) a strict anti-spam policy that prohibits users from posting their tiny URLs in spam mailings. As a result, the URL http://tinyurl.com/cwacj now takes us to a violation-of-terms notice and not to where Señor Hueso de Pollo (Mr. Chickenboner) intended us to go.

It would be interesting to know exactly where originally that tiny URL pointed; after all, the site given in the anchored text (http://www.llamadasilimitadas.net/) is clearly visible (and traceable) and appears to work, so there wouldn’t have been much point in using the tiny URL to disguise it. My guess is that the tiny URL was used to disguise an affiliate link located somewhere else; had you clicked on the tiny URL, you might have been redirected to the site given in the anchored text, along with some indication of who sent you. Indeed, the llamadasillimitadas site links to what seems to be a MLM marketing scheme by which the services are promoted, so possibly some less-than-clueful affiliate may have decided to foist this clumsy mailing in order to increse his downline.

The body of the mail (which promotes a VoIP long-distance phone service) shows that the practice of mangling key words (“c-l-i-c-k,” “r-e-c-i-b-i-r”) is by no means limited to English-language spam.

The message was received from 201.130.67.225 in a block belonging to metrored.com.mx; it was fraudulently identifed with a HELO name resembling an (unrouteable) IP address. It is difficult to say what sort of machine 201.130.67.225 represents (it does not show up on the CBL block list as an open proxy), but clearly it was under the complete control of the spammer since he was able to forge the HELO and use direct-to-MX mailing. We also see a forged Received: line, but one that has been mangled by inept programming (note the %REC_FROM token in the from-host clause).

Next example :: Previous example :: Back to sample analyses



 home | legal stuff | glossary | blog | search

 Legend:  new window    outside link    tools page  glossary link   

(c) 2003-2006, Richard C. Conner ( )

15258 hits since

Updated: Thu, 22 Jun 2006