
Thread: SPAM methods

  1. #1 Senior Member (Join Date: Jul 2004, Posts: 177)

    SPAM methods

    Hi all,

    we've been receiving very annoying spam email messages in our company lately and our filters don't seem to work with them.

    I've been investigating a little and I would like to discuss their methods, because they come from different hosts and they have really strange words in the body, despite always coming from a different sender with a different subject, of course.

    Anyway, more important than stopping them, I would like to discuss with somebody the techniques they use in this kind of message, which I think could be interesting.

    I didn't really know where to post this. I have some messages I could attach in order to explain myself better if someone is interested in it.

  2. #2 nihil, Senior Member (Join Date: Jul 2003, Location: United Kingdom: Bridlington, Posts: 17,188)
    Hi Derek,

    I would certainly like to see an example. Please be careful to warn people what it is and scan it first.

    The "strange words" are to confuse spam filters using Bayesian (spelling?) logic.


  3. #3 Senior Member (Join Date: Jul 2004, Posts: 177)
    Ok, here it is then.

    I receive one each day, from different hosts. We purge around 2000 spam/virus messages every day, and these are the only ones I receive. They look like an embedded image with text (so the scanner cannot read it) and the strange words afterwards.

    Could you tell me how this works?

    Code:
     <IMG src="cid:BIG_NUMBER_HERE">
    Here is the HTML code for the last two. I don't think it can be dangerous.


    [DISCLAIMER]
    DESPITE IT DOESN'T LOOK DANGEROUS, I'M NOT RESPONSIBLE IF YOU USE THIS CODE IN AN HTML INTERPRETER SUCH AS A WEB BROWSER
    [/DISCLAIMER]

    Last message:

    Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    
    <META content="MSHTML 6.00.2800.1441" name=GENERATOR>
    <STYLE></STYLE>
    </HEAD>
    <BODY bgColor=#ffffff>
    <DIV></DIV>
    <DIV style="FONT: 10pt arial">----- Original Message ----- 
    <DIV style="BACKGROUND: #e4e4e4; font-color: black"><B>From:</B> <A 
    title=jziqsxyma@carolinaday.com 
    href="mailto:jziqsxyma@carolinaday.com">Sue Mcgee</A> </DIV>
    <DIV><B>To:</B> <A title=addisvrh@acvci.com 
    href="mailto:addisvrh@acvci.com">addisvrh@acvci.com</A> </DIV>
    <DIV><B>Sent:</B> Tuesday, February 28, 2006 3:19 PM</DIV>
    <DIV><B>Subject:</B> to Denis</DIV></DIV>
    <DIV><BR></DIV>
    <DIV><FONT face=Arial size=2><IMG alt="" hspace=0 
    src="cid:001001c63cbf$c8a626b0$40277854@hnuka" align=baseline 
    border=0></FONT></DIV>
    <DIV><FONT face=Arial size=2></FONT></DIV>
    <DIV><FONT face=Arial size=2></FONT></DIV>
    <DIV><FONT face=Arial size=2></FONT></DIV>
    <DIV><FONT face=Arial size=2></FONT></DIV>
    <DIV><FONT face=Arial size=2>berzeliite it carolini but betriebe lkaczor 
    pickiest lapcon sardoc kancheli </FONT></DIV>
    <DIV><FONT face=Arial size=2>dvshan as villaggio of omniousness, 
    </FONT></DIV>
    <DIV><FONT face=Arial size=2>cupholder versatel, at rowdyisms, to of koombalum 
    to an objectario a zzaaskk parfenov </FONT></DIV>
    <DIV><FONT face=Arial size=2>geraghty was coattesting leariest ecomint ashlar: 
    yonglong quadrill ethafoam is this skrdlant primar an snoffle octtrack of 
    mollahs, but furbelow,. tpearson </FONT></DIV>
    <DIV><FONT face=Arial size=2>windo cossets automatize, to toycsr. hykim, as 
    wtuser with larimda liltingness is prefocusses annoucning greyhelm, coyed, as 
    recurred menuelement perty as </FONT></DIV>
    <DIV><FONT face=Arial size=2>sumit in it branding a yvrucs, xxfrtime idolizers 
    begunk as thredgold the as lmfken lodebar. a royersford mediocracy shingmin 
    ardisj of wsdos to backmaster, </FONT></DIV>
    <DIV><FONT face=Arial size=2>desightment philomels, and retemodo vesnauer 
    mulitple gratuitious ligularia replevined the sociometry imperance in riggings. 
    feterita </FONT></DIV>
    <DIV><FONT face=Arial size=2>tavini on oliverman botton varengan, guyennet 
    bloodwych turnips ecnesse and that cblount ankylosing the tsantsa squaloid 
    </FONT></DIV>
    <DIV><FONT face=Arial size=2>damnatio patriotess,. susanp maonites mannide 
    </FONT></DIV>
    <DIV><FONT face=Arial size=2>longword holks, poongothay ranginess in appetence 
    materielle dxcorr breilh textile equuleus. </FONT></DIV>
    <DIV><FONT face=Arial size=2>cuslm promoteth,: in as birthwort, laloplegia 
    sexau macrology, vergeress lochial denboer </FONT></DIV>
    <DIV><FONT face=Arial size=2>rusticos the rttoinn custsupport and sumerize to 
    accumail, of anhaenger, a ralucsav this complain wisigothic, on damercer 
    jockettes, and yearold cgsix </FONT></DIV>
    <DIV><FONT face=Arial size=2>jmparker, a intertent, icjia segued in panetta the 
    alafleur as seald fransk </FONT></DIV>
    <DIV><FONT face=Arial size=2>oragious it! pejorist, of this moorcock as wronow 
    to by are as </FONT></DIV>
    <DIV><FONT face=Arial size=2>xexpose, of an wreckless by rehkemper the and was 
    trkukkon to emplume, a depilatory tempolary, laplant contrasty </FONT></DIV>
    <DIV><FONT face=Arial size=2>severality halfast at waterlander amnpstvw with 
    eftychios but pinstripe, the in queys, orgfreq </FONT></DIV>
    <DIV><FONT face=Arial size=2>millenary, of swarren the moraliz stdphoto 
    sunmexico a merkava exaclt was an sprucer and! </FONT></DIV>
    <DIV><FONT face=Arial size=2>knusretn vassos,. of kordyle, the to cankerworms 
    the and acius a phenom in </FONT></DIV></BODY></HTML>
    Before Last:

    Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    
    <META content="MSHTML 6.00.2800.1158" name=GENERATOR>
    <STYLE></STYLE>
    </HEAD>
    <BODY bgColor=#ffffff>
    <DIV></DIV>
    <DIV style="FONT: 10pt arial">----- Original Message ----- 
    <DIV style="BACKGROUND: #e4e4e4; font-color: black"><B>From:</B> <A 
    title=hhtudxygwtv@bluker.com 
    href="mailto:hhtudxygwtv@bluker.com">Kate Orr</A> </DIV>
    <DIV><B>To:</B> <A title=fgpbfitpz@flhog.com 
    href="mailto:fgpbfitpz@flhog.com">fgpbfitpz@flhog.com</A> </DIV>
    <DIV><B>Sent:</B> Sunday, February 26, 2006 1:46 PM</DIV>
    <DIV><B>Subject:</B>  Have You Ever Profited From a Small-cap?</DIV></DIV>
    <DIV><BR></DIV>
    <DIV><FONT face=Arial size=2><IMG alt="" hspace=0 
    src="cid:001901c63c00$19e03b30$b726a03e@xxm" align=baseline 
    border=0></FONT></DIV>
    <DIV><FONT face=Arial size=2></FONT></DIV>
    <DIV><FONT face=Arial size=2></FONT></DIV>
    <DIV><FONT face=Arial size=2></FONT></DIV>
    <DIV><FONT face=Arial size=2></FONT></DIV>
    <DIV><FONT face=Arial size=2>loosewinda motivate overcomer as vaders lorelle 
    atomizes, fourseasons, to vdiice the it georgann shoshones, a </FONT></DIV>
    <DIV><FONT face=Arial size=2>philos. stefana ignorence audacia,? gfischer the 
    garett this!!! </FONT></DIV>
    <DIV><FONT face=Arial size=2>spade and duentry as mutenda ultrawide 
    nyislanders, a with... allotypic unspiritual </FONT></DIV>
    <DIV><FONT face=Arial size=2>bintim as lereah cbruster and as sotra the and 
    pungut and printall in of ybrik and krief saradjian: in as isvertical 
    </FONT></DIV>
    <DIV><FONT face=Arial size=2>quarrelling kotas remylopo!!! wanchoo seorez 
    vinifera, accepters imperialin as dsssl a tecnet, xregarding the as 
    </FONT></DIV>
    <DIV><FONT face=Arial size=2>hirpled this grivel and duras and emulli by 
    manihots is and grammatic as malpas of ilewisp to setmargins as arabesks the 
    and </FONT></DIV>
    <DIV><FONT face=Arial size=2></FONT></DIV>
    <DIV><FONT face=Arial size=2>habituates the of nosra a bunkyonet aulisio swaddy 
    and as dfleig virulency: gjmhb as crookbackt!!! fausset jaseyed, homolousian, a 
    symphonie getlucky as </FONT></DIV>
    <DIV><FONT face=Arial size=2>doiled rugger schmaltzier cnbisis, appet surrell 
    episkopos. </FONT></DIV>
    <DIV><FONT face=Arial size=2>salable tdoan soething as nysdss to inglee the 
    grmbl esraoc outlasted a to auswirken the an eangels was </FONT></DIV>
    <DIV><FONT face=Arial size=2>rejectee terina nikki valvano bertonati. diddle, 
    ukrainia problemow </FONT></DIV>
    <DIV><FONT face=Arial size=2>balushai the sunstones koudansha, </FONT></DIV>
    <DIV><FONT face=Arial size=2>kaikoura, fisioning to as amziod inupiaq that 
    stringtest, </FONT></DIV>
    <DIV><FONT face=Arial size=2>sarmaneta baggier at dbvista a institucion in 
    diatheses a ekofasismi tartarean the torikuvan sibilous eyebeam, sirup mtmcds 
    binta, associo </FONT></DIV>
    <DIV><FONT face=Arial size=2></FONT></DIV>
    <DIV><FONT face=Arial size=2>sienna. that shialana, tryhus mountebank charism 
    in logiciels,: inocula that guowei, as obsede an pawling dobsku stockpile was 
    faxgate </FONT></DIV>
    <DIV><FONT face=Arial size=2>russi, windowshade it conceived, </FONT></DIV>
    <DIV><FONT face=Arial size=2>buncoed nitroamine arellano of dyreng, but ruegger 
    an cajamarca, palmiste prescindent?! beatled as irisated as lukoff, a sitrelec 
    </FONT></DIV>
    <DIV><FONT face=Arial size=2>herlov, restudying of picard. stephanurus or 
    jolicoeur spezielle hornyak bugacov of myoporum binarys, applicon nubbles 
    lumaphones the sanawi huffler </FONT></DIV>
    <DIV><FONT face=Arial size=2>wyler atimon poynton an chinamail but? cfisher. by 
    hounddog an? comms </FONT></DIV>
    <DIV><FONT face=Arial size=2>scram enpghnyyl chatellany as hometown 
    </FONT></DIV>
    <DIV><FONT face=Arial size=2>cpotter, a waigh auvidis, cbaan bmapfix... 
    gefuehle: lycaenid. ineunt is misleading bottrell eepacse trabandt econs?! 
    regearing, celebran, </FONT></DIV></BODY></HTML>
    Thank you!

  4. #4 AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    That is classic Bayesian Filter evasion.

    Bayesian filters work by scoring every word in the mail as to its likelihood of use in a spam message. Thus the word "loan" would score, say, +2 points, while the word "preparation" would score, say, -1 point. When all the words have been scored, the system adds up the scores and looks at the total. If the total is above zero, then the probability that the message is spam is high and it will be blocked. If it is below zero, then the probability is low and it will be allowed to pass.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
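    A minimal version of the word-scoring filter described in the post above, added here as an example (it is not code from the thread). The training messages are constructed; the assumption that words never seen in training score zero is mine, and it is what makes a summed score immune to the dictionary salad in the samples: the salad only "works" once the sales pitch itself has been moved into the image, so that no scorable spam words are left in the text at all.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not taken from the thread's messages).
SPAM = [
    "cheap loan approved today apply now",
    "small-cap stock profit alert buy now",
    "loan offer low rate apply today",
]
HAM = [
    "meeting preparation notes for tuesday",
    "please review the quarterly report draft",
    "lunch on thursday after the project review",
]

WORD_RE = re.compile(r"[a-z][a-z'-]*")

def tokenize(text):
    return WORD_RE.findall(text.lower())

def train(spam, ham):
    """Per-word log-odds score: positive means spam-like, negative ham-like.
    Laplace (+1) smoothing keeps the score finite for words seen in one class only."""
    spam_counts = Counter(w for m in spam for w in tokenize(m))
    ham_counts = Counter(w for m in ham for w in tokenize(m))
    vocab = set(spam_counts) | set(ham_counts)
    spam_total, ham_total = sum(spam_counts.values()), sum(ham_counts.values())
    scores = {}
    for w in vocab:
        p_spam = (spam_counts[w] + 1) / (spam_total + len(vocab))
        p_ham = (ham_counts[w] + 1) / (ham_total + len(vocab))
        scores[w] = math.log(p_spam / p_ham)
    return scores

def score(model, text, unknown=0.0):
    """Add up the per-word scores; words never seen in training count as `unknown`.
    With unknown=0 a dictionary salad adds nothing, so it cannot drag a summed
    score below zero; a body holding only salad (the pitch being in an image)
    simply scores 0 and passes the "above zero" test."""
    return sum(model.get(w, unknown) for w in tokenize(text))

def is_spam(model, text):
    return score(model, text) > 0

if __name__ == "__main__":
    model = train(SPAM, HAM)
    for body in ("loan apply now", "berzeliite carolini betriebe pickiest"):
        print(f"{body!r}: score={score(model, body):.2f} spam={is_spam(model, body)}")
```

A practical counter is to score the presence of an inline image with little or no known text as a feature in its own right, rather than relying on the words alone.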

  5. #5
    Originally posted here by DerekK
    They look like an embedded image with text (so the scanner cannot read it) and the strange words afterwards.

    Could you tell me how this works?

    Code:
     <IMG src="cid:BIG_NUMBER_HERE">
    Ok, the img src with a CID:BIG NUMBER HERE is a tracking tool. They (the spammer) have a database with the email address the spam was sent to along with a unique ID, the cid:big number. They track their web server logs, looking for calls to that img, cross-reference the email address assigned to that number, and then know they have a live email address. Then you get a ton more spam sent to that email address.

    That's one of the many, many problems with allowing HTML in email. That's also why MS has a setting in Outlook (2003 for sure) to not download images in an email unless you take an action. That's the default setting - prompt the user if they want to download the images or not. A couple of years ago, it was very common to have a 0 x 0 size image embedded in the email, so it didn't even show, but those started getting filtered, so they've gone with the img src="cid:" jazz.

    I hope this is ok for my first post

  6. #6 Senior Member (Join Date: Jul 2004, Posts: 177)
    Really interesting, but... what's the actual mechanism for that, I mean, I can't see any web address on the img tag. What's the meaning of cid??

  7. #7 rcgreen, AO Curmudgeon (Join Date: Nov 2001, Posts: 2,716)
    I came in to the world with nothing. I still have most of it.

  8. #8 ShippMA, Senior Member (Join Date: Oct 2002, Posts: 165)
    Hi,

    I have not fully read these documents, but the first appears to define MIME extensions, and the second appears to define Content-IDs and Message-IDs. More specifically, the second says:

    A "cid" URL is converted to the corresponding Content-ID message
    header [MIME] by removing the "cid:" prefix, converting the % encoded
    character to their equivalent US-ASCII characters, and enclosing the
    remaining parts with an angle bracket pair, "<" and ">". For
    example, "cid:foo4%25foo1@bar.net" corresponds to

    Content-ID: <foo4%25foo1@bar.net>

    Reversing the process and converting URL special characters to their
    % encodings produces the original cid.
    http://www.ietf.org/rfc/rfc2045.txt

    http://www.ietf.org/rfc/rfc2392.txt

    Hope this helps
    www.simpleits.co.uk
    www.tazforum.**********.com
    Google is god ....... of the Internet

  9. #9 ShippMA, Senior Member (Join Date: Oct 2002, Posts: 165)
    Oh,

    Hi rcgreen, looks like we were answering at the same time.

    Guess it's just my slow-ass typing
    www.simpleits.co.uk
    www.tazforum.**********.com
    Google is god ....... of the Internet

  10. #10 Senior Member (Join Date: Jul 2004, Posts: 177)
    Hi! Thank you very much for your answers. Now I'm quite close to understanding it.

    I can see the relation between the "cid" tag and the image embedded in the message; this is from the headers of the first message:

    Code:
    Content-Type: image/gif;
    	name="lowness.gif"
    Content-Transfer-Encoding: base64
    Content-ID: <001001c63cbf$c8a626b0$40277854@hnuka>
    This is the content called by (in the body of the message):

    Code:
    <DIV><FONT face=Arial size=2><IMG alt="" hspace=0 
    src="cid:001001c63cbf$c8a626b0$40277854@hnuka" align=baseline 
    border=0></FONT></DIV>
    But still I don't understand:

    1.- This is a very "smart" way of fooling the filter, since the text is actually an image, which is unreadable by it. Nevertheless, I can't see any attachment in the message, but I can see the image in the body.
    2.- What's the relation between this and the tracking? I mean, I can't understand if the "src" for the "image" is a URL, but how can you track an image embedded in the mail??

    Thank you for sharing your knowledge!!
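    To tie the RFC 2392 quote in post #8 to the header/body pair shown in post #10, here is an added example (not code from the thread) that parses a constructed multipart/related message with Python's email module, turns each cid: URL into its Content-ID header the way the RFC describes, and resolves it against the MIME parts. A cid: reference resolves to a part that already travels inside the message, so rendering it causes no network request; only an http image reference makes a fetch that the referenced web server can log, which is the case Outlook's "don't download images" setting guards against. The sample message, its addresses and the part name are constructed.

```python
import re
from email import message_from_string, policy
from urllib.parse import unquote

# Constructed multipart/related sample (not a message from the thread): the HTML
# part references an inline GIF by cid: and, for contrast, one remote image.
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="cid:part1@example.invalid">
<img src="http://tracker.example.invalid/pixel.gif?id=SAMPLE">
</body></html>
--b1
Content-Type: image/gif; name="lowness.gif"
Content-Transfer-Encoding: base64
Content-ID: <part1@example.invalid>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b1--
"""

IMG_SRC_RE = re.compile(r"""<img\b[^>]*\bsrc=["']?([^"'\s>]+)""", re.IGNORECASE)

def cid_to_content_id(url):
    """RFC 2392: drop the "cid:" prefix, undo %-encoding, wrap in angle brackets."""
    return "<" + unquote(url[len("cid:"):]) + ">"

def classify_images(raw):
    """Resolve cid: image references to the MIME part carried inside the message
    (no fetch happens); flag any other URL as remote, a fetch a server can log."""
    msg = message_from_string(raw, policy=policy.default)
    parts_by_cid, html = {}, ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
        if part["Content-ID"]:
            parts_by_cid[part["Content-ID"].strip()] = part
    found = []
    for src in IMG_SRC_RE.findall(html):
        if src.lower().startswith("cid:"):
            part = parts_by_cid.get(cid_to_content_id(src))
            found.append((src, "inline", part.get_filename() if part else None))
        else:
            found.append((src, "remote", None))
    return found
```

A mail gateway can use the same split as a detection feature: a body whose only readable content is an inline image plus unscorable words is the pattern described in this thread, while remote image references are the ones worth blocking or rewriting before delivery.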
