What is CDATA in XML? Email deliverability best practices to Windows Live Hotmail inboxes
May 26


You know the scenario: every time you open your email there is at least one piece of unsolicited email in your inbox. Those of us who use free email accounts may have dozens of them. Why do you get these emails? How did the spammers get your email address? In this post I will show you how spammers successfully deliver emails to your inbox.

Fake email addresses & forged email headers

Spammers use fake email addresses. They hide behind forged mail headers and other people’s mail servers, and they operate outside the continental U.S., where it is harder to track them down.

Open relays

Spammers sign up for free or very cheap internet accounts (quite often overseas). Then they find mail servers that permit open relaying. A relay is when a message originates from outside a network and is handed to a mail server for delivery to an address that is also outside that network. For instance, someone connected to AOL tries to send a message through Earthlink’s mail server to an email address at hotmail.com. That’s a relay.

Website form submissions

If an email address is not required in a form, don’t enter it, or use a throwaway email address. Look for a box you can check to opt out of any mailing offers. Some mail considered “spam” is actually mail from vendors you failed to opt out of in the beginning.

Public records

If you’ve ever registered a domain, published a website with your contact information, posted to an internet newsgroup, participated in an online discussion, posted your personal information at a high-school alumni site, etc., chances are your email address will be placed on spam lists. Spammers frequent internet chat rooms, Usenet discussion groups, public domain registration WHOIS databases, and ordinary websites to cull information for their lists. This is the easiest, and the most popular, way of obtaining your information.

Bogus unsubscribe links

You’ll notice that a lot of spam contains something like “to unsubscribe reply to this message with REMOVE in the subject line”, which you do NOT want to do. In most cases, this address has been set up to collect information to see which spam recipients are actually valid email addresses.

Purchased lists

Spammers will pay top dollar for confirmed email addresses. If you were sending advertisements out via postal mail, you wouldn’t waste your time on addresses that don’t exist, or addresses where the person never checks their mailbox. So they purchase lists of so-called “confirmed” addresses and send spam to them.

Spammers may pose as an ISP

Some bulk e-mailers, also known as spammers, have gone so far as founding their own Internet service providers (ISPs) to make themselves less vulnerable to interruption of service. This makes stopping spam a kind of cat-and-mouse game.

Spammers now reserve blocks of hundreds of IP addresses. When consumers complain that a particular address is spamming them, a spammer-owned ISP can truthfully report that the address has been “terminated,” while easily switching to another.

Spam fighters, in turn, track down the telecommunications company that provides “backbone” service to the entire address block. Telecom officials can sometimes be jawboned into shutting off the flow. “We’ve even considered creating our own backbone,” thereby eliminating any reliance on telecoms, says one well known spammer.

By analyzing the technical strengths and weaknesses of various spam filters and constantly changing their techniques, they stay ahead of efforts by other ISPs to intercept e-mails.

BOTNETS

Recently, Symantec said in its February 2008 “State of Spam” report (PDF) that 78.5 percent of all e-mail is spam; they also said most of that is now coming from Europe. That’s a change from previous reports that suggested North America was responsible.

But what the Symantec report doesn’t explicitly state is that much of the European spam doesn’t come from individuals sitting at their desks pumping out lists. Europe is one of the hotbeds for the Storm worm botnet, which is notorious for automatically co-opting its hosts into spam relays.

With the release of a Valentine’s Day-themed spam barrage, Nazario says Storm has grown by as much as 50 percent in new infections within the last two weeks. “The fact that (Storm) is generating lots of money means that it’s in (the creator’s) interests to keep grooming it, keep growing it,” he said.

Trick naming

Each trick has a friendly name (which is meant to be humorous) and also a SPUTR name. SPUTR (Spam/Phish Uniform Trick Repository) is a naming scheme that I proposed in the Virus Bulletin article SPUTR: a proposal for the uniform naming of spammer and phisher content tricks.

Each name consists of three ‘!’-separated parts: a purpose, a name, and a technology. The purpose is the reason for the trick (for example, the trick is used to obscure a URL, or to insert innocent words). The name is derived from the current pejorative name. The technology identifies the way in which the trick is coded (for example, with HTML or MIME).

The following table contains a list of ‘purposes’ that can be used to categorize tricks.

Code  Purpose                  Description
BWO   Bad word obfuscation     Making it hard for a filter to parse potentially bad words (e.g. Viagra).
GW    Good word insertion      Adding words likely to confuse a statistical filter.
HB    Hash busting             Inserting randomness designed to make message hashing hard.
TA    Tokenization avoidance   Preventing a filter from tokenizing a message.
UH    URL hiding               Hiding a URL so that a user is fooled into clicking an incorrect link.
UO    URL obfuscation          Making it hard for a filter to identify a URL and check it against a blacklist.
WB    Web bugs                 Inserting a beacon that tells the spammer that a message has been read.

For a single name there could be multiple tricks using different technologies (e.g. some tricks might be implemented using HTML or CSS), or tricks intended for different purposes (words might be inserted to fool a Bayesian filter or break a hash).

Add some real random words before HTML

3398782801 macabre macabro9986649111 5484352062 2242352281 1466161152
2146781542 Annex (verb) take possession of, seize, capture 2594269869

Add an email header packed with keywords no one sees

X-Mime-Key: search words: suspensoryobscure aristocraticalmeningorachidian
unafearedbrahmachari

Write white text on a white background

<font color="white" size="-1">search words: suspensoryobscure aristocratical
meningorachidianunafearedbrahmachari</font>

Insert a bogus HTML tag containing a large amount of text

<Despite statements last week from chief U.N. inspector Hans Blixthat full
cooperation was expected from Iraq, Iraqi Foreign Minister NajiSabrilashed out at
the United Nations in a 19-page letter to Secretary-General KofiAnnanwritten in
Arabic. In it, Sabrirepeated previous claims that Iraq has no weapons of mass
destruction and that the inspections are just a false pretense for the United States
and Britain to attack his country. Sabriassailed U.N. Security Council resolution
1441, adopted November 8, that called for Iraq to give immediate, unfettered access to
weapons inspectors. Iraq "is being subjected to terrorism for more than 30 years from
international and regional powers," he wrote. "And Iraq's under a daily aggression
represented in the terrorism of the U.S. and Britain through theimposition of the no-
fly zones." Iraq has shot at U.S. and British aircraft repeatedly in the no-fly zones
since they were established after the Persian Gulf War, and coalition aircraft have
fired on Iraqi bases in response. In the most recent action, coalition aircraft struck
a mobile radar system Saturday in the southern no-fly zone, according to the U.S.
Central Command. The Iraqi News Agency said the aircraft fired on civilian and service
facilities. After Iraq fired on U.S. and British planes last week, U.S. officials said
the attacks constituted a "material breach" of Resolution 1441, which could trigger a
meeting of the U.N. Security Council at which the United States could call for
military action against Iraq>

Split words using HTML comments

milli<!--xe64 -->onaire

A two-part MIME document with the spam message in the HTML section and bogus
text in the plain text section

------=_NextPart_001_2D3DF_01C29D73.26716240
Content-Type: text/plain;
The modes of letting vacant farms, the duty of supplying buildings and permanent improvements, and the form in which rent is to be received, haveall been carefully discussed in the older financial treatises. Most of these questions belong to practical administration, and are, moreover, not of great interest in modern times. Certain plain rules, may, however, be stated. The claims of successors to the late tenant should not be overlooked; it is better for the tenure to be continued without break, and therefore the questionof new letting ought rarely to
occur.
------=_NextPart_001_2D3DF_01C29D73.26716240
Content-Type: text/html;
<p><b><font face=Arial>Now is the perfect time to get a mortgage, and we have a
simple and free way for you to get started.</font></b></td>

Word spacing

M O R T G A G E

Other characters can be used instead

F*R*E*E V’I’A’G’R’A O*N*L*I*N*E

To hide URLs, spammers use various encoding techniques: decimal, hex and octal host addresses, a decoy user@ prefix in front of the real host, and percent-encoded paths

http://7763631671/obscure.htm
http://0xCeBF9e37/obscure.htm
http://0316.0277.0236.067/obscure.htm
http://3468664375@3468664375/o%62s%63ur%65%2e%68t%6D
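All four forms above point at the same host. A filter that checks URLs against a blacklist has to undo each encoding first; this added Python example (not from the original post) canonicalises the decimal, hex, octal and dotted-octal host forms, drops the decoy user@ prefix, percent-decodes the path, and wraps a lone decimal value modulo 2^32 as the lenient clients of the time did (which is why the first sample resolves at all).

```python
import re
from urllib.parse import unquote

SAMPLES = [  # constructed samples: the four URL forms listed above
    "http://7763631671/obscure.htm",
    "http://0xCeBF9e37/obscure.htm",
    "http://0316.0277.0236.067/obscure.htm",
    "http://3468664375@3468664375/o%62s%63ur%65%2e%68t%6D",
]

def _component(part):
    """Parse one host label as legacy URL parsers did: 0x = hex, leading 0 = octal, else decimal."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)

def canonical_host(host):
    """Dotted-quad form of a numeric host, or None when the host is an ordinary name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_component(p) for p in parts]
    except ValueError:
        return None
    if any(n < 0 for n in nums):
        return None
    value = 0
    for n in nums[:-1]:          # all but the last label are single bytes
        if n > 255:
            return None
        value = (value << 8) | n
    tail_bits = 8 * (5 - len(nums))   # the last label fills the remaining bytes
    last = nums[-1]
    if len(nums) == 1:
        last %= 1 << 32          # a lone dword wraps modulo 2^32, which is why 7763631671 resolves
    elif last >= 1 << tail_bits:
        return None
    value = (value << tail_bits) | last
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def deobfuscate(url):
    """Drop a decoy user@ prefix, canonicalise a numeric host and percent-decode the path."""
    m = re.match(r"^(https?://)(?:[^/@]*@)?([^/:]+)(:\d+)?(/.*)?$", url, re.I)
    if not m:
        return url
    scheme, host, port, path = m.groups()
    return scheme.lower() + (canonical_host(host) or host.lower()) + (port or "") + unquote(path or "/")
```

Running `deobfuscate` over `SAMPLES` yields the same canonical URL for all four, which is the form to feed to a blacklist lookup.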

Placing the entire spam in JavaScript that rewrites the email contents on load

<HTML><HEAD><SCRIPT LANGUAGE="Javascript"><!--
var Words = "%3CHTML%3E%0D%0A%3CHEAD%3E%0D%0A%3CTITLE%3E%3C/TITLE%3E%0D%0A%3CMETA%20HTTP-EQUIV%3D%22Content-Type%22%20CONTENT%3D%22text/html%3B%20charset%3DBig5%22%3E%0D%0A%3CMETA%20HTTP-EQUIV%3D%22Expires%22%20CONTENT%3D%22Sat%2C%201%20Jan%202000%2000%3A00%3A00%20GMT%22%3E%0D%0A%3CMETA%20HTTP-EQUIV%3D%22Pragma%22%20CONTENT%3D%22no-cache%22%3E%0D%0A%3C/HEAD%3E%0D%0A%3CFRAMESET%20ROWS%3D%22100%25%2C0%22%20FRAMEBORDER%3DNO%20BORDER%3D%220%22%20FRAMESPACING%3D0%3E%0D%0A%3CFRAME%20SRC%3D%22http%3A//203.204.53.231/a1_K_2/e12w_k2/a_w_a_0__2k-1_second%22%20NAME%3D%22AMENU%22%20SCROLLING%3DAUTO%20MARGINHEIGHT%3D0%20MARGINWIDTH%3D0%3E%0D%0A%3CFRAME%20SRC%3D%22%22%20SCROLLING%3DNO%20noresize%3E%0D%0A%3C/FRAMESET%3E%0D%0A%3CNOFRAMES%3E%0D%0A%3C/NOFRAMES%3E%0D%0A%3C/HTML%3E%0D%0A";
function SetNewWords() {
  var NewWords;
  NewWords = unescape(Words);   // decode the percent-encoded page (a frameset pointing at the spammer's server)
  document.write(NewWords);     // and replace the empty message body with it when the mail is rendered
}
SetNewWords();
// --></SCRIPT></HEAD><BODY></BODY></HTML>

Split filtered words with zero-width images

No more imp<IMG SRC="congratulate.gif" height="2" width="0" border="0">otence bullet

MSIE HEX bug

Microsoft Internet Explorer contains a bug that makes it very liberal in its interpretation of hexadecimal colour values: missing digits are treated as 0, and an incorrect digit is simply interpreted as 0. For example, the values #F0F0F0, F0F0F0, F0F0F, #FxFxFx and FxFxFx are all the same.

<font size="1" style="font-size: 1px" color="#FqFeFm">b</font>

In the right corner

Adding a legitimate but odd word at the far right of the subject line (typically preceded by lots of spaces and tabs). The word is designed to poison a Bayesian filter and alter the spam’s hash value.

Subject: FEATURED IN MAJOR MAGAZINES algorithmic

Hide text in the title tag

<title>dinosaur reptile ghueej egrjerijg gerrg</title>

The Rake

Splitting a suspicious word with random characters and using a <DIV> with float: right to move those characters to the right, raking them away so that the suspicious word is revealed.

The Small Picture

Replacing individual letters with embedded images of letters.

Sticky Fingers

Hiding words by misspelling them in a way that simulates a keyboard with an incorrect repeat delay or sticky keys.

Split URLs

Splitting a URL inside an HREF using \r or \n characters.

Spell Breaker

Permuting the letters inside a word; the word is still readable by humans.

example: I finlaly was able to lsoe the wieght I have been sturggling to lose for years! And I couldn't bileeve how simple it was! Amizang pacth makes you shed the ponuds! It's Guanarteed to work or your menoy back!

l33t sp3@k

Replace letters that look like numbers with numbers: V1DE0 T4PE M0RTG4GE

Use accented characters in English

Fántástìç–eárn mõnéy thrôugh unçõlleçted judgments

Adding nonsense words to break Bayesian Filters

crecrephaswukutugucrovazichonuprixisluwephimajoq

Vertical

Hiding a word by writing it vertically, while writing other text horizontally in the same space.

<body bgcolor="#FFFFF9" text="#000009">
<p>
<b><font size="3" color="#FF0007">R</font></b><br>
<b><font size="3" color="#FF0005">O</font></b><br>
<b><font size="3" color="#FF0009">L </font></b>Full 18K Gold
Daytona - $269.00<br>
<b><font size="3" color="#FF0008">E</font></b></font><br>
<b><font size="3" color="#FF0005">X</font></b><br>
</p>

R
O
L Full 18K Gold
Daytona - $269.00
E
X

No whitespace

Save<FONT color=#C0C0C0>U</FONT>time<FONT color=#C0C0C0>P
</FONT>and<FONT color=#C0C0C0>Y</FONT>money<FONT color=#C0C0C0>2
</FONT>on<FONT color=#C0C0C0>B</FONT>your<FONT color=#C0C0C0>J
</FONT>monthly<FONT color=#C0C0C0>A</FONT>meds<FONT color=#C0C0C0>f
</FONT>

SaveUtimeP
andYmoney2
onByourJ
monthlyAmedsf

Black Holes

Use of font size 0 to break up words with zero-width spaces.

V<font size=0>&nbsp;</font>i<font size=0>&nbsp;</font>a<font size=0>&nbsp; </font>g<font size=0>&nbsp;</font>r<font size=0>&nbsp;</font>a

V i a  g r a

Thesaurus

Use uncommon words to get your message across

Set up your own email server with Bayesian filters

Send your test emails through your own email server with Bayesian filters in place, see what gets rejected, and fine-tune your emails before you make a drop.

Collect first and last name data on your signup forms

Merging that data into your email campaigns (the To: field) could help you avoid some spam filters, because it shows you have a relationship with that recipient.

Double Opt-Out

Your email address xxxx@xxxxxxx.com has been submitted to be unsubscribed from the webnetlist mailing list. That unsubscribe command requires debt helpline confirmation that you want to be unsubscribed.

To confirm that you do want to unsubscribe, reply to that message so that the words “ok 4885157” appear somewhere on the subject line.

Make sure that your reply message is addressed to unsubscribe-confirm@yourmembership.net

You will receive notification that your confirmation has been received, and that you have been unsubscribed.

If you do not want to unsubscribe, do nothing. You will be kept on the mailing list.
—-END—-
Q: What effect can this have on you as a massmailer?

A: All you will get (in addition to spam complaints) is:

Lower open rates.
Lower click-through rates.
Lower conversion rates.
Loss of trust and credibility.

Don’t fall for the trap and get on the double opt-out bandwagon. In the quest for a short-term retention of subscribers, you will simply destroy your long-term credibility, trust and response rates.
