SANS Spamming Article You might be interested in.

Andrews Carl 455 Carl.Andrews at
Wed Aug 6 14:57:48 IST 2008

When spammers use your own e-mails
Published: 2008-08-06,
Last Updated: 2008-08-06 12:49:47 UTC
by Bojan Zdrnja (Version: 1) 
0 comment(s) <>  

Some time ago, one of our readers, Mike S, sent an e-mail with an
interesting observation about how spammers used e-mails from one of his
customers (this has been actually sitting in my own inbox for way too

The e-mails contained all "standard" elements such as spoofed headers
etc, but there was a very interesting thing with the body content.

As with most e-mail spammers send, these e-mails were HTML as well.
However, the interesting part was that the spammers took his clients'
e-mails and modified the HTML a bit to include their own message.

The spammers added the link they wanted to spam at the top and then
opened a <TITLE> HTML tag. After the TITLE tag came the full original
e-mail, but the tag was never actually closed. This resulted in Outlook
displaying only the spammed link, but not showing the original e-mail

The raw e-mail looked like this:

Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit

<html><center><FONT SIZE="5" COLOR="#10566D">Spammers
message</font><br><br><A HREF="http://spammers link">http://spammers
<title><body leftmargin=5 topmargin=5 marginwidth=0 marginheight=0>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=white align=center
<tr><td style='{font-family: Verdana, sans-serif;
color=#7a929f;font-weight:700;font-size: 11px;text-transform :

Of course, by using the original e-mail content (which was legitimate
when the client sent it), the spammers are trying to evade Bayesian
filters, and at least in Mike's example they even managed to get
SpamAssassin decrease the final score of the e-mail.

In any case, it's an arms race between spammers and content filter
developers. Thanks Mike again for sending this interesting information
(and sorry it took so long to analyze it).


-------------- next part --------------
An HTML attachment was scrubbed...

More information about the MailScanner mailing list