SANS Spamming Article You might be interested in.

Andrews Carl 455 Carl.Andrews at crackerbarrel.com
Wed Aug 6 14:57:48 IST 2008


 
When spammers use your own e-mails
<http://isc.sans.org/diary.html?storyid=4834>  
Published: 2008-08-06,
Last Updated: 2008-08-06 12:49:47 UTC
by Bojan Zdrnja (Version: 1) 

Some time ago, one of our readers, Mike S, sent an e-mail with an
interesting observation about how spammers used e-mails from one of his
customers (this has been actually sitting in my own inbox for way too
long).

The e-mails contained all "standard" elements such as spoofed headers
etc, but there was a very interesting thing with the body content.

As with most e-mails spammers send, these e-mails were HTML as well.
However, the interesting part was that the spammers took his clients'
e-mails and modified the HTML a bit to include their own message.

The spammers added the link they wanted to spam at the top and then
opened a <TITLE> HTML tag. After the TITLE tag came the full original
e-mail, but the tag was never actually closed. This resulted in Outlook
displaying only the spammed link, but not showing the original e-mail
content. 

The raw e-mail looked like this:

--AlternativeBoundary.22222222.22222222
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit

<html><center><FONT SIZE="5" COLOR="#10566D">Spammers
message</font><br><br><A HREF="http://spammers link">http://spammers
link</A>
<title><body leftmargin=5 topmargin=5 marginwidth=0 marginheight=0>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=white align=center
border=0>
<tr><td style='{font-family: Verdana, sans-serif;
color=#7a929f;font-weight:700;font-size: 11px;text-transform :
capitalize;}'>
.... ORIGINAL MAIL CONTENT ... 
</td></tr>
</table><p>&nbsp;</p>
</body>

Of course, by using the original e-mail content (which was legitimate
when the client sent it), the spammers are trying to evade Bayesian
filters, and at least in Mike's example they even managed to get
SpamAssassin to decrease the final score of the e-mail.

In any case, it's an arms race between spammers and content filter
developers. Thanks Mike again for sending this interesting information
(and sorry it took so long to analyze it).

--
Bojan

Source: http://isc.sans.org/diary.html?storyid=4834
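
A filter-side check for the trick described in the article, as an added example that is not part of the original post or the diary: it walks a message's text/html parts and flags any part that opens a <TITLE> tag without ever closing it, reporting how much text sits before and after that point. The function names, the word-count metric and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

TITLE_OPEN = re.compile(r"<title\b[^>]*>", re.I)
TITLE_CLOSE = re.compile(r"</title\s*>", re.I)
TAG = re.compile(r"<[^>]+>")
HREF = re.compile(r"href\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def unclosed_title(html):
    """Offset just past a <title> that is never closed, or None."""
    pos = 0
    while (m := TITLE_OPEN.search(html, pos)):
        close = TITLE_CLOSE.search(html, m.end())
        if close is None:
            return m.end()
        pos = close.end()
    return None

def inspect_message(raw):
    """Report every text/html part whose body sits inside an open <title>."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "latin-1"
        html = part.get_payload(decode=True).decode(charset, "replace")
        off = unclosed_title(html)
        if off is None:
            continue
        findings.append({
            "visible_links": HREF.findall(html[:off]),   # what the reader sees
            "visible_words": len(TAG.sub(" ", html[:off]).split()),
            "hidden_words": len(TAG.sub(" ", html[off:]).split()),  # filter-only text
        })
    return findings

# Constructed sample, shaped like the raw e-mail shown in the article.
SAMPLE = """\
Subject: constructed sample
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html; charset="ISO-8859-1"

<html><center><FONT SIZE="5">Spammers message</font><br>
<A HREF="http://spam.example/x">http://spam.example/x</A>
<title><body><table><tr><td>Quarterly invoice reminder for our valued customers</td></tr></table></body>
--b1--
"""
```

A part where hidden_words far exceeds visible_words is the pattern described above: the content filter scores text that the mail client never displays.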