Spam: An anatomy of a spam

Damn! I’ve just been hit by another “hit-and-run” spammer. They sent around 900 spam emails to me in little under an hour (I was busy doing other things so I didn’t notice the start of the run). Drat! Only 76 got reported to SpamCop though.

What really got annoyed was the fact that they had sent 20 identical messages to the same email address each time. And they had an average size of 20.7Kb each. Richy nashes teeth

So, for your “amusement” and interest, I have “captured” one of the spams and “disassembled” it for you.

An anatomy of the spam I received….

Received: from punt-1.mail.demon.net by mailstore for submit@spamarchive.org
id 1038227951:10:13224:267; Mon, 25 Nov 2002 12:39:11 GMT

This, although it is the first Received: line, is technically the last one. This shows that one my POP3 mail servers (ya know, the servers which you ‘normally’ pick up your email from) received a message destined for my email address (here substituted with submit@spamarchive.org to try and catch spammers) at 12:39:11GMT on Monday.

Received: from [203.206.197.10] ([203.206.197.10]) by punt-1.mail.demon.net
id aa1018094; 25 Nov 2002 12:38 GMT

This line shows the mail server (punt-1.mail.demon.net) actually receiving the spam from the spammer’s server. You’ll notice that there are two sets of IP addresses shown: the first is what the sending mail server “claims” to be, the the second (in brackets) is what “my” mail server recognised the sending server as. Usually you may see something like “outbound.example.com ([127.0.0.1])” – this shows that the sending mail server claimed to be the server at “outbound.example.com” and “my” mail server detected its IP as 127.0.0.1 (which is wouldn’t do normally as the 127.x.x.x is a reserved “netblock” for loopback testing and hence shouldn’t be seen in “the wild”: other reserved netblocks are 10.x.x.x, 172.(16-31).x.x, and 192.168.x.x). Example.com is a “reserved” domain name as well.

Since I know I can “trust” punt-1.mail.demon.net to correctly report the IP address of the sending server and since this is the first Received: line, I know that the spam was sent for 203.206.197.10. Looking up the IP address via SamSpade reveals that it belongs to the netrange 202.0.0.0 to 203.255.255.255 which is suballocated by the APNIC (Asia Pacific Network Information Centre). So off we pop to their website do a quick WhoIs search and we find out that the sub-range 203.206.0.0 to 203.206.255.255 is allocated to “Flow Communications” in Sydney, Australia. So we’ll notify them of this abuse of their “Terms And Conditions Of Usage”

Checking the IP address against a the Multi-RBLs list of open relays reveals the company that uses 203.206.197.10 (as Flow Communications are just their ISP) are operating what is called an ‘open-relay’: a email server that will allow anyone to send email through it. In the early days of the internet, this was a good thing as mail would get to the destination no matter what: but they were so abused that running an open relay mail server is “bad” and there are a number of blacklists listing these abused servers.

Reply-To: <alerene22qxi328@example.com>

Many spammers use fake ‘Reply-To:’ and ‘From:’ lines to ensure that bounced mail and complaints don’t come back to them. If their product/service was so good, why go through the effort of hiding who you are? In this instance, we do not complain to “example.com” (not the original domain) as they are an innocent bystander who is probably already p—d off with the number of complaints they have received.

Message-ID: <031d55d43e2e$5838d4a5$7cc23bc1@owhsfv>

The message ID can be ignored 99.99% of the time – it is extremely rare that it provides any useful information – occasionally you may be able to recognise the “pattern” of the message ID and work out which item of SpamWare software the spammer is using to send the message, but even that information is near enough worthless.

From: <alerene22qxi328@example.com>

See “Reply-To:” above.

To: <submit@spamarchive.org>

Now, this is unusual – a “To: ” line with the email address that the spam was sent to correctly filled in! Usually, you may find a whole list of email addresses in this field (or the “CC:” field), or something like “Undisclosed Recipient” as the spammer used a similar system to BCC: (Blind Carbon Copy) to send out the spams. A “unique” To: line like this indicates that the spam was sent in a manner of one-at-a-time: for bulk emailing, this is slower (as instead of sending one spam to several million addresses, you send one spam to a single address repeated several million times), but it does get through some peoples spam filters (as they filter on the basis “Is my email address in to To: field”).

Subject: Need a Mortgage Loan That Works For You, 5.25% 30 yr. Fixed Rate.

A mortgage for 30years? shudder No thanks, my now 23 year mortgage is more than long enough! Plus, it’ll probably only be only applicable to US residents (although they sent the spam to email addresses ending in .co.uk)

Date: Mon, 25 Nov 2002 12:34:02 -0000
MiME-Version: 1.0
Content-Type: multipart/mixed;
boundary=”—-=_NextPart_000_00E3_62A22B6D.B7818C24″
X-Priority: 3 (Normal)

Standard email headers – but the multipart/mixed line indicates that this message could could have attachments to it.

X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
Importance: Normal

Whilst it is possible for someone to send bulk email using Microsoft Outlook Express, it isn’t conceivable that someone would do this as it would be too time-consuming. Therefore, it is common for spammers to set lines like X-Mailer: to ‘imitate’ or ‘fake’ a valid email program’s details: after all, lots of spam sent out tagged ‘X-Mailer: SpamWare 1.94 Super!’ would soon be filtered and blocked…

<html>

Nooo! HTML email! Do NOT ever send me HTML email: email was designed to be plain ASCII text which can be read by practically anything. HTML mail limits you to using things like Microsoft Outlook and similar programs which support HTML inline. If I decide to read my email “on the server” or via MailWasher, then I just get a bunch of HTML code.

Plus, the fact that HTML mail can contain web bugs – which are references to little images on the spammer’s server which will allow them to see who has ‘opened’ their email. Oh, and HTML mail could also include Javascript/ActiveX style components which could do all sorts of nasty things to your machine (see the KAK Worm for an example of this). Just to let you all know, I’ve disabled all ‘scripting’ components from running in my mail client (I personally would prefer to use ANT’s Marcel email client as it is a ‘no-frills’ package which doesn’t support HTML) and I’ve also limited the ports+machines my email client can attach to: therefore web bugs, “inline graphics” etc just will not run on my machine.

[snipped large chunk of email]
<a title=”http://rd.yahoo.com/468/103/*http://INNOCENT.EXAMPLE.com/m1000/”
href=”http://EXAMPLE.COM/d/mortgage3″>

Here we see signs of the spammer being crafty. The <a title> just acts as an indicator to where this link leads to: it will appear on the users screen and in their ‘status’ bar and is usually used for ‘informative’ items. However, in this case, the spammer is framing TWO innocent parters: Yahoo and “Innocent Example”.

For “user-tracking” purposes, Yahoo redirects people following certain links from their site through their “redirection” server http://rd.yahoo.com – however, it is easy to change the parameters of the “destination” the redirect is going to and hence anyone visiting that link will go to the http://innocent.example.com/ site via Yahoo!. However, and this is the sneaky part, spam complaints MAY get directed to Yahoo! as their URL is being “spamvertised” in this manner – luckily, SpamCop and many other semi-automated systems are “wise” to this trick and don’t send complaints to Yahoo.

The “real” URL of the spammers site is shown in the ‘href’ section – in this case it would be (the real URL has now been shut-down by the spammer’s ISP).

Anti-SPAM Policy Disclaimer: Under Bill s.1618 Title III passed by the 105th U.S. Congress, mail cannot be considered spam as long as we include contact information and a remove link for removal from this mailing list. If this e-mail is unsolicited, please accept our apologies. Per the proposed H.R. 3113 Unsolicited Commercial Electronic Mail Act of 2000, further transmission to you by the sender may be stopped at NO COST to you! <a href=”mailto:chrisericson6@hotmail.example.com”>Remove</a>

Ok, first of all, I’m UK based so this is not relevant to me (but the UK Computer Misuse Act section 3.2 does apply to my systems – and I never authorised the spammer to use them!), secondly this was advertising a mortgage service and advertisements for said services in the UK need a disclaimer such as: “YOUR HOME IS AT RISK IF YOU DO NOT KEEP UP YOUR REPAYMENTS ON A MORTGAGE OR OTHER LOAN SECURED ON IT and thirdly – S1618 was never passed as a law!

Yep, that’s what – the spammer is lying to us “big time”, here’s the background:
The US Senate Bill 1618 (aka “S.1618”) had a section (301) referring to transmissions of unsolicited commercial email (aka “spam” to me). It was approved by the US Senate on the 12th of May 1998 and referred to the House Committee On Commerce on 21st October 1998. However, the Bill then “died” and did not become law. And as this article states, to actually comply with this non-existent law, spammers would have to include their name, physical address, email address and telephone number at the beginning of the email. So, bang, this email definitely does NOT comply with the law.

Continuing on “Per the proposed” – proposed: i.e. not law “further transmission to you by the sender may be stopped at NO COST to you“, so my bandwidth, time and storage (because I keep all copies of outgoing email) is no worthless? I think I can count all of those as valid costs…

It then gives me a “email drop box” address (on Hotmail) to send an email to if I want to get off their list (a list I never asked to be on in the first place). I have never responded in this manner for the reasons Abuse.net outlines: basically it is not in a spammers best interest for people to be able to remove their addresses and just going to their site/emailing them just confirms that somebody read their email. And anyway, the “default” Hotmail account size is just 2Mb: imagine if everybody sent a removal request to that account-it’ll soon fill up wouldn’t it? I doubt that this email address actually ever existed, and if it did Hotmail (again innocent “bystanders” just like Yahoo!) have probably shut it down by now anyway.

<!–START Zcounter.com COUNTER CODE, DO NOT MODIFY–>[snipped]
<a
href=”http://www.zcounter.com/c2/statsviewer.cgi?page=barrycooper”><img
src=”http://www.zcounter.com/c2/stats.cgi?page=barrycooper” height=”15″
width=”15″ border=0 alt=”View Stats”></a&gt

This is crafter- using a third party as a ‘web-bug’ host. Basically, every time this email is opened using a “HTML-aware” email client (such as Microsoft Outlook) it will try and fetch an image from Zcounter’s server (which appears to be dead at this moment in time) and it will “count” that the person has read the email. Therefore the spammer can work out some statistics such as ‘number of emails sent, number of emails read, number of responses’.

If they were crafter and could find a reliable webhost that was willing to become known as hosting spamvertised websites, then they could have set up a similar tracking system and find out exactly who read the email….

And there concludes “An Anatomy of a Spam”. Next time on “The Online School of Hard Knocks – Department Common Sense”, I will be telling you how it is a bad idea to get reaallllyyy drunk….