How Spam Works
April 30, 2004 2:03 PM
A question about SPAM. It's a new trick and I'm wondering how they do it. (more inside.)
I use MS Outlook 2000 with autopreview enabled. Lately I've been finding spam email in my box that autopreviews certain random sentences -- obviously an attempt to get past my spam filters. But interestingly, the text that appears in autopreview appears absolutely nowhere in the body of the email itself, which usually has entirely DIFFERENT random sentences. Am I being clear? I'll post an example in a moment to illustrate.
My question is, how are they doing this? Where is the autopreview data being stored, if it doesn't show up in the body? And why would they want to spoof to this level anyway?
(As an interesting aside, sometimes the anti-filter quotations are intriguing enough that I actually open the email to read the rest of the quotations. Now if that isn't mind-blowing, I don't know what is... spam that is interesting enough that I actually care to open it.)
Response by poster: Here's a screenshot of an example. Note that I've checked the source of the email and the mystery sentences don't appear. Thanks for answering my curiosity!
the example
posted by Jonasio at 2:23 PM on April 30, 2004
Just quickly glancing at the screenshot, I'd guess that they have put the words you see in hidden text at the top of the email - either by making them so small as to be unreadable and the same colour as the background, or by putting them in comment tags or [noscript] tags. You see the same tricks on web pages sometimes...
posted by humuhumu at 2:27 PM on April 30, 2004
Response by poster: humuhumu, I've seen that many times, but not in the case of these mystery emails. Thanks, though.
posted by Jonasio at 2:28 PM on April 30, 2004
It could be that the plain text portion is showing up in the autopreview, and the HTML part shows up when it displays the actual message. (or what humuhumu said)
posted by zsazsa at 2:29 PM on April 30, 2004
Response by poster: For further clarification, here's a screenshot of the source for this particular spam. No javascript. No indication of the sentences that appear in the autopreview. Weird, huh?
the source
posted by Jonasio at 2:34 PM on April 30, 2004
frames, maybe?
posted by Sangre Azul at 2:52 PM on April 30, 2004
That's the source of the email's HTML part, not the entire email. My money's on the mystery text being in the plain text portion. I don't really know much about Outlook, so I'm not sure how you can get.
(If anyone doesn't know, email is sent with the MIME standard, which allows multiple parts in varying formats, and also allows for attachments. If there's an HTML part, most mailers will display that first; otherwise it displays the plain text part.)
posted by zsazsa at 2:53 PM on April 30, 2004
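As an added illustration of zsazsa's theory (this is example code, not anything from the thread or from Outlook): a multipart/alternative message whose text/plain and text/html parts carry different content, plus a check a mail filter could use to flag such mismatched alternatives. The message body, addresses and word-overlap threshold are constructed for the example.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
import re

class _TextExtractor(HTMLParser):
    """Collect the visible text of an HTML part (tags dropped, whitespace collapsed)."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

def build_message(plain: str, html: str) -> bytes:
    """Constructed multipart/alternative message with a text/plain and a text/html part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "hello"
    msg.set_content(plain)                       # text/plain alternative
    msg.add_alternative(html, subtype="html")    # text/html alternative
    return msg.as_bytes()

def alternative_parts(raw: bytes):
    """Return (plain text, visible text of the HTML part) of a parsed message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    plain, html = "", ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            plain = part.get_content().strip()
        elif part.get_content_type() == "text/html":
            ex = _TextExtractor()
            ex.feed(part.get_content())
            html = " ".join(" ".join(ex.chunks).split())
    return plain, html

def preview_text(raw: bytes, n: int = 60) -> str:
    """What a client that builds its preview from the text/plain part would show."""
    return alternative_parts(raw)[0][:n]

def alternatives_disagree(raw: bytes, threshold: float = 0.5) -> bool:
    """Filter check: flag a message whose two alternatives share few words (Jaccard overlap)."""
    words = lambda s: set(re.findall(r"[a-z']+", s.lower()))
    a, b = (words(p) for p in alternative_parts(raw))
    if not a or not b:
        return False
    return len(a & b) / len(a | b) < threshold
```

A client that previews the text/plain part but renders the text/html part on open would show exactly the mismatch described in the question; the overlap check turns that mismatch into a filterable signal.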
Er, sorry, I meant: I don't really know much about Outlook, so I'm not sure how you can get to the plain text part. I know there's a way to view message headers, but I don't know of a way to display the entire raw contents of an email, including not-displayed MIME parts)
posted by zsazsa at 2:55 PM on April 30, 2004
That's funny... I get that same spam email, which has proved incredibly resistant to Mozilla's filters.
posted by ph00dz at 3:10 PM on April 30, 2004
Response by poster: Extra thanks to Andrew Cooke and Richard Parker, who attempted to answer this question off-thread by email. Richard does not have a mefi account, but answered anyway. His answer seems like a probable solution to this mystery:
Avoiding assumptions of correct behavior on the part of third-parties, particularly those who might be malicious, is an important part of defensive programming. I suspect what is occurring is an example of Outlook placing too much trust in the validity of e-mail headers; in particular, I think that you have received more than one piece of spam e-mail that have the same "Message-ID:" header.
The value of the "Message-ID:" header is supposed to be unique to each e-mail, but perhaps the spammer has sent you several with identical IDs. This might confuse an e-mail program if the programmers relied on this value being unique. For example, the Microsoft engineers who wrote Outlook might have decided to improve performance by looking up pre-computed previews in a database using the message ID as a key instead of, perhaps, computing the preview on-the-fly as necessary. If they did, and there were multiple previews stored with the same ID, you might end up seeing a preview computed for an earlier message rather than the correct one. You could verify this by looking for an earlier spam message that contains the garbage text that you see in the preview and checking if the two e-mails have the same message ID.
Unfortunately, I recently deleted my old spam, so I have no way to search for an identical spam like Richard mentions. But at the moment I'm pretty sure that this is a correct answer.
Thanks again, Richard. Somebody get this man a mefi account!
posted by Jonasio at 3:30 PM on April 30, 2004
i agree with zsazsa - i asked jonas to forward me the email (which he kindly did), but outlook isn't forwarding the whole email, so it's difficult to tell (it seems that "forward" in outlook is just like "reply", but with a different address, rather than bundling up the email as an attachment, so i get nothing more than a quoted chunk from the original below a message from jonas...)
[on preview - neat idea. could be.]
posted by andrew cooke at 3:32 PM on April 30, 2004
Response by poster: Question posted: 4:03 pm local time.
Email received: 5:04 pm local time.
MeFi came through in 61 minutes.
Thanks.
posted by Jonasio at 3:48 PM on April 30, 2004
FYI: using auto-Preview in Outlook 2000 has been known to be a security risk, you should leave it off if possible.
posted by falconred at 4:06 PM on April 30, 2004
I don't buy the mixed up message ID thing. I doubt outlook uses message IDs for anything apart from threading, and more significantly, the random word strings in the text part of a multipart/alternative spam are very common these days. I'm going to go with zsazsa's theory that it uses the plaintext version for preview.
posted by fvw at 6:45 PM on April 30, 2004
Response by poster: Here's a way to test the theory: the message ID for this email is
Message-ID: D2CA6B6871448D6@endoderm
ph00dz, or anybody else that has received this particular spam, if you'd kindly check your spam's ID against this one, we'll know if the spammer is recycling the same ID or not.
Worth a shot, anyway.
posted by Jonasio at 6:57 PM on April 30, 2004
Sorry for the self link, but my heywood@jablome.com experiment captured the spam here.
I got the headers 'n' everything if you want to check it out.
posted by ph00dz at 1:35 AM on May 1, 2004
it has the structure zsazsa predicted, while the message id is different, which doesn't support richard's idea. but that's not conclusive - someone needs to view the same email in outlook. if the preview shows the text visible directly in the link above, but viewing the item shows the "html page" then zsazsa has it.
posted by andrew cooke at 4:48 AM on May 1, 2004
ps the site's a nice idea (thought i'd seen this discussed somewhere - was it on /. or ntk?)
posted by andrew cooke at 4:49 AM on May 1, 2004
As an interesting aside, sometimes the anti-filter quotations are intriguing enough that I actually open the email to read the rest of the quotations. Now if that isn't mind-blowing, I don't know what is... spam that is interesting enough that I actually care to open it.
In other news, some people are so intrigued by an ad that they buy the associated product.
posted by bingo at 5:25 AM on May 1, 2004
I'm with Jonasio. I've never bought generic viagra or whatever they're selling, but I can't resist the Finnegans-Wakesque poetry of "grand piano living with corporation brainwash polar bear from salad dressing" when it pops up after a message from my boss talking about "leveraging synergies" and similar management bullshit ...
posted by Pericles at 9:01 AM on May 1, 2004
This thread is closed to new comments.
posted by crunchland at 2:15 PM on April 30, 2004