Comments on: How Spam Works

Question: How Spam Works

Jonasio — Fri, 30 Apr 2004 14:03:39 -0800

A question about SPAM. It's a new trick and I'm wondering how they do it. (more inside.)

I use MS Outlook 2000 with autopreview enabled. Lately I've been finding spam email in my box that autopreviews certain random sentences -- obviously an attempt to get past my spam filters. But interestingly, the text that appears in autopreview appears absolutely nowhere in the body of the email itself, which usually has entirely DIFFERENT random sentences. Am I being clear? I'll post an example in a moment to illustrate.

My question is, how are they doing this? Where is the autopreview data being stored, if it doesn't show up in the body? And why would they want to spoof to this level anyway?

(As an interesting aside, sometimes the anti-filter quotations are intriguing enough that I actually open the email to read the rest of the quotations. Now if that isn't mind-blowing, I don't know what is... spam that is interesting enought that I actually care to open it.)

By: crunchland

crunchland — Fri, 30 Apr 2004 14:15:53 -0800

It's hard to say without seeing the email, but one way I can think to do that is by embedding javascript into an html document and having it spit out random things. You can look at the html code of an email by right clicking on the email, choosing Properties, Details, and then Message Source.

By: Jonasio

Jonasio — Fri, 30 Apr 2004 14:23:51 -0800

Here's a screenshot of an example. Note that I've checked the source of the email and it the mystery sentences don't appear. Thanks for answering my curiosity!

the example

By: humuhumu

humuhumu — Fri, 30 Apr 2004 14:27:28 -0800

Just quickly glancing at the screenshot, I'd guess that they have put the words you see in hidden text at the top of the email - either by making them so small as to be unreadable and the same colour as the background, or by putting them in comment tags or [noscript] tags. You see the same tricks on web pages sometimes...

By: Jonasio

Jonasio — Fri, 30 Apr 2004 14:28:27 -0800

humuhumu, I've seen that many times, but not in the case of these mystery emails. Thanks, though.

By: zsazsa

zsazsa — Fri, 30 Apr 2004 14:29:14 -0800

It could be that the plain text portion is showing up in the autopreview, and the HTML part shows up when it displays the actual message. (or what humuhumu said)

By: Jonasio

Jonasio — Fri, 30 Apr 2004 14:34:12 -0800

For further clarification, here's a screenshot of the source for this particular spam. No javascript. No indication of the sentences that appear in the autopreview. Weird, huh?

the source

By: Sangre Azul

Sangre Azul — Fri, 30 Apr 2004 14:52:05 -0800

frames, maybe?

By: zsazsa

zsazsa — Fri, 30 Apr 2004 14:53:43 -0800

That's the source of the email's HTML part, not the entire email. My money's on the mystery text being in the plain text portion. I don't really know much about Outlook, so I'm not sure how you can get.

(If anyone doesn't know, email is sent with the MIME standard, which allows multiple parts in varying formats, and also allows for attachments. If there's an HTML part, most mailers will display that first; otherwise it displays the plain text part.)

By: zsazsa

zsazsa — Fri, 30 Apr 2004 14:55:05 -0800

Er, sorry, I meant: I don't really know much about Outlook, so I'm not sure how you can get to the plain text part. I know there's a way to view message headers, but I don't know of a way to display the entire raw contents of an email, including not-displayed MIME parts)

By: ph00dz

ph00dz — Fri, 30 Apr 2004 15:10:05 -0800

That's funny... I get that same spam email, which has proved incredibly resistant to Mozilla's filters.

By: Jonasio

Jonasio — Fri, 30 Apr 2004 15:30:14 -0800

Extra thanks to Andrew Cooke and Richard Parker, who attempted to answer this question off-thread by email. Richard does not have a mefi account, but answered anyway. His answer seems like a probable solution to this mystery:

Avoiding assumptions of correct behavior on the part of third-parties, particularly those who might be malicious, is an important part of defensive programming. I suspect what is occurring is an example of Outlook placing too much trust in the validity of e-mail headers, in particular I think that you have received more that one piece of spam e-mail that have the same "Message-ID:" header.

The value of the "Message-ID:" header is supposed to be unique to each e-mail, but perhaps the spammer has sent you several with identical IDs. This might confuse an e-mail program if the programmers relied on this value being unique. For example, the Microsoft engineers who wrote Outlook might have decided to improve performance by looking up pre-computed previews in a database using the message ID as a key instead of, perhaps, computing the preview on-the-fly as necessary. If they did, and there were multiple previews stored with the same ID, you might end up seeing a preview computed for an earlier message rather the correct one. You could verify this by looking for an earlier spam message that contains the garbage text that you see in the preview and checking if the two e-mails have the same message ID.

Unfortunately, I recently deleted my old spam, so I have no way to search for an identical spam like Richard mentions. But at the moment I'm pretty sure that this is a correct answer.

Thanks again, Richard. Somebody get this man a mefi account!

By: andrew cooke

andrew cooke — Fri, 30 Apr 2004 15:32:27 -0800

i agree with zsazsa - i asked jonas to forward me the email (which he kindly did), but outlook isn't forwarding the whole email, so it's difficult to tell (it seems that "forward" in outlook is just like "reply", but with a different address, rather than bundling up the email as an attachment, so i get nothing more than a quoted chunk from the original below a message from jonas...)

[on preview - neat idea. could be.]

By: Jonasio

Jonasio — Fri, 30 Apr 2004 15:48:20 -0800

Question posted: 4:03 pm local time.
Email received: 5:04 pm local time.

MeFi came through in 61 minutes.

Thanks.

By: falconred

falconred — Fri, 30 Apr 2004 16:06:52 -0800

FYI: using auto-Preview in Outlook 2000 has been known to be a security risk, you should leave it off if possible.

By: fvw

fvw — Fri, 30 Apr 2004 18:45:51 -0800

I don't buy the mixed up message ID thing. I doubt outlook uses message IDs for anything apart from threading, and more significantly, the random word strings in the text part of a multipart/alternative spam are very common these days. I'm going to go with zsazsa's theory that it uses the plaintext version for preview.

By: Jonasio

Jonasio — Fri, 30 Apr 2004 18:57:13 -0800

Here's a way to test the theory: the message ID for this email is

Message-ID: D2CA6B6871448D6@endoderm

ph00dz, or anybody else that has received this particular spam, if you'd kindly check your spam's ID against this one, we'll know if the spammer is recycling the same ID or not.

Worth a shot, anyway.

By: ph00dz

ph00dz — Sat, 01 May 2004 01:35:51 -0800

Sorry for the self link, but my heywood@jablome.com experiment captured the spam here.

I got the headers 'n' everything if you want to check it out.

By: andrew cooke

andrew cooke — Sat, 01 May 2004 04:48:47 -0800

it has the strcuture zsazsa predicted, while the message id is different, which doesn't support richard's idea. but that's not conclusive - someone needs to view the same email in outlook. if the preview shows the text visible directly in the link above, but viewing the iterm shows the "html page" then zsazsa has it.

By: andrew cooke

andrew cooke — Sat, 01 May 2004 04:49:47 -0800

ps the site's a nice idea (thought i'd seen this discussed somewhere - was it on /. or ntk?)

By: bingo

bingo — Sat, 01 May 2004 05:25:18 -0800

As an interesting aside, sometimes the anti-filter quotations are intriguing enough that I actually open the email to read the rest of the quotations. Now if that isn't mind-blowing, I don't know what is... spam that is interesting enought that I actually care to open it.

In other news, some people are so intrigued by an ad that they buy the associated product.

By: Pericles

Pericles — Sat, 01 May 2004 09:01:08 -0800

I'm with Jonasio. I've never bought generic viagra or whatever they're selling, but I can't resist the Finnegans-Wakesque poetry of "grand piano living with corporation brainwash polar bear from salad dressing" when it pops up after a message from my boss talking about "leveraging synergies" and similar management bullshit ...