| OsakaWebbie |
Dec 4 2004, 03:02 AM
Post
#1
|
|
Newbie Group: Members Posts: 7 Joined: 4-December 04 Member No.: 3150 |
I keep my email software (Becky! version 2) in a mode where HTML emails display the HTML source instead of formatting it, to prevent <img> requests from alerting spammers that I have "read" the mail. Normally that works great for reporting, also - the message view area of the software has a tab for plain text, a tab for HTML, and a tab for the header, so I use Spamcop's two-part reporting form and put the HTML source (or plain text if not an HTML message) in the email body field.
But I just got a spam that is very tricky. In the plain text view it simply says, "denseness", and in the HTML source view it simply says, "glacial". How did they manage to get it to do that??? Even though the header appears to have the normal amount of information, Spamcop refuses to do anything with it because of the message body, saying the following:

QUOTE
Parsing input: glacial
host glacial (getting name) no name
glacial is not a hostname
glacial is not a hostname
Cannot resolve glacial
No valid email addresses found, sorry!

So what do I do? I don't really want to turn on the HTML interpreter (although I am curious what it would show me) - if the creator of the mail was that tricky, who knows what they have programmed into their "invisible" HTML. I didn't realize that Spamcop required every spam's message body to contain an email address, but it apparently does. I suppose without either an email address or URL one wonders what the spammer wants to get from the recipient, but whether there's any action for gullible people to take or not, it's still spam. Please suggest a course of action - thanks. |
| Wazoo |
Dec 4 2004, 07:42 AM
Post
#2
|
|
What Life? Group: Forum Admin Posts: 12536 Joined: 22-January 04 From: Iowa Member No.: 18 |
The Tracking URL of this failed item so "we" can "see" what you've got. Not sure where you came up with the "body must contain an e-mail" thing ... the error message you provided is referencing that an "abuse type" address can't be found for the "hostname" it can't resolve.
|
| DavidT |
Dec 4 2004, 07:13 PM
Post
#3
|
|
Been There Group: Memberp Posts: 1897 Joined: 28-January 04 Member No.: 63 |
I don't think there's anything hidden in the HTML that will enable any reporting options, because I've just started seeing a few of these messages myself. They contain two parts...a plain text and an HTML, and both contain a single, but different, random word, and nothing else.
The purpose of the messages is a bit mysterious, in that they're not advertising anything. They might be coming from "zombie" computers, and they might be "dictionary" attacks, generated to determine which addresses at a given domain exist and which don't, but that's only a guess. I deleted the ones I had, but I'll take a closer look at the next one that comes through. DT |
| Miss Betsy |
Dec 5 2004, 08:24 AM
Post
#4
|
|
T-shirt wearing out Group: Membersph Posts: 3332 Joined: 2-February 04 Member No.: 174 |
Here is one that I received so that people can see (or can see what the parser does). I can't use the spamcop parser because it is not in my mailhosts (and I don't want to take the time to set it up since I rarely get spam that I can report on this account)
Miss Betsy

Received: from unknown (HELO 218-164-79-207.dynamic.hinet.net) (218.164.79.207) by host142.ipowerweb.com with SMTP; 4 Dec 2004 04:51:15 -0000
Received: from mepserv.com (mail.mepserv.com [63.99.209.63]) by 218-164-79-207.dynamic.hinet.net with esmtp id 06CA788AE4 for <x>; Fri, 03 Dec 2004 23:42:07 -0500
Message-ID: <111101c4d9bb$6cc62047$b3f22aa5[at]mepserv.com>
From: "Taprooms R. Albumin" enshrouds < @ >mepserv.com (munged in case it is forged)
To: x <x>
Subject: exorbitantly
Date: Fri, 03 Dec 2004 23:42:07 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0030_5679E2CD.4E7E374A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Virus-Scanned: by amavisd-milter at 218-164-79-207.dynamic.hinet.net
Return-Path: enshrouds < @ >mepserv.com (munged in case it is forged)
X-OriginalArrivalTime: 04 Dec 2004 04:57:18.0570 (UTC) FILETIME=[BB2F44A0:01C4D9BD]

This is a multi-part message in MIME format.

------=_NextPart_000_0030_5679E2CD.4E7E374A
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

gaping

------=_NextPart_000_0030_5679E2CD.4E7E374A
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

whirs

------=_NextPart_000_0030_5679E2CD.4E7E374A--

--------------------
an almost new internet user
if you don't think your post has been answered sufficiently, please email service[at]admin.spamcop.net |
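The two-part, one-word structure described in this thread can be checked mechanically. The Python sketch below is an added example, not part of the original thread and not SpamCop's parser; the sample is constructed from the message posted above with a placeholder example.com address, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample modelled on the posted message (headers trimmed,
# munged address replaced with an example.com placeholder).
SAMPLE = """\
From: "Taprooms R. Albumin" <enshrouds@example.com>
Subject: exorbitantly
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0030_5679E2CD.4E7E374A"

This is a multi-part message in MIME format.

------=_NextPart_000_0030_5679E2CD.4E7E374A
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

gaping

------=_NextPart_000_0030_5679E2CD.4E7E374A
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

whirs

------=_NextPart_000_0030_5679E2CD.4E7E374A--
"""

URL_OR_ADDR = re.compile(r"https?://[^\s\"'<>]+|[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def body_parts(raw):
    """Return [(content_type, decoded_text)] for each text/* part."""
    parts = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            # latin-1 maps every byte, so decoding cannot fail on odd input
            parts.append((part.get_content_type(), payload.decode("latin-1").strip()))
    return parts

def reportable_items(raw):
    """URLs and e-mail addresses found in the body parts (headers excluded)."""
    return [m for _, text in body_parts(raw) for m in URL_OR_ADDR.findall(text)]

def is_single_word_probe(raw):
    """True when every text part is one bare word with nothing reportable."""
    parts = body_parts(raw)
    return bool(parts) and not reportable_items(raw) and all(
        re.fullmatch(r"[A-Za-z]+", text) for _, text in parts)
```
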
| DavidT |
Dec 5 2004, 10:37 AM
Post
#5
|
|
Been There Group: Memberp Posts: 1897 Joined: 28-January 04 Member No.: 63 |
QUOTE(Miss Betsy @ Dec 5 2004, 06:24 AM)
Here is one that I received so that people can see (or can see what the parser does).

I just parsed your example (only the headers, because there's nothing in the body of any consequence), and here's the Tracking URL: http://www.spamcop.net/sc?id=z699478728zb3...ee599e033c044cz
DT |
| Jeff G. |
Dec 5 2004, 12:18 PM
Post
#6
|
|
T-shirt wearing out Group: Membersph Posts: 3730 Joined: 2-July 04 From: Northeast New Jersey (New York Metro Area), USA ... Please read my sig. :) Member No.: 2041 |
It appears that you can use the parser without reference to your mailhosts configuration if you do the following:
This post has been edited by Jeff G.: Dec 5 2004, 12:19 PM -------------------- Best Regards, Jeff G. (full signature)
|
| DavidT |
Dec 5 2004, 03:56 PM
Post
#7
|
|
Been There Group: Memberp Posts: 1897 Joined: 28-January 04 Member No.: 63 |
QUOTE(Jeff G. @ Dec 5 2004, 10:18 AM)
It appears that you can use the parser without reference to your mailhosts configuration if you do the following...

Excellent, Jeff! Is this in the FAQ anywhere? If not, it sure needs to be, because this is one of the big "minuses" of participating in the mailhosts system. I did the parse above using some of the remaining bytes in an old reporting-only account, but it's down to only 12.3K bytes of "fuel."
DT |
| Wazoo |
Dec 5 2004, 05:24 PM
Post
#8
|
|
What Life? Group: Forum Admin Posts: 12536 Joined: 22-January 04 From: Iowa Member No.: 18 |
QUOTE(DavidT @ Dec 5 2004, 02:56 PM)
Is this in the FAQ anywhere? If not, it sure needs to be, because this is one of the big "minuses" of participating in the mailhosts system.

I stuck it in under "General Information about SpamCop" .... one of those things that only a few folks would need (those trying to look at other people's spam submittals) ... back to that there has yet to be an actual FAQ written up for MailHost to begin with ... having it so far down will also hopefully rule out possible issues with some that would mis-apply this data, figuring most folks will stop reading long before they reach this point. |
| Miss Betsy |
Dec 6 2004, 06:08 AM
Post
#9
|
|
T-shirt wearing out Group: Membersph Posts: 3332 Joined: 2-February 04 Member No.: 174 |
Well, it is good to know that there is a way to get around mailhosts - not that I will probably remember it!
The point of posting the entire thing (which is short) was to see if the parser got confused about the body part as the OP was suggesting and returned an error message or whether it was something in the procedure that they were using. I don't understand what 'turning on' and off the HTML would have to do with the spam not being parsed correctly. It sounds to me as though the OP doesn't truly get the message source and probably if one opens this spam, one doesn't see either word so that the parser thinks it has no body. Or maybe that his email reader doesn't see plain text if there is a certain setting for HTML and can't see the HTML either. Miss Betsy -------------------- an almost new internet user
if you don't think your post has been answered sufficiently, please email service[at]admin.spamcop.net |
| DavidT |
Dec 6 2004, 12:07 PM
Post
#10
|
|
Been There Group: Memberp Posts: 1897 Joined: 28-January 04 Member No.: 63 |
QUOTE(Miss Betsy @ Dec 6 2004, 04:08 AM)
The point of posting the entire thing (which is short) was to see if the parser got confused about the body part as the OP was suggesting and returned an error message or whether it was something in the procedure that they were using.

Right...unfortunately, I don't have an example of this type of message at hand to parse at this point, so if and when I do, I'll run it through the parser using the "mailhosts bypass" method. I don't think that the parser is having any problems with the message body, but I can't be 100% sure.
DT |
| Wazoo |
Dec 6 2004, 01:14 PM
Post
#11
|
|
What Life? Group: Forum Admin Posts: 12536 Joined: 22-January 04 From: Iowa Member No.: 18 |
http://www.spamcop.net/sc?id=z699871063z70...dc66c6ee630903z
Miss Betsy's spam sample parsed by user with no MailHost involved. Dates, line-wraps, etc. corrected ... but no evidence of the original poster's problem seen in this spam parse. |
| OsakaWebbie |
Dec 10 2004, 11:33 AM
Post
#12
|
|
Newbie Group: Members Posts: 7 Joined: 4-December 04 Member No.: 3150 |
Sorry for my silence - I signed up for email notification but never got any email (I'll check into that separately), so all the while you guys were talking about it, I assumed no one had replied at all.
Wazoo said, "Not sure where you came up with the "body must contain an e-mail" thing ..." The reason I said that is because what Spamcop was trying to resolve as a domain was not something in the header, but the single random word in the message body. Apparently David T successfully parsed Miss Betsy's posted message without putting in any message body at all - I didn't try it with no body, and now it's too old (as well as the one you did is too old to show me the info from the tracking URL). I haven't gotten any others like it on other addresses of the same domain, so it doesn't look like a dictionary attack. Don't have a clue what they are trying to accomplish... |
| DavidT |
Dec 10 2004, 01:09 PM
Post
#13
|
|
Been There Group: Memberp Posts: 1897 Joined: 28-January 04 Member No.: 63 |
I haven't seen any more of this type of message at any of the systems I work with on a regular basis...I think that maybe it was a temporary run of some sort of "zombie" attempts...but it's hard to say.
DT |