Bri

total newbie, sorry


Hello all, I am new to the spam fighting scene (I.E. spamcop) but consider myself a veteran in the war. I found this site a week or so ago looking for a way to continue to fight the battle but I have to confess I am a little lost about things that seem to be common knowledge here.

Thanks to many informative posts I have figured out what a "parser" is and it has been helpful, thanks to all.

I have many questions, but I think my first question would concern Zazinga.com... I received my first spam from this company on February 4, 2004; a whois search showed the domain registered February 3, 2004. The subject of the email was Accuquote, seems the company was "worried" what would happen to my family if I died. Since I know exactly when the email address in question was compromised I have kept a close eye on it for reasons of my own (I do not use email often and I am more careful than the average bear, which means I have a very small "spam" problem). I receive spam on an irregular basis now from the company (which of course I have never subscribed to) and have noticed a relationship between the spam topics and radio ads. I have an ISP that states it has a spamguard service but I laugh a lot... Has anybody else received spam from this company and noticed the dates on the spam versus the domain date?

I also receive a type of spam that as the main subject includes drug ads (or whatever, penis enlargements seem to be a fun topic also) but if I highlight the page I see a series of quotes (non-related to each other) but I also receive the same spam without the quotes. Does anyone else get the spams with the quotes?

Sorry if I sound totally clueless, but knowledge starts at zero and moves up :)


Bri, I too am a newbie but am eager to learn. I think a "Spam Primer for Dummies" forum might be useful, e.g. what little I know about the computer so far I picked up from a terrific magazine called Smart Computing whose motto is "In plain English". Throughout the magazine if they used the word "Parser", for example, they would define it, thus saving all the mystery for newcomers. Sometimes those who are well grounded in subjects forget that they also had to begin somewhere and a little patience might go a long way.

Now off my pulpit... yes I have had similar quotes among a great many other strange gobbledygook in my spam mail. Good hunting B)

Gary


Thanks Gary for confirming the "quotes" thing. I am not a new computer user, just a newbie in the spam battle. Since the spam I am receiving has a direct correlation to the battle I have been fighting it was the next logical step to follow (to me anyway). Anyone else getting the quotes? Any info would be much appreciated.

Good Hunting to you also Gary, especially since you are the first I have ever seen outside of a certain game to use that phrase other than myself.


go to Google .... type this in ---> define: parser <--- then hit the Enter key or click on the Google Search button. One of the listed definitions should help.

I'm concerned over some of your words ... "when I highlight the page" .... not exactly sure what you mean by that, but the normal action described in those words is not a "good" action. On the other hand, you make no mention of just what tools you are using to read / see / handle your spam. It may just be semantics, but when you ask a question using "your" definition of things, the answers you get may be way off target because "they" read your words with "their" definition.

You say you see "quotes" ... are you describing "famous last words" or is this your best description of HTML programming bits, or ..????

Your question as to whether anyone else receives spam that looks like yours is best answered by reading some of the quotes of the "big boys" that talk of anywhere from 50 to 80% of all mail handled is spam. Just last week, AOL stated that over 80% of all incoming e-mail was spam, and they were rejecting millions of e-mails a day. One would have to take those numbers and easily admit that, yes, we are all seeing the same type garbage that you are. Your specific company, maybe not (yet<g>)

For a beginning text on things, Marge has a bit of attitude (ok, maybe should call it character <g>), but ... head off to http://home.att.net/~marjie1/index.htm and see if this helps get you on your spam-fighting crusade.

Edited by Wazoo

I'm concerned over some of your words ... "when I highlight the page" .... not exactly sure what you mean by that

I have 2 email addresses, my questions are concerning my "throwaway" address at yahoo. HTML is turned off for the account and I do not use Outlook express.

By highlighting I mean clicking/holding the mouse and dragging it over the message body which shows the hidden text (as if I was going to copy/paste). The quotes are random phrases from random authors.

There seems to be a pattern to them, about 5 will show up in a weeks time, the first one will have all the quotes plainly readable. In the second one the type color gets a little lighter and so on until I receive 2 or 3 that must be "highlighted" to see the text. All stop for a day or so then the cycle repeats itself.

The first time this "cycle" started it was a little different though. The first spam only had the words "how to start the building". Each consecutive email told the story on how to build a log cabin and they continued until the words "disappeared" and the cabin was built.

I am sure I am receiving the same type of spam as many others, I am also sure that one or two are directed at me personally (having nothing to do with my reporting of spam). I was just trying to rule out the "quote" spam as targeted to me as some of the quotes are a little odd.

Thanks for your time in answering, I will follow up on the link you gave for Marge.


Funny, the build a cabin spam showed up within an hour or so of mentioning it here, this time with all the instructions printed in one email rather than a series. Again, the instructions are hidden until I copy/paste, which I have done here for reference. I have also edited the "porn" text a bit with asterisks as it is nasty, but I did leave the majority for clarity on where it falls in the main body of the email.

From vina elvira Sun Feb 15 11:46:35 2004

X-Apparently-To: xxxxxxx[at]yahoo.com via 216.155.196.69; Sun, 15 Feb 2004 11:53:04 -0800

X-YahooFilteredBulk: 217.255.78.30

Return-Path: <xxxxxx[at]yahoo.com>

Received: from 217.255.78.30 (HELO pD9FF4E1E.dip.t-dialin.net) (217.255.78.30) by mta189.mail.scd.yahoo.com with SMTP; Sun, 15 Feb 2004 11:53:03 -0800

Received: from unknown (HELO CCCC) (192.168.127.58) by pD9FF4E1E.dip.t-dialin.net with SMTP; Sun, 15 Feb 2004 11:46:59 -0800

Message-ID: <00f801c3f3fc$6b0f9f80$0a00a8c0[at]CCCC>

From: "vina elvira" <xxxxxxx[at]yahoo.com>

To: "evangelin" <xxxxxxx[at]yahoo.com>

Subject: Hello! Have Your Way with Married ****balls babnaze

Date: Sun, 15 Feb 2004 11:46:35 -0800

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary="----=_NextPart_000_00F5_01C3F3FC.F26CD511"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2800.1158

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

Content-Length: 2566

place during the early part of the building's construction.

When the desired height of the walls has been attained, you are ready to construct the roof. There are several ways of framing this. Continue laying the end logs as before, but set each pair of side logs a little farther in than the preceding pair, until they finally meet at the peak of the roof.

If you are a straight man between the ages 20-65 we need you! We have 100,000 women that are starving for **** right now.

These women are young or mature, experienced or beginners, in all colors, shapes and sizes, some of them are married and some are divorced, some are single as well but they all have one thing in common... they are all Hungry ******!

So if you'd like to help, pick one and let her know you're available *****. You can't leave these women hungry...

Please help!

When the desired height of the walls has been attained, you are ready to construct the roof. There are several ways of framing this. Continue laying the end logs as before, but set each pair of side logs a little farther in than the preceding pair, until they finally meet at the peak of the roof.

Two bunks should be arranged in a corner of the cabin. Erect two posts thirty inches from the wall, and fasten two cross-pieces, about twelve inches from the floor. Cut some straight poles about three feet long, and gain one end of each into the wall, and fasten the other ends to the crosspieces. Place these poles about six inches apart, and cover them with a thick layer of straw.

First cut an opening about three feet high and five feet wide in the end of the cabin for the fireplace. Then build up the chimney in the same manner as you did the cabin walls, until it extends two feet above the top of the fireplace. Use large logs for this portion of the chimney and fit the ends against the logs of the main structure. When this has been done, make a stone hearth, filling in the stones with clay, and packing them down until they are level with the floor joists. Make the clay linings of the sides of the fireplace from ten to twelve inches thick, beating the clay until it becomes hard. Smaller sticks may be used for the upper part of the chimney. Lay these up in clay mortar and line the inside with clay as the work proceeds. Fasten a shelf above the fireplace on wooden brackets.

Tired of These Tidbits: PRESS THIS

RcptName: xxxxxxxx[at]yahoo.com


OK, you made me go check my Yahoo e-mail ... gads, zero in the Inbox, but 392 in the spam folder ... OK, some new options, went through the preferences .. one of which is to "turn off the graphics" which might be of benefit to you. Where the pictures are will show up as a grey box (on my screen)

Problem, I could not find an option to "show me the source" of the spam. All I could see was the choice between "Brief" and "Full" headers ... but, though this worked, the problem is in the rendering of the actual body part of the e-mail/spam. So to help explain, there's a line in the headers you've shown:

Content-Type: multipart/alternative; boundary="----=_NextPart_000_00F5_01C3F3FC.F26CD511"

The catch is that you "should" see the stuff in quotes in the message body a couple of times, but it doesn't show up at all in your copied text. So we're back to Yahoo showing you the "full" headers, but rendering the HTML in the body, rather than showing you what's really there.

So first of all, yes, the "quotes" you're seeing are the typical way they try to get around Bayesian filters. The problem is in how to report them. I believe the way to do this is to use the "Forward" option, will assume "as an attachment" and submit this to SpamCop. Catch is now, I can't recall seeing what type of account you have, so I'm not sure which way to try to tell you to address the Forward.
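An added example (not code from the thread, SpamCop or Yahoo) of what "what's really there" looks like: it reads the raw MIME parts of a multipart/alternative message rather than the rendered HTML, recovers the boundary string the rendered view hides, and pulls out the near-white filler text and the links. The message is constructed; only the boundary value comes from the posted headers, the addresses are placeholders, and the light-coloured sentences stand in for the "quotes" described above.

```python
import email
import re
from email import policy

BOUNDARY = "----=_NextPart_000_00F5_01C3F3FC.F26CD511"  # boundary value from the posted headers

# Constructed sample message: a text/plain alternative and an HTML alternative whose
# filler sentences are coloured near-white so a webmail view does not show them.
RAW_MESSAGE = f"""\
From: "vina elvira" <sender@example.invalid>
To: "evangelin" <recipient@example.invalid>
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="{BOUNDARY}"

--{BOUNDARY}
Content-Type: text/plain; charset="us-ascii"

If you are a straight man between the ages 20-65 we need you!
Tired of These Tidbits: PRESS THIS

--{BOUNDARY}
Content-Type: text/html; charset="us-ascii"

<html><body>
<font color="#fefefe">When the desired height of the walls has been attained,
you are ready to construct the roof.</font>
<p>If you are a straight man between the ages 20-65 we need you!</p>
<p>Tired of These Tidbits: <a href="http://tracker.example.invalid/?id=abc123">PRESS THIS</a></p>
<font color="#ffffff">Two bunks should be arranged in a corner of the cabin.</font>
</body></html>

--{BOUNDARY}--
"""


def boundary_of(raw):
    """The boundary string that separates the alternatives (invisible once rendered)."""
    return email.message_from_string(raw, policy=policy.default).get_boundary()


def list_parts(raw):
    """(content_type, decoded body) for each leaf part, in the order they appear."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [(part.get_content_type(), part.get_content())
            for part in msg.walk() if not part.is_multipart()]


def hidden_text(html):
    """Text inside <font> tags whose colour is near-white: invisible when rendered,
    visible when highlighted, and still counted by a Bayesian filter."""
    found = []
    for rgb, text in re.findall(r'<font color="#([0-9a-fA-F]{6})">(.*?)</font>', html, re.S):
        r, g, b = (int(rgb[i:i + 2], 16) for i in (0, 2, 4))
        if min(r, g, b) >= 0xF0:
            found.append(" ".join(text.split()))
    return found


def links(html):
    """href targets in the HTML part, which is what a reporting parser needs to see."""
    return re.findall(r'href="([^"]+)"', html)
```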


Thanks JeffG .. Now why didn't that come to my mind? <g> Lost in the research is the only excuse I can come up with (wonder if it'll work? <g>)


I only get 11 a day and not all look like this. I have been forwarding all to spamcop reporting for a week or so now (as attachments) and I also have the graphics turned off in yahoo. In most cases I also just see an empty gray box. But in the case of the spam in question here I can see the text in the html with blanks for the pictures.

I was just curious why the random sentences were given and I believe you have answered the question. I knew the ones with random lettering added as a paragraph were probably for filters so it seemed this would be the case with the sentences also. Thank you all for the insight.


Good news. Thanks for the follow-up, sorry it took so much wrangling to get to this point. Good luck in your new career as a fellow spam-fighter!

Edited by Wazoo


oops, sorry, I did have one more rather goofy question. What is the purpose of the spam that comes in with a JavaScript written in at the bottom (I have script disabled also)?


Not seeing what the script was, it'd be hard to guess ... might be code to have the infamous dancing beer bears do the polka on your screen, might be some nasty code trying to get around your defenses, or even worse, an attempt to foil the SpamCop parser .... unfortunately, that's part of the "joy" of having the basic e-mail function so screwed by allowing all this other garbage to go on, so this is another one of those "show us what you got" things <g>


Ok, this one is the most recent, I get them once a week or so, the script changes along with the ad.

efcn nkiy <constable[at]dakotaconnect.com> wrote:

From efcn nkiy Tue Feb 10 00:39:36 2004

X-Apparently-To: xxxxx[at]yahoo.com via 216.155.196.72; Tue, 10 Feb 2004 00:39:53 -0800

X-YahooFilteredBulk: 68.114.53.83

Return-Path:

Received: from 68.114.53.83 (HELO cpe-68-114-53-83.vt.charter.com) (68.114.53.83)

by mta222.mail.scd.yahoo.com with SMTP; Tue, 10 Feb 2004 00:39:52 -0800

Received: from unknown (HELO BDBABD) (192.168.137.34)

by cpe-68-114-53-83.vt.charter.com with SMTP; 10 Feb 2004 08:39:51 +0000

Message-ID: <000201c3efb1$69d01400$a38a50d5[at]BDBABD>

From: "efcn nkiy"

To: "wshwbakri pralat yiechpdezp"

Subject: ot cheap vaiagra gelnepi.

Date: Tue, 10 Feb 2004 08:39:36 +0000

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_FFFF_01C3EFB4.85E2F7D0"

X-Priority: 3

Content-Length: 1479

Hello uinspoaxhi mo es!

One Time dicsuont order for cehpaest vaiagra.

For more info open atathced file.

HTML Attachment [ Download File | Save to my Yahoo! Briefcase ]

branching = new Array(79, 120,253,99,131,98,104,48,215,0,164, 71,131,202,16,152,95,13,124,170,222, 172,189,158,175,8,124,211,198,81,228, 52,110,178,251,235,201,206,32,233,163, 138,225,5,200,58,137,151,45,180,196, 28,174,215,224,24,247,229,89,98,227, 244,87,141,28,135,30,153,161,108,68, 138,206,122,140,163,235,209,187,51,77, 7,30,203,71,181,115,90,91,141,46, 136,106,174,149,105,247,60,9,125,227, 141,191,228,211,235,74,119,213,214,73, 253,35,58,247,231,209,198,216,120,174, 251,153,227,88,170,94,193,221,11,133, 184,122,161,225,191,118,203,248,80,122, 254,227,3,159,17,147,12,128,251,121, 87,216,149,65,199,230,254,219,168,32, 3,17,66,198,89,188,57,23,26,143, 39,193,104,168,128,61,224,6,4,112, 172,218,239,161,202,171,20,52,215,196, 65,173,1,31,217,202,197,143,128,36, 186,163,218,164,0,154,118,149,134,55, 176,195,17,176,155,194,61,149,168,80, 102,242,246,64,199,95,149,15,143,225, 104,11,152,194,114,142,249,230,210,187, 59,79,26,81,221,75,144,53,1,7, 217,123,208,63,247,198,59,241,2,13, 105,191,214,235,187,181,178,28,108,130, 135,21,175,124,27,213,219,203,147,147, 36,164,247,135,177,88,170,94,193,221, 11,148,180,114,161); recycling = new Array(115, 48,169,46,207,92,101,58,235,72,225, 6,199,244,29,146,99,96,25,222,191, 140,213,234,219,120,81,182,183,36,141, 66,83,144,137,142,175,188,69,154,203, 168,193,102,167,84,253,242,67,192,249, 62,159,236,181,74,187,216,49,22,151, 132,109,162,51,240,105,238,143,28,37, 250,171,8,161,198,135,180,221,82,35 ); doles = 296; ire = 81; var lick = ""; for(barge = 0; barge < doles; barge++) lick = lick + String.fromCharCode(branching[barge] ^ recycling[barge % ire]); document.write(lick);

Edited by Bri


ok, that whole bunch of garbage was code that would have (if you'd had your defenses down <g>) to display the actual spam crud on your screen. The "document.write" action is the tool that takes all the "garbage" stuff and converts it to "text" (a loose interpretation there) so that your web browser could interpret the code to display the words.

and yes, SpamCop doesn't go through the interpretation mode, so any embedded links in there are not found by the "parser" <g> (There's that word again!)
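An added example (not from the thread, SpamCop or the spammer) that does the "interpretation" step statically: it parses the two arrays and the two counters out of the script text and repeats the loop's XOR in Python, with no JavaScript executed, so the links the parser never saw can be listed. SAMPLE_SCRIPT is constructed in the shape of the posted script and uses its variable names (branching, recycling, doles, ire, lick, barge); its numbers are made up so the expected output is known, and the URL in it is a placeholder.

```python
import re

# Constructed plaintext and key used to build the sample; the spammer's real values differ.
HIDDEN_HTML = '<a href="http://pills.example.invalid/?u=abc">open attached file</a>'
KEY = [115, 48, 169, 46, 207, 92, 101, 58, 235, 72]


def xor_bytes(text, key):
    """Inverse of the spammer's loop; used only to build the constructed sample."""
    return [ord(c) ^ key[i % len(key)] for i, c in enumerate(text)]


SAMPLE_SCRIPT = (
    "branching = new Array(" + ", ".join(map(str, xor_bytes(HIDDEN_HTML, KEY))) + "); "
    "recycling = new Array(" + ", ".join(map(str, KEY)) + " ); "
    f"doles = {len(HIDDEN_HTML)}; ire = {len(KEY)}; var lick = \"\"; "
    "for(barge = 0; barge < doles; barge++) "
    "lick = lick + String.fromCharCode(branching[barge] ^ recycling[barge % ire]); "
    "document.write(lick);"
)


def int_array(script, name):
    """Pull the integer list out of `name = new Array(...)`; tolerates stray spaces."""
    m = re.search(r"\b" + name + r"\s*=\s*new Array\(([^)]*)\)", script)
    if not m:
        raise ValueError(f"array {name!r} not found")
    return [int(v) for v in m.group(1).split(",")]


def int_var(script, name):
    """Pull the integer out of `name = 123`."""
    m = re.search(r"\b" + name + r"\s*=\s*(\d+)", script)
    if not m:
        raise ValueError(f"variable {name!r} not found")
    return int(m.group(1))


def decode_document_write(script):
    """Replay the loop: for barge < doles, emit chr(branching[barge] ^ recycling[barge % ire])."""
    data = int_array(script, "branching")
    key = int_array(script, "recycling")
    count = int_var(script, "doles")
    keylen = int_var(script, "ire")
    if count > len(data) or keylen > len(key):
        raise ValueError("counters exceed array lengths; the script is not self-consistent")
    return "".join(chr(data[i] ^ key[i % keylen]) for i in range(count))


def extract_urls(decoded):
    """Links that only exist after decoding, i.e. the ones a parser of the raw mail misses."""
    return re.findall(r'https?://[^\s"\'<>]+', decoded)
```

Because the posted script uses the same variable names, decode_document_write can be given that text verbatim; the decoded string is what the browser would have written to the page.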


Ok, I think I understand what you just said, but I still really don't get the point to sending it as a script attachment. But then again, a lot of people know to turn the graphics off, but few are aware of the danger of script so may not have it blocked.

Since it has a downloadable attachment, does that mean if I had had script enabled it would have started an automatic download of the attachment?


Yep, you've got it. Spammer trying to take advantage of those running in an insecure mode. The "download attachment" part maybe slightly wrong, at best it would have "executed" in your browser and displayed all the "good important" stuff <g>


Great, thanks for your patience and info :). I can't promise I will quit asking silly questions, but I will stop for now ;-)

after one more lol, how does the attachment for downloading figure into all this?

Edited by Bri


There is "inline" stuff (already included in your email message text). There is "online" stuff (that is downloaded from the sender's server).

The "online" stuff is particularly dangerous (particularly in HTML) as it notifies the sender and can execute or download some "nasties".

Want to be safer?? Don't use HTML email, use an anti-virus program and a good firewall and never click on any "executable" attachments.

Want to be safer?? Don't use HTML email, use an anti-virus program and a good firewall and never click on any "executable" attachments.

thanks, I already do all of this. I am not trying to be safer, I am conducting a personal study that has walked me neatly into spam (thanks to one or two jerks) and I am asking these questions to better understand the differences in script intended to launch porn spam images and script that may be hidden in what seems to be a simple spam email intended to launch viruses and such (if that made any sense at all!)


I'm thinking that you already know the answer <g> E-mail is a tool for passing some short bit of data to someone else. (I'm going to emphasize "short" .. folks asking on why they have problems sending their 10 to 50Meg files just simply amaze me <g>) As Java and JavaScript are both a form of programming language, there should be no reason at all to use this coding in an e-mail. To me, anytime I see any sort of "programming code" (and that includes HTML), it's headed for the Delete pile. (of course, after taking a look-see that it isn't another one of my "clients" that I'll be looking to get a phone call from in the following few minutes <g>)

I've dropped some pretty darn good newsletters as they decided that HTML "was the way" .... A number of old friends will call me, but "never" e-mail me due to my response to their bad-music encrusted HTML'd e-mails with the fantastic moving pictures of the fake snow falling on the fake ground in front of the fake house by the fake lake with ripples ... well, I'll bet you've seen that one too <g>

One should normally only expect to see any scripting in an e-mail based on you being a programmer of some sort and your friend/client/customer is asking you for a review of that specific code. If you're not in that type of support issue, any scripting should be seen as "bad" ....

In general, the virus stuff you hear about isn't in the e-mail itself, per se. It's normally included as an attached file, with some sort of social engineering involved to entice the recipient to happily click, click, click, with the end result of actually running a real - live executable program.

Edited by Wazoo


One Time dicsuont order for cehpaest vaiagra.

For more info open atathced file.

HTML Attachment [ Download File  |  Save to my Yahoo! Briefcase ] 

branching = new Array(79, 120,253,99,131,98,104,48,215,0,164, ......

Yes Wazoo, you are correct, I was aware of what you have stated, I am sorry I am so bad at asking questions....My last question was about the quote above. I understand that the script is executed as soon as the spam is opened. My confusion is coming from my choices listed once I am in the email (my script is disabled of course). Once I open the spam I see the script, it is the Download file that is causing my confusion. If spam script is executable, which is not the same thing as downloading, I am left to conclude there really is an attached file whose name and extension(?) I cannot see listed in the email anywhere.

I have received an email similar to this set-up before from a different source than spam and I am interested not only because of the Java, but because of the attachment itself. What are the odds the attachment involves more than a "fun" little pic or advertisement in your opinion?

If one clicks on an HTTP link in an email that has a text attachment (which was not downloaded) and follows a link on that accessed site to another and then immediately begins being spammed in a "new" box with porn within 12 hours, do you think there may be a link?

I truly am sorry for taking up your time Wazoo, but these are questions I have been dying to ask someone and you all have been a big help.


OK, had you had "HTML allowed" set in your Yahoo preferences, (no guarantee here, but please play along with me <g>), instead of all the scripting you posted, you would have seen the "pretty picture" or "important text" that the script would have normally accomplished. Now to be honest, the spammer probably made the assumption that you'd have actually "opened up the e-mail within Outlook or Outlook Express on "your" computer, assuming that your configurations let these scripts run wild. That you are actually "reading" this e-mail on the Yahoo server via a web browser with the already mentioned security settings (as I'm doubting that Yahoo would even attempt to run a JavaScript file, but this just confuses the issue right now) messes up the spammer's plan. So Yahoo showed you the "text" portion of the spam, but also gave you the indicators that there was a file attachment.

So at this point, you're looking at the "text", but the alleged attached file is still setting on the table, waiting to see if you want to pick it up. If you click the "Download file" button, you'll end up seeing the same pop-up screen you'll see if you've ever downloaded a file off the net via your web browser .... questions like where do you want to save the file, and the chance to change the file name, etc.

Now, if you clicked the button, then hit the save on this next pop-up, you'll end up with that "file" sitting somewhere on your hard drive. Still benign, but just waiting for the day when you'll say to yourself .. "what the heck is this file for?" and because it's not a ".TXT" file type, you just might do the double-click thing and thereby tell it and give it permission to run. Damage is now done ... It's this invocation of the "let's fire it up" action that is the trigger point.

OK, so now we move to the "just any old file attachment" scenario .. years ago, it was simple .. I would advise that if I didn't know who sent it, delete it. Unfortunately, the next step in the social engineering was the virii type that read the victim's address book and sent things out to people that the victim knew, and those folks received something from someone they knew. So I had to modify my words to .. if you don't know who it came from and / or why they sent it, delete it. But some folks just can't grasp this ... I had one woman tell me (<5 minutes after I'd received an e-mail from her with an attached virus) that yes, she surely did click on that paper clip thing .. simply because she wanted to see if it was one of those things that I'd told her never to click on <g>

Issue with file names. Microsoft, in the effort not to confuse the user, defaults Windows Explorer to NOT show file extensions (and even further, actually hide a lot of files from being seen). So this leads to a problem when the user even takes the time to look at the file name before giving it the "do it" click ... example:

user sees: lookatthis.txt

real file name: lookatthis.txt .com

problem being that all those spaces moved the real file extension off the screen, so the user thinking that it's only a "text" file and "knows" that this means it's not a virus, goes on ahead and "opens" it up to read the expected words. Some dirty dogs are even nice to actually have their executable ".com" file really put some text up on the screen .. but the real work is going on in the background ...

OK, now to the "click on a link" ... an ordinary web link (URL) looks like http://www.somewhere/com ... but the concerns you raise are about URLs that look more like http://www.somewhere/com/?whoisthisthatsclickingonmylink

You'll still get to the web-site, but at that web-site, in the logs of who's been here, there's going to be an entry that says "you" came to this page, your computer's IPAddress was [insert your IP here], and it's going to have that "tracking code" (whatever was after the "?" in the above link example)

A "good" marketer would be looking to see how effective the advertising was, things like did the ad attract attention, did it cause a click-through, did it lead to a sale ....

The "bad" side of it is someone embedding specific and certain information that tracks the e-mail sent out to whom, and just which whom's were gullible enough to follow the link ... thus begins the infamous "known, good, active, make-me-a-lot-of-money" e-mail addresses list .... and somehow I'm guessing that this answer fits right in with your "click on a link and spam shows up real soon afterwards" question.

whew! hope there's something in here you can use <g>

Edited by Wazoo
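An added example (not from the thread) that models the two display effects in the file-name part of the post above, Windows hiding a known extension and a space-padded name pushing the real extension off the visible column, and flags attachment names where what the user sees differs from what a double-click would run. The file names are constructed; the extension sets are illustrative, not complete.

```python
# Extensions a double-click runs as a program, and ones users read as "just a document".
EXECUTABLE_EXTENSIONS = {"com", "exe", "bat", "cmd", "scr", "pif", "vbs", "js", "hta"}
DOCUMENT_EXTENSIONS = {"txt", "pdf", "doc", "jpg", "gif", "htm", "html"}
KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | DOCUMENT_EXTENSIONS


def split_ext(name):
    """('lookatthis.txt     ', 'com') for 'lookatthis.txt     .com'; extension lower-cased."""
    base, dot, ext = name.rpartition(".")
    return (base, ext.lower()) if dot else (name, "")


def displayed_name(name, hide_known_extensions=True, column_width=24):
    """What a file-manager column shows: the last known extension hidden (Explorer's
    default, as the post says), then the name cut at the column width."""
    shown = name
    if hide_known_extensions:
        base, ext = split_ext(name)
        if ext in KNOWN_EXTENSIONS:
            shown = base
    return shown[:column_width].rstrip()


def assess_attachment_name(name, hide_known_extensions=True, column_width=24):
    """Compare the visible name with the extension that decides what actually runs."""
    _, real_ext = split_ext(name)
    shown = displayed_name(name, hide_known_extensions, column_width)
    _, shown_ext = split_ext(shown)
    return {
        "shown": shown,
        "shown_ext": shown_ext,
        "real_ext": real_ext,
        "executable": real_ext in EXECUTABLE_EXTENSIONS,
        # misleading: it would run as a program, but the visible name says otherwise
        "misleading": real_ext in EXECUTABLE_EXTENSIONS and shown_ext != real_ext,
    }


# Constructed name in the shape of the post's "lookatthis.txt .com" example.
PADDED = "lookatthis.txt" + " " * 40 + ".com"
```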

