dra007 0 Posted August 29, 2006 (edited) What is the purpose of this spam? http://www.spamcop.net/sc?id=z1046319691ze...c93f96e9830560z It contains unreadable code which I refuse to open in case it might trigger a virus. Does not seem to sell anyting and comes from Korean server. Was hoping some geek here could safely check the content. Just curious, I have been getting a few of these daily for some time now.. Edited August 29, 2006 by dra007 Share this post Link to post Share on other sites
StevenUnderwood 0 Posted August 29, 2006 What is the purpose of this spam? http://www.spamcop.net/sc?id=z1046319691ze...c93f96e9830560z It contains unreadable code which I refuse to open in case it might trigger a virus. Does not seem to sell anyting and comes from Korean server. Was hoping some geek here could safely check the content. Just curious, I have been getting a few of these daily for some time now.. We have been getting a bunch of this at work (also a Postini user) as well. I just assume it has been broken somewhere along the line, intentionally or not. I have not bothered to convert the attachment. I decided to play, converted the document (it is valid) and opened securely on another machine. Contents of your message: Hot Summer Specials! Viagra = $3 per pill (100mg) Viagra Soft = $3.66 per pill (100mg) Cialis = $3.75 per pill (20mg) Levitra = $4.90 per pill (20mg) Click Here for more info! Share this post Link to post Share on other sites
Jank1887 0 Posted August 29, 2006 (edited) from the spamcop parse, it's tough to tell what you mean by unreadable code. If you mean the Base64 encoding, that's how anything that isn't text is sent via email (MIME formatted, etc.). when you attach anything, a picture, a executable file, a zip file, etc, the email software encodes it into base-64 text. Email is a text ony medium, so that's how it gets transmitted. Your particular code is a MS Word document. I've been getting a lot of these lately. I even put in a feature request to parse the documents for links, since that's the actual "payload". (topic link: MS word / pdf attachment parsing... ) Edit: fixed link Edited August 29, 2006 by Jank1887 Share this post Link to post Share on other sites
dra007 0 Posted August 29, 2006 Thanks everyone...Payload or not I am reassured that reporting them is what needs to be done. The anoying thing is that the subject line in most of this type of spam references your account..etc. That made me wonder if they were also phishing for something.. Share this post Link to post Share on other sites
GraemeL 0 Posted August 29, 2006 (edited) (Oops. Just noticed Steven Underwood beat me to the punch with more information. I would probably have gotten the same if I had a machine with VMWare available.) I ran a decoder over the base64 word document. The only readable text in the binary soup was "Hot Summer Specials! Viagra". I didn't bother saving it to a file and trying to open it, even with Open Office instead of an MS product. You can't be too careful with any binary from an untrusted source. The readable part tells you all that you need to know. Edited August 29, 2006 by GraemeL Share this post Link to post Share on other sites
Jank1887 0 Posted August 31, 2006 (edited) That's one of the advantages of a gmail account is that they give you a view as html option. makes things a 'little' safer. I haven't seen anyone throw anything nasty in a MSWord doc yet that still executes when viewed as a converted html. Anyway, that readable text is likely an MSWord web link. That's how all of these that I've been getting have been set up. Edited May 29, 2019 by Jank1887 typo Share this post Link to post Share on other sites
dra007 0 Posted August 31, 2006 Good, then I just need to continue reporting them. You have to wonder why spamers send code that is unreadable in mainstream e-mail applications such as OE. Share this post Link to post Share on other sites
Wazoo 0 Posted August 31, 2006 Good, then I just need to continue reporting them. You have to wonder why spamers send code that is unreadable in mainstream e-mail applications such as OE. Because for way too many folks, having a ".doc" attachment will then pull up Microsoft Word (or possibly some equivalent) to render that "Word document" Share this post Link to post Share on other sites
Spamnophobic 0 Posted August 31, 2006 (edited) What is the purpose of this spam? http://www.spamcop.net/sc?id=z1046319691ze...c93f96e9830560z It contains unreadable code which I refuse to open in case it might trigger a virus. Does not seem to sell anyting and comes from Korean server. Was hoping some geek here could safely check the content. Just curious, I have been getting a few of these daily for some time now.. I use Toasted spam's base64 decoder for these: http://www.toastedspam.com/decode64 Though with help from SpamCop I have only had 2 spams in the last year and a half. Copy strictly only the "rectangular" code from "View entire message" into the decoder window and try the types one at a time. "Exe" isn't one of them so you run a minimal risk of triggering anything. If anything failed to resolve with any option, then I considered it probably an .exe i.e. probably virus. With those I just hit delete. Reporting spam-borne viruses was against our rules in those days (2004). All the html is shown as ASCII text so no links are clicked. Edited August 31, 2006 by Spamnophobic Share this post Link to post Share on other sites
Jank1887 0 Posted September 8, 2006 Good, then I just need to continue reporting them. You have to wonder why spamers send code that is unreadable in mainstream e-mail applications such as OE. because it typically shows up as the .doc attachment that it is. And we know that people LOOOVE to open unexpected attachments, and MANY computers have MS Office and can open those files. They aren't sending unreadable code. They're sending mainstream documents to the correct target majority. Share this post Link to post Share on other sites
Farelf 0 Posted September 8, 2006 I use Toasted spam's base64 decoder for these ...And an excellent tool it is. The inline code is sufficiently resolved in the first (default) type to indicate the code is indeed a "Microsoft Office Word Document" with such content asHot Summer Specials!Viagra = $3 per pill (100mg)Viagra Soft = $3.66 per pill (100mg)Cialis = $3.75 per pill (20mg)Levitra = $4.90 per pill (20mg) HYPERLINK [http link removed] Click Here for more info!Perfectly standard fare for those wishing to ponder the oxymoronic qualities of "Viagra Soft". ...They aren't sending unreadable code. They're sending mainstream documents to the correct target majority.Precisely. Share this post Link to post Share on other sites
GraemeL 0 Posted September 8, 2006 (edited) Anybody using Firefox might be interested in the Mnenhy extension. Amongst other things, it allows you to highlight text and decode (base64, rot-13 and uuencoded plus others) with a right click. I also use it with Thunderbird. I never open spam directly with Thunderbird, I just view source on it. The Nmheny decoder works while viewing the source, so no risk of actually exposing yourself by opening any suspicious email. Edited September 8, 2006 by GraemeL Share this post Link to post Share on other sites
