Jump to content
Sign in to follow this  
dra007

what is the purpose of this spam

Recommended Posts

What is the purpose of this spam?

http://www.spamcop.net/sc?id=z1046319691ze...c93f96e9830560z

It contains unreadable code which I refuse to open in case it might trigger a virus. Does not seem to sell anyting and comes from Korean server. Was hoping some geek here could safely check the content. Just curious, I have been getting a few of these daily for some time now..

Edited by dra007

Share this post


Link to post
Share on other sites

What is the purpose of this spam?

http://www.spamcop.net/sc?id=z1046319691ze...c93f96e9830560z

It contains unreadable code which I refuse to open in case it might trigger a virus. Does not seem to sell anyting and comes from Korean server. Was hoping some geek here could safely check the content. Just curious, I have been getting a few of these daily for some time now..

We have been getting a bunch of this at work (also a Postini user) as well. I just assume it has been broken somewhere along the line, intentionally or not. I have not bothered to convert the attachment.

I decided to play, converted the document (it is valid) and opened securely on another machine. Contents of your message:

Hot Summer Specials!

Viagra = $3 per pill (100mg)

Viagra Soft = $3.66 per pill (100mg)

Cialis = $3.75 per pill (20mg)

Levitra = $4.90 per pill (20mg)

Click Here for more info!

Share this post


Link to post
Share on other sites

from the spamcop parse, it's tough to tell what you mean by unreadable code. If you mean the Base64 encoding, that's how anything that isn't text is sent via email (MIME formatted, etc.). when you attach anything, a picture, a executable file, a zip file, etc, the email software encodes it into base-64 text. Email is a text ony medium, so that's how it gets transmitted.

Your particular code is a MS Word document. I've been getting a lot of these lately. I even put in a feature request to parse the documents for links, since that's the actual "payload". (topic link: MS word / pdf attachment parsing... )

Edit: fixed link

Edited by Jank1887

Share this post


Link to post
Share on other sites

Thanks everyone...Payload or not I am reassured that reporting them is what needs to be done. The anoying thing is that the subject line in most of this type of spam references your account..etc. That made me wonder if they were also phishing for something..

Share this post


Link to post
Share on other sites

(Oops. Just noticed Steven Underwood beat me to the punch with more information. I would probably have gotten the same if I had a machine with VMWare available.)

I ran a decoder over the base64 word document. The only readable text in the binary soup was "Hot Summer Specials! Viagra".

I didn't bother saving it to a file and trying to open it, even with Open Office instead of an MS product. You can't be too careful with any binary from an untrusted source.

The readable part tells you all that you need to know.

Edited by GraemeL

Share this post


Link to post
Share on other sites

That's one of the advantages of a gmail account is that they give you a view as html option. makes things a 'little' safer. I haven't seen anyone throw anything nasty in a MSWord doc yet that still executes when viewed as a converted html.

Anyway, that readable text is likely an MSWord web link. That's how all of these that I've been getting have been set up.

Edited by Jank1887
typo

Share this post


Link to post
Share on other sites

Good, then I just need to continue reporting them. You have to wonder why spamers send code that is unreadable in mainstream e-mail applications such as OE.

Share this post


Link to post
Share on other sites
Good, then I just need to continue reporting them. You have to wonder why spamers send code that is unreadable in mainstream e-mail applications such as OE.

Because for way too many folks, having a ".doc" attachment will then pull up Microsoft Word (or possibly some equivalent) to render that "Word document"

Share this post


Link to post
Share on other sites

What is the purpose of this spam?

http://www.spamcop.net/sc?id=z1046319691ze...c93f96e9830560z

It contains unreadable code which I refuse to open in case it might trigger a virus. Does not seem to sell anyting and comes from Korean server. Was hoping some geek here could safely check the content. Just curious, I have been getting a few of these daily for some time now..

I use Toasted spam's base64 decoder for these:

http://www.toastedspam.com/decode64

Though with help from SpamCop I have only had 2 spams in the last year and a half.

Copy strictly only the "rectangular" code from "View entire message" into the decoder window and try the types one at a time. "Exe" isn't one of them so you run a minimal risk of triggering anything. If anything failed to resolve with any option, then I considered it probably an .exe i.e. probably virus. With those I just hit delete. Reporting spam-borne viruses was against our rules in those days (2004).

All the html is shown as ASCII text so no links are clicked.

Edited by Spamnophobic

Share this post


Link to post
Share on other sites
Good, then I just need to continue reporting them. You have to wonder why spamers send code that is unreadable in mainstream e-mail applications such as OE.

because it typically shows up as the .doc attachment that it is. And we know that people LOOOVE to open unexpected attachments, and MANY computers have MS Office and can open those files.

They aren't sending unreadable code. They're sending mainstream documents to the correct target majority.

Share this post


Link to post
Share on other sites
I use Toasted spam's base64 decoder for these ...
And an excellent tool it is. The inline code is sufficiently resolved in the first (default) type to indicate the code is indeed a "Microsoft Office Word Document" with such content as
Hot Summer Specials!Viagra = $3 per pill (100mg)Viagra Soft = $3.66 per pill (100mg)Cialis = $3.75 per pill (20mg)Levitra = $4.90 per pill (20mg) HYPERLINK [http link removed] Click Here for more info!
Perfectly standard fare for those wishing to ponder the oxymoronic qualities of "Viagra Soft".
...They aren't sending unreadable code. They're sending mainstream documents to the correct target majority.
Precisely.

Share this post


Link to post
Share on other sites

Anybody using Firefox might be interested in the Mnenhy extension. Amongst other things, it allows you to highlight text and decode (base64, rot-13 and uuencoded plus others) with a right click.

I also use it with Thunderbird. I never open spam directly with Thunderbird, I just view source on it. The Nmheny decoder works while viewing the source, so no risk of actually exposing yourself by opening any suspicious email.

Edited by GraemeL

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×