[Resolved] What's with these random garbage subjects in spam?

[elind]

Does anyone know if there is a point to these ridiculously long random character string subject names in many spam messages?

It can't be a reporting tracking ID because 80+ random characters can probably ID every grain of sand on the planet, if not the universe, and they haven't reached that volume yet.

[rconner]

Does anyone know if there is a point to these ridiculously long random character string subject names in many spam messages?

It can't be a reporting tracking ID because 80+ random characters can probably ID every grain of sand on the planet, if not the universe, and they haven't reached that volume yet.

In the old days (of open relay mail hosts), the reason was to break up runs of otherwise identical messages. Read about it here. Nowadays, when there's not much open relay spam anymore, I don't know what the reason would be, but some spammer might have cooked up a reason (and it could even be a valid one).

-- rick

[Farelf]

Does anyone know if there is a point to these ridiculously long random character string subject names in many spam messages?...

Not definitively, no. Maybe they defeat some user-level filters in one or more of several ways. If you had provided a tracking URL there might be more discussion. Ones like this one http://www.spamcop.net/sc?id=z2598669992z8...f773a09071ba13z serve no purpose that I can imagine except if some filters can't deal with subjects that long. Ones like http://www.spamcop.net/sc?id=z2598669945z5...345ecb2b1511e5z should be fairly much 'unfilterable' on the title line and the written date - Date: Mon, 09 Feb 3610 15:20:22 -0500 - is pretty mysterious too (will probably display as 1 Novermber 1976 on most e-mail applications and may fulfil some function in itself).

It is generally held to be pointless to try to see into the mind of the spammer. Whatever 'they' are trying to do is pretty pointless anyway. Nearly all of the stuff they send is never seen by a human (for example, the above examples *would* be caught by IronPort filtering which my ISP uses, if I chose to use it as very nearly all his other customers do). Any suggestion of tracking codes needs to be informed by the fact of these enormous 'losses'.

I've indulged you/wasted your time with 'hypotheticals'. That's OK, I wanted an excuse to mention the strange +1601=3610 dates (= Nov/Dec 1976 display) anyway. Yes, that could be a tracking code too - there's a small 'random' factor in the values there (looking at a small sample of the things) which seemingly isn't explained by Unix date conversion and variable delivery delays - but I think the notion of such codes, especially such complicated ones, is mostly paranoia. More likely to be a far more prosaic purpose being served (or simply a mis-set clock somewhere - but the random 'noise' would be a puzzle), too many possibilities to guess.

Give your own examples by the tracking URL of a reported instance in future (as is recommended process) for a more focussed discussion. Some of the knowledgeable folk here don't do 'hypotheticals'.

[elind]

R. Conner:

I can see that, but it doesn't take a line long enough to give the NSA headaches to differentiate even millions of spam.

Barring any other thoughts, I will guess just a sloppy program generating them that nobody bothers to correct, since only idiots read this stuff anyway and these details don't matter.

Farelf:

You are not wasting my time and hopefully not yours, or I wouldn't be here.

I'll be happy to provide tracking on some soon, I just thought everybody got these and there wasn't much point.

I suppose I could imagine that some filters might have been turned off by sentence long subject field, but obviously not now. On the other hand, while I don't have statistics at hand, I don't think I saw many of those a year or so ago.

I could be wrong.

Here's a recent one, although not the longest seen by any means:

subject: Subject: =?windows-1251?B?Q2hlY2sgbmV3IGRpc2NvdW50IHByaWNlcy4=?=

Tracking: http://www.spamcop.net/sc?id=z2599193261z1...652cb376aba080z

Of course we immediately notice that the spamcop tracking is even longer, which suggests that it is composed of several groupings of multiply byte data categories.

Perhaps that is all the spammers do too, although I wonder about the "=", "?" and the "windows" meanings?

[rconner]

Perhaps that is all the spammers do too, although I wonder about the "=", "?" and the "windows" meanings?

Well, the mystery is solved now that you posted the tracker.

The subject line isn't random, it is a MIME encoded word. It is not a virus, a web bug, or any similar sort of thing. If you had let this mail through SpamCop, and it reached your computer, your mail program would decode and display it as text in the indicated character set (Windows 1251). My (private) EW decoder gives the decode as "Aldridge Burke." Since you are viewing the mail in raw form on SpamCop, you do not get the benefit of the decoding.

Anticipating your question, you can find out about MIME Encoded-Word encoding here.

Nothing evil about using MIME EW in subject lines -- that's what it was meant for. In this case, a correspondent who uses cyrillic text (Windows-1251 here) can create subject lines in his native language, something that otherwise wouldn't be possible for him since bare SMTP e-mail can only support 7-bit ASCII. If you correspond with people in non-Latin-writing countries, particularly if they use their native languages, you will probably get a lot of MIME EW.

-- rick

[elind]

Always something new to learn and something not to make assumptions about. Thanks.