How'd the spammer do this?


DCSmooth

Today I received a spam for cheap, illegally obtained cable TV channels. The text of the message was pure gibberish, but the image (which is at this URL: http://www.9001hosting.com/fiter.jpg) contained the advertisement. Clicking on the image in the e-mail brings you to this page http://www.9001hosting.com/cable/ which looks even more suspiciously like cable theft.

So, I not only reported this one as usual through SpamCop, but also by forwarding it to hotline[at]mpaa.org, which apparently would like to hear about cable theft advertisements. I CC'ed myself when forwarding, and the message I received not only didn't contain the image and the link, it didn't even contain the same gibberish!!! (The gibberish in my spam was something about a "diskette" and a "chainsaw", while my forward told a chilling tale involving a "turkey" and a "dolphin".)

What gives? :blink:

I'll post the source for both if anyone thinks it would help, just thought I'd spare you in my initial post just in case it isn't necessary.

Thanks in advance,

DCSmooth

How was the spam forwarded?

I use Mozilla set to display text only and not to render HTML. If I forward 'as attachment' the true source is sent, if I forward 'inline' only the viewable text is forwarded. This results in different data being forwarded depending on the method I use to forward, except when the emails were sent entirely in plain text.

I'm going to go ahead and post the source, as I guess this isn't as common as I thought and maybe it's needed for someone to provide an answer. (I've still removed all the header info though.) It's interesting - the part that was visible when I forwarded the message is in the first section separated by "--=====", and the part that was visible in my spam is in the second section. I'd never heard of any way to make a forward look different from an original message before. Couldn't this potentially affect messages forwarded to SpamCop as well?

--=====0702756385=_

Content-Type: text/plain; charset="ISO-8859-1"

Content-Transfer-Encoding: 7Bit

When you see skyscraper for, it means that defendant defined by flies into a rage.ruffians remain incinerated.living with mating ritual leaves, and turkey from ceases to exist; however, for dolphin bestow great honor upon..

--=====0702756385=_

Content-Type: text/html; charset="ISO-8859-1"

Content-Transfer-Encoding: 7Bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<HTML><HEAD>

</HEAD>

<BODY>

<div align="center">

<a href="http://www.9001hosting.com/cable/"><img

src="http://www.9001hosting.com/fiter.jpg" border="0"></A>

<BR><BR>Furthermore, for diskette goes to sleep, and chain saw around cream puff laugh and drink all night with hand around particle accelerator.Indeed, around bubble bath befriend defined by judge.buzzard secretly admire for razor blade.gypsy living with beams with joy, and dissident around curse procrastinates; however, scythe around give lectures on morality to..<BR>

escapee euphemist class kindergarten locomotive <BR><BR>

</div></BODY></HTML>

--=====0702756385=_--

Thanks for the reply Spambo. (Guess I was typing as you were.) I use hotmail (in IE6). I'm pretty sure there's no "attachment/inline" option in Hotmail, but I could be wrong. Usually, it forwards everything including attachments. But this image was called up with html tags anyway, so I'd think it would have still come up in the forward regardless.

I don't remember much about Hotmail's options for forwarding but I do remember that the parser has problems with spams forwarded from Hotmail unless you're using Outlook Express to access your account. It's likely that whatever that problem is, it is also the reason you're seeing the differences.

In order to see the true email source from the Hotmail web site you need to follow the steps contained in the SpamCop FAQ.

An alternative method of seeing the Hotmail source was published by a participant in the SpamCop newsgroups. These are the steps:

  1. Right click on link to open an email.
  2. Choose "copy shortcut", "copy link location", or similar wording.
  3. Paste the copied link into the address bar.
  4. Add "&raw=disk" (without the quotes of course) at the end of the URL.
  5. Hit enter and the message source should display.

Either way, you can then copy the actual spam source and paste it into the message body instead of forwarding the spam manually.

I think that what is happening is that you are somehow seeing what the HTML looks like when it is opened and after you forward it, seeing how the HTML looks in the 'raw' state which you don't see when you open it.

If at all possible, download your Hotmail in OE. That way you never have to open a spam. You right click and look at properties and the message source. It is also a lot easier to submit spam to SpamCop.

Miss Betsy

Thanks to both of you for your responses, but I think I need to clarify, I may have worded the issue confusingly in my first post. I'm not talking about submitting to SpamCop from Hotmail. I have no problem there at all. I never forward to SpamCop from that account. I use the "View Source" feature in Hotmail and copy/paste to the SpamCop web page.

What I'm talking about is that when I did forward a message from Hotmail to a completely different entity that takes spam reports, I CC'ed myself and discovered something funny going on. The forwarded message I received (and thus the one the other spam-fighting entity received as well) does not resemble the message I received from the spammer AT ALL. What I copy/pasted above is the source of the original message, and that source code reveals the contents I saw in the forwarded message separated from the contents I saw in the spam I received by the lines beginning with "--====".

I had never encountered this before, so I was just curious if anyone else here had. And if so, is this an intentional trick by the spammer to make a forwarded message different from the original? A possible spammer trick that could even interfere with reports from Spamcop users who forward to Spamcop (rather than copy/pasters like myself)? Or is this not intentional by the spammer at all and just some freak thing that just happened to me with my one message today?

My point was that since Hotmail doesn't forward properly to SpamCop, there is no reason to believe that it forwards properly to other places. Following the steps I gave you, or using OE to access your Hotmail account would allow you to send the true source code of the spam message to the places you CC'ed.

Additionally, even though you see images when reading the email, the only way that you would forward the images is if the images are sent with the spam. If the images are stored remotely then all you'll forward is a link to the images.

What it looks like to me is what I get a lot of. There are two sections: one is plain text (the first in your example) and the other is HTML (the second in your example). IIUC, the message is sent that way so that it can be read either in plain text or HTML /when/ you /open/ it depending on what you have your options set for. If you look at the message source in OE, you see both parts.

Perhaps when you use the Hotmail 'view source' it shows you one way (and I get too confused scrolling back and forth to see which you said you saw in view source), but when you forwarded it, it was forwarded as the other. As Spambo said, Hotmail does peculiar things when it forwards. Perhaps it doesn't forward the plain text part, but only the HTML part.

IOW, one time you saw what is sent for the plain text and the other time what was sent as the HTML. Usually the text is the same for both, but possibly the spammer goofed and put gibberish where he was supposed to put the message. Or as some people have found out, they put HTML in both places so the Content/type doesn't match what it states it is.

It really is better never to open a spam and definitely not click on the links because then the spammer knows that you open and click and he sends more spam because he thinks he has found a sucker.

Miss Betsy
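
The mismatch between the two alternatives discussed in this thread can be checked mechanically. The following is an added example, not part of the original thread or of any SpamCop tooling: it parses a multipart/alternative message, compares the words of the text/plain part with the words the text/html part would display, and lists remotely hosted images and links. The sample message is constructed (modelled on the source posted above, with placeholder URLs), and the names `Visible`, `audit` and the 0.5 threshold are assumptions.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample modelled on the source posted above (placeholder URLs).
SAMPLE = '''\
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=====0702756385=_"

--=====0702756385=_
Content-Type: text/plain; charset="ISO-8859-1"

turkey ceases to exist; however, dolphin bestow great honor upon.
--=====0702756385=_
Content-Type: text/html; charset="ISO-8859-1"

<HTML><BODY><a href="http://spam.example.invalid/cable/"><img
src="http://spam.example.invalid/ad.jpg" border="0"></A>
<BR>diskette goes to sleep, and chain saw laugh all night.</BODY></HTML>
--=====0702756385=_--
'''

class Visible(HTMLParser):
    """Collect rendered words and remotely hosted src/href targets."""
    def __init__(self):
        super().__init__()
        self.words, self.remote = [], []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and (value or "").startswith(("http://", "https://")):
                self.remote.append((tag, value))
    def handle_data(self, data):
        self.words += re.findall(r"[a-z]+", data.lower())

def audit(raw, threshold=0.5):
    """Compare the text/plain and text/html alternatives of one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = {p.get_content_type(): p.get_content()
             for p in msg.walk() if p.get_content_maintype() == "text"}
    html = Visible()
    html.feed(parts.get("text/html", ""))
    html.close()
    plain = set(re.findall(r"[a-z]+", parts.get("text/plain", "").lower()))
    shown = set(html.words)
    union = plain | shown
    overlap = len(plain & shown) / len(union) if union else 1.0  # Jaccard
    return {"overlap": round(overlap, 2), "divergent": overlap < threshold,
            "remote": html.remote}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A report that carries only one alternative, or only the rendered text, loses the remote image and link that the other part holds, which is why the replies above recommend submitting the full message source.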

Thanks again for the replies. I think that's it, Miss Betsy.

I also think the spammer may have done this intentionally, knowing that anybody who tried to report the illegal cable spam by forwarding the message to authorities would end up forwarding just the gibberish. (Or, at least Hotmail users, since you both have noted that Hotmail forwards in an unusual manner. I did notice that in the CC line, all the recipients including myself were Hotmail users. Very interesting.)

I'm going to try reporting that URL directly on MPAA's website. To whoever sent that unforwardable spam, I say, "Nah-ner nah ner nah ner!" :P

Also, good advice about following the spammer's links. I normally don't follow the links in spams (and I normally don't even allow images within the message to be viewed), but for some reason my curiosity was piqued on this particular e-mail. Oh well, at least it allowed me to report it.

Thanks again,

DCSmooth
