Jump to content

Obfuscated HTML code in spam


Recommended Posts

I think the spammer has begun to obfuscate the html code in the body and therefore hide the href link in the mail from Spamcop. I think it's java scri_pt but i am not sure. Clicking the source headers make the body garbled unable to analyze anything. Is there away to reveal it for easy inspection?

Here's the Spamcop tracking URL



It looks like this

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =charset=3Dwindows-1252"><title>Uncle adam taking another of villa =rosa.</title></head><body><p style=3D"color:#1E545B; =font-size:19pt">Hel̇lo  sexy =rabbit ))</p><p style=3D"color:#1E545B; font-size:19pt">i found =yo̯ur pics on FB . =you ar֣e cute !</p><p =style=3D"color:#1E545B; font-size:19pt">r u =onlịne? i want to get =f%cked by a stud right now =i'm 27́/f wُith big =b00bs. let's talk and =m̦eeًtup</p><p style=3D"color:#1E545B; =font-size:19pt"></p><p style=3D"color:#1E545B; font-size:19pt">my =page  - <a =href=3D"http://zzgdgjhp.Trut=04;Dating.ru"><u>http:/=;/zzgdgjhp.TruthDating.r=17;</u></a></p><p></p><p style=3D"color:#1E545B; =font-size:19pt"><b>Spank me while I suck =you g͔ood? SMS me [at] ="574-212-O295" !</b></p><p =style=3D"color:#1E545B; font-size:19pt"> TALK =S00N!</p></body></html>
Link to comment
Share on other sites

Thanks for the TRACKING URL
There is nothing magic about the body of this spam. They have just inserted several encoded printable and non-printable characters (xx) in between printable characters so you can see the text on the screen but it is harder to parse. If I replace the non-printable characters with "_" and underline the encoded readable characters, you can see what is on the screen. Starting on the 5th line after the html (font-size:19pt">)
Hel_lo sexy rabbit ))

So you can see the char "He", encoded "l", non-print char ̇, char "lo se", encoded "xy " (the "=" is a line continuation)
char "ra", encoded "bbit" and finely char " ))" followed by the html end of paragraph tag </p> QED

When you look at your spam email, you can see the link to pornography, I assume. The (a) parser can do the same, and be fairly sure of getting the correct link. The key here is "fairly sure." Wanting of have ZERO false-positives when identifying the source of spam or the links in the spam, SpamCop doesn't want to make an error when dealing with this obfuscation.

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...