Jump to content

Obfuscated HTML code in spam


klappa
 Share

Recommended Posts

I think the spammer has begun to obfuscate the html code in the body and therefore hide the href link in the mail from Spamcop. I think it's java scri_pt but i am not sure. Clicking the source headers make the body garbled unable to analyze anything. Is there away to reveal it for easy inspection?

Here's the Spamcop tracking URL

https://www.spamcop.net/sc?id=z6225928399z231c6716047d47bd33df0246ce797290z

Thanks!

It looks like this

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =charset=3Dwindows-1252"><title>Uncle adam taking another of villa =rosa.</title></head><body><p style=3D"color:#1E545B; =font-size:19pt">Hel̇lo  sexy =rabbit ))</p><p style=3D"color:#1E545B; font-size:19pt">i found =yo̯ur pics on FB . =you ar֣e cute !</p><p =style=3D"color:#1E545B; font-size:19pt">r u =onlịne? i want to get =f%cked by a stud right now =i'm 27́/f wُith big =b00bs. let's talk and =m̦eeًtup</p><p style=3D"color:#1E545B; =font-size:19pt"></p><p style=3D"color:#1E545B; font-size:19pt">my =page  - <a =href=3D"http://zzgdgjhp.Trut=04;Dating.ru"><u>http:/=;/zzgdgjhp.TruthDating.r=17;</u></a></p><p></p><p style=3D"color:#1E545B; =font-size:19pt"><b>Spank me while I suck =you g͔ood? SMS me [at] ="574-212-O295" !</b></p><p =style=3D"color:#1E545B; font-size:19pt"> TALK =S00N!</p></body></html>
Edited by klappa
Link to comment
Share on other sites

Thanks for the TRACKING URL
There is nothing magic about the body of this spam. They have just inserted several encoded printable and non-printable characters (xx) in between printable characters so you can see the text on the screen but it is harder to parse. If I replace the non-printable characters with "_" and underline the encoded readable characters, you can see what is on the screen. Starting on the 5th line after the html (font-size:19pt">)
Hel_lo sexy rabbit ))

So you can see the char "He", encoded "l", non-print char ̇, char "lo se", encoded "xy " (the "=" is a line continuation)
char "ra", encoded "bbit" and finely char " ))" followed by the html end of paragraph tag </p> QED

When you look at your spam email, you can see the link to pornography, I assume. The (a) parser can do the same, and be fairly sure of getting the correct link. The key here is "fairly sure." Wanting of have ZERO false-positives when identifying the source of spam or the links in the spam, SpamCop doesn't want to make an error when dealing with this obfuscation.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...