tudorbug, posted November 25, 2005

A question, please. I have been receiving mail that originates from domains that I have recorded as persistent sources of spam. This spam consists of a portion of text such as:

"and was shut up like a family vault I was still painfully conscious of my youth But now I mean to do it returned the stocky My first master will succeed me at the bottoms of several small decanters I am of this opinion because while I was reading"

which is an exact copy of a recent one, and an attachment which is a *.gif file. In the example at hand the attachment was named "Ufief" followed by the .gif ending. I have never dared open one of the attachments.

My spam load is eight to 15 to 20 emails a day. Half or more are of this type with the remainder consisting of the usual opportunities to purchase porn, replica watches, medical supplies and so forth. Each is processed using SpamCop and the domains are carefully added to my Norton Anti-spam file.

Is anyone else experiencing these instances of spam consisting of meaningless text with a *.gif attachment or am I alone? And, what is the purpose from the spammer's end of sending such email? It contains absolutely no hope of selling anything.

Thank you very kindly,
David

Wazoo, posted November 25, 2005

> Is anyone else experiencing these instances of spam consisting of meaningless text with a *.gif attachment or am I alone? And, what is the purpose from the spammer's end of sending such email? It contains absolutely no hope of selling anything.

This posting was found in the Forum section SpamCop Discussion > Discussions & Observations > How to use .... > SpamCop Forum ... yet, there is nothing seen of a "How to use the Forum" question, remark, or tutorial offered ... Post is therefore being moved to the Lounge area (based on that there wasn't even a Reporting issue being brought up).

agsteele, posted November 25, 2005

> Is anyone else experiencing these instances of spam consisting of meaningless text with a *.gif attachment or am I alone? And, what is the purpose from the spammer's end of sending such email? It contains absolutely no hope of selling anything.

Can't say for sure but my expectation is that these attachments are worm/trojan type files. The true extension is probably being hidden by your mail program. You are right to be suspicious.

Andrew

Lking, posted November 25, 2005

Sounds like standard spam to me, David. The random text is an effort to get past spam filters. Of course it doesn't fool my Norton Anti-spam filter either. But there are others in the world not as well protected as you are.

You are correct to NOT open any of the attachments. One of the current trends in spam is to put the text advertising viagra, porn, watches, etc. in a graphic file (*.gif) so that anti-spam programs like yours can't find 'key words' used to identify spam. When the unwary click on the graphic you are sent to their web page which may download malicious software onto your computer, in addition to trying to sell you something.

Keep vigilant and keep using SpamCop to report the spam.

Jeff G., posted November 25, 2005

> When the unwary click on the graphic you are sent to their web page

What is the exact mechanism for this? I thought "gif" was a "safe" extension to view.

Thanks!

tudorbug (Author), posted November 25, 2005

Folks: I extend my sincere thanks for your thoughtful replies. It had not occurred to me that the *.gif file might contain the connection to what the spammers would be trying to sell. I am grateful. I will continue to address such email with the full capability offered by SpamCop.

Very kindly,
David

Lking, posted November 25, 2005

> What is the exact mechanism for this? I thought "gif" was a "safe" extension to view.

    <HTML>
    <BODY>
    <A href="http://www.spamaroma.webpage.gotya.de">
    <IMG src="your_Message.gif">
    </A>
    </BODY>
    </HTML>

The above code is in your email, so when you click on the anchor, the href is loaded into your browser along with any malware that the spammer chooses.

Of course, there are several levels of protection one can take to prevent this scenario from working. There are still people that can't resist clicking on the cheap watch/cartoon etc. But then that's why it works, and there are always more zombies.

Lou

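The linked-image pattern in the post above can be found in a message without rendering it. The following is an added example, not code from the thread: `LinkedImageFinder`, `linked_images` and the sample message are made up here, and the sample reuses the host and file name from the posted HTML.

```python
# Added example: report every <img> that sits inside an <a href> in HTML parts.
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkedImageFinder(HTMLParser):
    """Collect (link_host, image_src) for every <img> inside an <a href>."""

    def __init__(self):
        super().__init__()
        self.open_hrefs = []  # href (or None) of each anchor still open
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "a":
            self.open_hrefs.append(attrs.get("href"))
        elif tag == "img" and self.open_hrefs and self.open_hrefs[-1]:
            host = urlparse(self.open_hrefs[-1]).hostname or ""
            self.hits.append((host, attrs.get("src") or ""))

    def handle_endtag(self, tag):
        if tag == "a" and self.open_hrefs:
            self.open_hrefs.pop()

def linked_images(raw_message):
    """Return linked images found in every text/html part of a message."""
    finder = LinkedImageFinder()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            finder.feed(body)
    return finder.hits

# Constructed sample: filler text part plus HTML like that in the post above.
SAMPLE = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

and was shut up like a family vault
--b1
Content-Type: text/html

<HTML><BODY><A href="http://www.spamaroma.webpage.gotya.de"><IMG src="your_Message.gif"></A></BODY></HTML>
--b1--
"""

if __name__ == "__main__":
    for host, src in linked_images(SAMPLE):
        print(f"image {src!r} links to {host}")
```
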
Jeff G., posted November 26, 2005

But it is safe to view the "gif" attachment without rendering the HTML, right? I do this sometimes, to confirm the content when the source of the headers and body are inconclusive re solicitedness. I can do this in OE6 because I "Read all messages in plain text".

Farelf, posted November 26, 2005

> But it is safe to view the "gif" attachment without rendering the HTML, right? ...

Any image can contain extra data. Not aware of any exploits using the trick but apparently it is possible - see http://www.jjtc.com/Steganography/

I'm curious - are many of those images you "see" malformed - unviewable? There was quite a furore in the Eudora forums some time ago, "they" noticed it because of a resource leakage problem freezing up their systems when Eudora tried to render the things - http://eudorabb.qualcomm.com/showthread.php?t=5251

On a sample of one of a similar type to that mentioned in the OP I found the attached .gif was unviewable. Probably just another example of spammer incompetence (Hanlon's Razor - "Do not attribute to malevolence what can be ascribed to simple incompetence."), but one can't be sure.

How pathetic - noticed one of the respondents in the Eudora forum "emailed the spammer's website, asking that the .gifs be fixed so he could receive his spam properly"!!! Also, note their Moderator's signature - something to emulate?

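Whether a ".gif" attachment really is a GIF (agsteele's point about a hidden true extension) and whether it is malformed or carries extra data after the image (Farelf's point) can both be checked from the bytes alone, without handing the file to a renderer. This is an added example, not code from the thread; `inspect_gif`, its verdict strings and the sample bytes are made up here, and it only walks the block structure without decoding pixels.

```python
# Added example, not code from the thread: structural check of a ".gif" file.
import struct

def skip_sub_blocks(data, pos):
    """Skip length-prefixed sub-blocks; return the offset after the terminator."""
    while True:
        size = data[pos]  # IndexError here means the data is truncated
        pos += 1 + size
        if size == 0:
            return pos

def color_table_len(packed):
    """Byte length of the color table announced by a packed-flags byte."""
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0

def inspect_gif(data):
    """Return (verdict, detail) for bytes claimed to be a GIF image."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return ("not-gif", f"leading bytes {data[:4]!r}")
    try:
        pos = 13 + color_table_len(data[10])  # header + screen descriptor
        images = 0
        while True:
            block = data[pos]
            if block == 0x3B:  # trailer: nothing should follow it
                extra = len(data) - pos - 1
                if extra:
                    return ("trailing-data", f"{extra} bytes after trailer")
                return ("ok", f"{images} image(s)")
            if block == 0x2C:  # image descriptor, optional local color table
                pos += 10 + color_table_len(data[pos + 9])
                pos = skip_sub_blocks(data, pos + 1)  # +1 skips LZW code size
                images += 1
            elif block == 0x21:  # extension: label byte, then sub-blocks
                pos = skip_sub_blocks(data, pos + 2)
            else:
                return ("malformed", f"unknown block 0x{block:02x} at {pos}")
    except IndexError:
        return ("malformed", "truncated before trailer")

# Constructed sample: a 1x1 GIF skeleton (pixel data is not decoded here).
TINY_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    + b"\x00\x00\x00\xff\xff\xff"                      # 2-entry color table
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)  # image descriptor
    + b"\x02\x02\x44\x01\x00"                          # LZW size, data, end
    + b"\x3b"                                          # trailer
)
```
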
Jeff G., posted November 26, 2005

> note their Moderator's signature - something to emulate?

Do you mean this one from http://eudorabb.qualcomm.com/member.php?userid=125?

> Before posting a message, please take the time to SEARCH for threads where the same question has already been answered. You make it harder on everyone by starting an entirely new thread for a question that has already been addressed.
> When posting ALWAYS include information about:
> 1. the version of Eudora you are using?
> 2. Paid, Light or Sponsored Mode?
> 3. the version of Windows you are using?
> WHEN RELEVANT tells us:
> 4. Which Anti -Virus, -spam and -Spyware program(s), firewall you are using ?

Lking, posted November 26, 2005

> I do this sometimes, to confirm the content when the source of the headers and body are inconclusive re solicitedness. I can do this in OE6 because I "Read all messages in plain text".

Well Jeff, between us girls, I wouldn't. Looking at your sig file, I wonder why a belts and suspenders guy like you (or me) would. <g>

In the earlier post I was referring to the displayed graphics, not the file (*.gif), but Farelf makes a good point. Not to be overly paranoid, I think at this time the risk is probably fairly small. And with proper (updated) protection ...

On a strictly personal note "solicitedness"? I'm having trouble finding that in my English to second language dictionary <g>.

Jeff G., posted November 26, 2005

> On a strictly personal note "solicitedness"? I'm having trouble finding that in my English to second language dictionary <g>.

The initial definition (see below) of "solicitedness" was "whether or not the recipient has requested (explicitly or implicitly) that the message be sent." I would extend the recipient portion to include the recipient's heirs, successors, and assigns. I consider "solicitedness" to be a probability, ranging from 0% to 100%. For some accounts I monitor and/or own, I need to examine the content, because the intended recipient says "I only solicited certain types of emails from that entity".

Ref: 23 hits at http://www.google.com/search?q=solicitedne...en&lr=&filter=0, 45 hits at http://groups.google.com/groups?q=solicite...r=0&sa=N&tab=wg, and especially the following first reference I found at http://groups.google.com/group/news.admin...._Zbqc9mhv-tzYzF (emphasis mine):

From: gbyshenk[at]tezcat.com (gregory byshenk)
Subject: Re: WHO IS RBL?
Date: 1998/02/01
Message-ID: <1998020118091010181104[at]gbyshenk.tezcat.com>#1/1
X-Deja-AN: 321200705
References: <6aa967$ae7[at]sjx-ixn1.ix.netcom.com> <6aafk2$5kh[at]dfw-ixnews3.ix.netcom.com> <slrn6chjo3.ais.postmaster[at]fdma.fdma.com> <6aalnl$jvf[at]sjx-ixn8.ix.netcom.com> <34cf6015.5921555[at]news.tds.net> <34d07b3e.2335756[at]client1.news.psi.net> <6aoodm$pl6[at]calcite.rhyolite.com> <34d58604.9079212[at]news.mindspring.com> <6aqkum$rsl[at]calcite.rhyolite.com> <34d1cbbe.2955404[at]news.mindspring.com> <6at8lc$1ol[at]calcite.rhyolite.com> <34d3cdc8.1051519284[at]news.pc-intouch.com> <6b0n4v$6l0[at]calcite.rhyolite.com>
Organization: Tezcat.COM - Specialists in human interconnectivity.
Newsgroups: news.admin.net-abuse.email

Vernon Schryver <vjs[at]calcite.rhyolite.com> wrote:

> My point had nothing to do with content filtering, although if you think
> about it, the definition of "unsolicited" depends on content. If
> "unsolicited" did not depend on content, it would be far easier to teach
> computers to reject spam.

I think that I have to disagree with this. "Unsolicited" has little or nothing to do with the content of the message. Indeed, you can see that this is the case by comparing the _exact_ same message sent either by request or "unsolicited": the _content_ will be the same, but the "solicitedness" will be entirely different.

In essence, the "solicitedness" of a message is a criterion that is fundamentally _external_ to the message itself. It refers to whether or not the recipient has requested (explicitly or implicitly) that the message be sent.

To be sure, a determination of "solicitedness" may require reference to the content of a message (eg: if I solicit responses about POP3, a response in the form of MMF will not be "solicited"), but the "solicitedness" criterion remains external to the message itself.

And _this_ -- the fact that solicitedness is external to the message itself -- is what makes it so difficult to teach computers to reject spam: there is nothing internal to any individual message (including its content) that indicates whether or not it is "solicited" or "unsolicited".

Filtering can work on a certain level because the filtering is based on such external criteria. A filter, for example, could reject anything coming from cyberpromo.com, because the user of the filter knows that s/he did not request anything from cyberpromo. But it is not the content of the message that makes a difference, here, but the _external_ criterion: "I didn't request anything from cyberpromo" that is active.

> a computer cannot detect "unsolicited" without
> content analysis or at least a proxy for content such as "all mail with
> mail_from containing 'cyberpromo.com' is unsolicited."

And this isn't "a proxy for content"; rather, it is an external criterion applied to content. It takes the external criterion "I haven't solicited anything from cyberpromo" and applies it to the content of the message "from: cyberpromo" to make the determination that the message is unsolicited. But one cannot determine from the content _alone_ (absent the external criterion) that the message is "unsolicited".

> One difference between the spam of professionals and of the chain letter
> dorks is that the professionals are big enough targets to hit with a law.
> As I wrote, the laws against USPS chain letter have not stopped chain
> letters in the decades they have been enforced. Laws ensure that big
> targets do not send chain letters because they are big targets, but laws
> do a poor job against mom-and-pop chain letter and pyramid schemes. If
> Patsy Welfare Mom spams an email chain letter, what are you going to do
> with a law, garnishee $500 of her welfare checks? On the other hand, if
> Jim Exon spams for campaign contributions, even now without a law and with
> purely lawful and honorable means you can make him regret it.

Is this any different than the simple fact that law will not _eliminate_ unlawful activity? Of course _some_ unlawful activity will always occur, due to the fact that the costs of an attempt at _total_ elimination outweigh any potential benefits.

--
+ gregory byshenk - gbyshenk[at]tezcat.com - gbyshenk[at]prairienet.org +
== Help take a byte out of spam: <http://www.cauce.org> ==
=> Now up: "Help! I've Been Spammed! - A guide for the beginner."
URL: <http://www.tezcat.com/~gbyshenk/ive.been.spammed.html>

Lking, posted November 26, 2005

Now I see the problem, that page seems to have been torn from my dictionary.

Miss Betsy, posted November 26, 2005

> Now I see the problem, that page seems to have been torn from my dictionary.

Maybe you should look in the jargon dictionary <g>

Miss Betsy

Farelf, posted November 26, 2005

"Solicitedness" - why not? If you need an adjectival form, go for it ('specially since "degree of solicitation" seems to mean something scungy in familiar usage)

> Do you mean this one from http://eudorabb.qualcomm.com/member.php?userid=125?

That's the one. Possibly save Wazoo the bother of typing out something similar so many times he wears the keycaps off the left-hand side of his keyboard.

Wazoo, posted November 26, 2005

> Possibly save Wazoo the bother of typing out something similar so many times he wears the keycaps off the left-hand side of his keyboard.

Guess I need to turn that spy-cam off, huh? Looking at this keyboard, freshly re-inked this morning (strange coincidence?) ... on the 'alpha' side of this keyboard, the only keys not wearing new black ink are the Q, Z, X, and left Alt key ... and now that you bring it up, the E key does have a hole in it <g>

dbiel, posted November 26, 2005

I found Copenhagen's avatar very interesting.

dra007, posted November 26, 2005

I think they are using their nose to type! Possibly carpal-tunnel syndrome on both hands!

Farelf, posted November 27, 2005

> I found Copenhagen's avatar very interesting.

Ho - thanks for uploading.

> I think they are using their nose to type! ...

There again, it could just be the "dead cat bounce".