Are these Spam?


tudorbug

A question, please.

I have been receiving mail that originates from domains that I have recorded as persistent sources of spam. This spam consists of a portion of text such as:

"and was shut up like a family vault I was still painfully conscious of my youth

But now I mean to do it returned the stocky My first master will succeed me

at the bottoms of several small decanters I am of this opinion because while I was reading"

which is an exact copy of a recent one, and an attachment which is a *.gif file. In the example at hand the attachment was named "Ufief" followed by the .gif ending.

I have never dared open one of the attachments.

My spam load is eight to 15 to 20 emails a day. Half or more are of this type with the remainder consisting of the usual opportunities to purchase porn, replica watches, medical supplies and so forth. Each is processed using SpamCop and the domains are carefully added to my Norton Anti-spam file.

Is anyone else experiencing these instances of spam consisting of meaningless text with a *.gif attachment or am I alone?

And, what is the purpose from the spammer's end of sending such email? It contains absolutely no hope of selling anything.

Thank you very kindly, David

Link to comment
Share on other sites

Is anyone else experiencing these instances of spam consisting of meaningless text with a *.gif attachment or am I alone?

And, what is the purpose from the spammer's end of sending such email?  It contains absolutely no hope of selling anything.

36600[/snapback]

This posting was found in the Forum section SpamCop Discussion > Discussions & Observations > How to use .... > SpamCop Forum ... yet, there is nothing seen of a "How to use the Forum" question, remark, or tutorial offered ... Post is therefore being moved to the Lounge area (based on that there wasn't even a Reporting issue being brought up).

Link to comment
Share on other sites

Is anyone else experiencing these instances of spam consisting of meaningless text with a *.gif attachment or am I alone?

And, what is the purpose from the spammer's end of sending such email?  It contains absolutely no hope of selling anything.

36600[/snapback]

Can't say for sure but my expectation is that these attachments are worm/trojan type files. The true extension is probably being hidden by your mail program.

You are right to be suspicious.

Andrew

Link to comment
Share on other sites

Sounds like standard spam to me David. The random text is an effort to get past spam filters. Of course it doesn't fool my Norton Anti-spam filter either. But there are others in the world not as well protected as you are.

You are correct to NOT open any of the attachments.

One of the current trends in spam is to put the text advertising viagra, porn, watches, etc. in a graphic file (*.gif) so that anti-spam programs like yours can't find 'key words' used to identify spam. When the unwary click on the graphic you are sent to their web page which may download malicious software onto your computer, in addition to trying to sell you something.

Keep vigilant and keep using SpamCop to report the spam.

Link to comment
Share on other sites

When the unwary click on the graphic you are sent to their web page

36605[/snapback]

What is the exact mechanism for this? I thought "gif" was a "safe" extension to view. Thanks!
Link to comment
Share on other sites

Folks:

I extend my sincere thanks for your thoughtful replies.

It had not occurred to me that the *.gif file might contain the connection to what the spammers would be trying to sell.

I am grateful. I will continue to address such email with the full capability offered by SpamCop.

Very kindly, David

Link to comment
Share on other sites

 

What is the exact mechanism for this?  I thought "gif" was a "safe" extension to view. 

36608[/snapback]

 

<HTML>
<BODY>
<A href="http://www.spamaroma.webpage.gotya.de">
     <IMG src="your_Message.gif">
</A>
</BODY>
</HTML>

The above code is in your email, so when you click on the anchor, the href is loaded into your browser along with any malware that the spammer chooses. Of course, there are several levels of protection one can take to prevent this scenario from working. There are still people that can't resist clicking on the cheap watch/cartoon etc. But then that's why it works and there are always more zombies.

Lou

Link to comment
Share on other sites
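As an added example (not part of any post in this thread), the two concerns raised above, an attachment whose real type is not what its name claims and an image wrapped in a link, can both be checked on the raw message without opening or rendering anything. The function names and the sample message are constructed for illustration; the HTML is the snippet from Lou's post.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Leading bytes of the image formats a mail client renders inline.
MAGIC = {"gif": (b"GIF87a", b"GIF89a"), "png": (b"\x89PNG\r\n\x1a\n",),
         "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",)}

class LinkedImages(HTMLParser):
    """Record (href, src) for each <img> that sits inside an <a href=...>."""
    def __init__(self):
        super().__init__()
        self.href, self.pairs = None, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.href = attrs.get("href")
        elif tag == "img" and self.href:
            self.pairs.append((self.href, attrs.get("src")))
    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None

def inspect(raw: bytes) -> list:
    """Return findings for one raw message without rendering or opening anything."""
    findings = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename()
        if name:
            exts = [e.lower() for e in name.split(".")[1:]]
            data = part.get_payload(decode=True) or b""
            if exts and exts[-1] in MAGIC and not data.startswith(MAGIC[exts[-1]]):
                findings.append(("extension-mismatch", name))   # bytes are not that image type
            elif any(e in MAGIC for e in exts[:-1]):
                findings.append(("hidden-extension", name))     # e.g. name.gif.<other>
        elif part.get_content_type() == "text/html":
            parser = LinkedImages()
            parser.feed(part.get_content())
            findings += [("linked-image", h, s) for h, s in parser.pairs]
    return findings

def sample(payload=b"MZ constructed placeholder bytes", filename="Ufief.gif") -> bytes:
    """Constructed test message: filler text, the thread's HTML, one attachment."""
    m = EmailMessage()
    m.set_content("and was shut up like a family vault")
    m.add_alternative('<html><body><a href="http://www.spamaroma.webpage.gotya.de">'
                      '<img src="your_Message.gif"></a></body></html>', subtype="html")
    m.add_attachment(payload, maintype="image", subtype="gif", filename=filename)
    return m.as_bytes()
```

Calling `inspect(sample())` reports both the linked image and the attachment whose content does not start with a GIF signature.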

But it is safe to view the "gif" attachment without rendering the HTML, right? I do this sometimes, to confirm the content when the source of the headers and body are inconclusive re solicitedness. I can do this in OE6 because I "Read all messages in plain text".

Link to comment
Share on other sites

But it is safe to view the "gif" attachment without rendering the HTML, right? ...

36619[/snapback]

Any image can contain extra data. Not aware of any exploits using the trick but apparently it is possible - see http://www.jjtc.com/Steganography/

I'm curious - are many of those images you "see" malformed - unviewable? There was quite a furore in the Eudora forums some time ago, "they" noticed it because of a resource leakage problem freezing up their systems when Eudora tried to render the things - http://eudorabb.qualcomm.com/showthread.php?t=5251 On a sample of one of a similar type to that mentioned in the OP I found the attached .gif was unviewable. Probably just another example of spammer incompetence (Hanlon's Razor - "Do not attribute to malevolence what can be ascribed to simple incompetence."), but one can't be sure.

How pathetic - noticed one of the respondents in the Eudora forum "emailed the spammer's website, asking that the .gifs be fixed so he could receive his spam properly"!!! Also, note their Moderator's signature - something to emulate?

Link to comment
Share on other sites

note their Moderator's signature - something to emulate?

36623[/snapback]

Do you mean this one from http://eudorabb.qualcomm.com/member.php?userid=125?
Before posting a message, please take the time to SEARCH for threads where the same question has already been answered. You make it harder on everyone by starting an entirely new thread for a question that has already been addressed.

When posting ALWAYS include information about: 1. the version of Eudora you are using? 2. Paid, Light or Sponsored Mode? 3. the version of Windows you are using?

WHEN RELEVANT tell us: 4. Which Anti -Virus, -spam and -Spyware program(s), firewall you are using ?

Link to comment
Share on other sites

  I do this sometimes, to confirm the content when the source of the headers and body are inconclusive re solicitedness.  I can do this in OE6 because I "Read all messages in plain text". 

36619[/snapback]

 

Well Jeff, between us girls, I wouldn't. Looking at your sig file, I wonder why a belts and suspenders guy like you (or me) would. <g>

In the earlier post I was referring to the displayed graphics, not the file (*.gif), but Farelf makes a good point. Not to be overly paranoid I think at this time the risk is probably fairly small. And with proper (updated) protection ...

On a strictly personal note "solicitedness"? I'm having trouble finding that in my English to second language dictionary <g>.

Link to comment
Share on other sites

On a strictly personal note "solicitedness"? I'm having trouble finding that in my English to second language dictionary <g>.

36626[/snapback]

The initial definition (see below) of "solicitedness" was "whether or not the recipient has requested (explicitly or implicitly) that the message be sent." I would extend the recipient portion to include the recipient's heirs, successors, and assigns. I consider "solicitedness" to be a probability, ranging from 0% to 100%. For some accounts I monitor and/or own, I need to examine the content, because the intended recipient says "I only solicited certain types of emails from that entity". Ref: 23 hits at http://www.google.com/search?q=solicitedne...en&lr=&filter=0, 45 hits at http://groups.google.com/groups?q=solicite...r=0&sa=N&tab=wg, and especially the following first reference I found at http://groups.google.com/group/news.admin...._Zbqc9mhv-tzYzF (emphasis mine):
From: gbyshenk[at]tezcat.com (gregory byshenk)
Subject: Re: WHO IS RBL?
Date: 1998/02/01
Message-ID: <1998020118091010181104[at]gbyshenk.tezcat.com>#1/1
X-Deja-AN: 321200705
References: <6aa967$ae7[at]sjx-ixn1.ix.netcom.com> <6aafk2$5kh[at]dfw-ixnews3.ix.netcom.com> <slrn6chjo3.ais.postmaster[at]fdma.fdma.com> <6aalnl$jvf[at]sjx-ixn8.ix.netcom.com> <34cf6015.5921555[at]news.tds.net> <34d07b3e.2335756[at]client1.news.psi.net> <6aoodm$pl6[at]calcite.rhyolite.com> <34d58604.9079212[at]news.mindspring.com> <6aqkum$rsl[at]calcite.rhyolite.com> <34d1cbbe.2955404[at]news.mindspring.com> <6at8lc$1ol[at]calcite.rhyolite.com> <34d3cdc8.1051519284[at]news.pc-intouch.com> <6b0n4v$6l0[at]calcite.rhyolite.com>
Organization: Tezcat.COM  - Specialists in human interconnectivity.
Newsgroups: news.admin.net-abuse.email

Vernon Schryver <vjs[at]calcite.rhyolite.com> wrote:

> My point had nothing to do with content filtering, although if you think
> about it, the definition of "unsolicited" depends on content.  If
> "unsolicited" did not depend on content, it would be far easier to teach
> computers to reject spam.

I think that I have to disagree with this.  "Unsolicited" has
little or nothing to do with the content of the message.  Indeed,
you can see that this is the case by comparing the _exact_ same
message sent either by request or "unsolicited":  the _content_
will be the same, but the "solicitedness" will be entirely
different.

In essence, the "solicitedness" of a message is a criterion that
is fundamentally _external_ to the message itself.  It refers to
whether or not the recipient has requested (explicitly or
implicitly) that the message be sent.

To be sure, a determination of "solicitedness" may require
reference to the content of a message (eg:  if I solicit
responses about POP3, a response in the form of MMF will not
be "solicited"), but the "solicitedness" criterion remains
external to the message itself.

And _this_ -- the fact that solicitedness is external to the
message itself -- is what makes it so difficult to teach
computers to reject spam:  there is nothing internal to any
individual message (including its content) that indicates
whether or not it is "solicited" or "unsolicited".

Filtering can work on a certain level because the filtering
is based on such external criteria.  A filter, for example,
could reject anything coming from cyberpromo.com, because
the user of the filter knows that s/he did not request
anything from cyberpromo.  But it is not the content of
the message that makes a difference, here, but the _external_
criterion:  "I didn't request anything from cyberpromo" that
is active.

> a computer cannot detect "unsolicited" without
> content analysis or at least a proxy for content such as "all mail with
> mail_from containing 'cyberpromo.com' is unsolicited."

And this isn't "a proxy for content"; rather, it is an external
criterion applied to content.  It takes the external criterion
"I haven't solicited anything from cyberpromo" and applies it
to the content of the message "from: cyberpromo" to make the
determination that the message is unsolicited.  But one cannot
determine from the content _alone_ (absent the external criterion)
that the message is "unsolicited".

> One difference between the spam of professionals and of the chain letter
> dorks is that the professionals are big enough targets to hit with a law.
> As I wrote, the laws against USPS chain letter have not stopped chain
> letters in the decades they have been enforced.  Laws ensure that big
> targets do not send chain letters because they are big targets, but laws
> do a poor job against mom-and-pop chain letter and pyramid schemes.  If
> Patsy Welfare Mom spams an email chain letter, what are you going to do
> with a law, garnishee $500 of her welfare checks?  On the other hand, if
> Jim Exon spams for campaign contributions, even now without a law and with
> purely lawful and honorable means you can make him regret it.

Is this any different than the simple fact that law will not
_eliminate_ unlawful activity?  Of course _some_ unlawful
activity will always occur, due to the fact that the costs of
an attempt at _total_ elimination outweigh any potential
benefits.

--
+ gregory byshenk  -  gbyshenk[at]tezcat.com  -  gbyshenk[at]prairienet.org +
    == Help take a byte out of spam:  <http://www.cauce.org> ==
=> Now up:  "Help! I've Been Spammed! - A guide for the beginner."
    URL:  <http://www.tezcat.com/~gbyshenk/ive.been.spammed.html>

Link to comment
Share on other sites

"Solicitedness" - why not? If you need an adjectival form, go for it ('specially since "degree of solicitation" seems to mean something scungy in familiar usage)

Do you mean this one from http://eudorabb.qualcomm.com/member.php?userid=125?

36625[/snapback]

That's the one. Possibly save Wazoo the bother of typing out something similar so many times he wears the keycaps off the left-hand side of his keyboard.
Link to comment
Share on other sites

Possibly save Wazoo the bother of typing out something similar so many times he wears the keycaps off the left-hand side of his keyboard.

36640[/snapback]

Guess I need to turn that spy-cam off, huh? Looking at this keyboard, freshly re-inked this morning (strange coincidence?) ... on the 'alpha' side of this keyboard, the only keys not wearing new black ink are the Q, Z, X, and left Alt key ... and now that you bring it up, the E key does have a hole in it <g>

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
