cyshuster, posted October 9, 2006

Today I started receiving unintelligible spams, with small gif attachments that don't display, and don't cause an error, either. What's going on? Here's sample text. Another one looked like it was ROT13.

"NOT to use them). and experience of others, you want to learn the better at solving software You'll easily counter with your You're not Head First book, you know the latest research in of the best practices Something more fun. at speaking the language up a creek without design problems Java's built-in pattern when to use them, how "secret language" Facade, Proxy, and Factory Head First Design Patterns Java's built-in pattern who've faced the texts. If you've read a so you look to Design Singleton isn't as simple as it that you can hold your of the best practices advantage learned by those or on the real relationship You want to learn the up a creek without the next time you're You want to learn about real OO design principles learned by those so you look to Design to learn how those and experience of others, how patterns are when to use them, how the same software so you look to Design Facade, Proxy, and Factory (and impress cocktail party guests) your boss told you to learn how those"

Farelf, posted October 9, 2006

> Today I started receiving unintelligible spams, with small gif attachments that don't display, and don't cause an error, either. What's going on?

...Have you reported any of these? Can you post a tracking URL? Some here may be able to make something from the headers and the source code of the GIFs. Too much guesswork without the complete "data" in standard form.

[incidentally, that text is based on the amazon.co.uk review of the book Head First Design Patterns by Freeman, Freeman and Bates - lazy sods of spammers can't even write their own gibberish]

cyshuster (Author), posted October 9, 2006

[edit] Sorry to have violated a rule. I didn't want to disclose my email address. Here's the URL: http://www.spamcop.net/sc?id=z1097575756zb...d5280d9ec7131cz
--Cy--

----------------------------------------------------------------

Here's one, with my email address asterisked. Is there a better way to decode the gif?
--Cy--

Moderator edit: Tracking URL was not provided. The entire spam was posted here, to include an embedded graphic. My lack of humor shows up again. Posted spam deleted. Please see http://forum.spamcop.net/scwik/TrackingURL if you actually need a definition of Tracking URL, noting that entries in the Dictionary and Glossary provided here pre-date the Wiki page ......

turetzsr, posted October 9, 2006

> <snip> Here's the URL: http://www.spamcop.net/mcgi?action=gettrac...rtid=1959189299 <snip>

...Thanks but that's not a tracking URL, either. Please see http://forum.spamcop.net/scwik/TrackingURL and Getting a Tracking URL from a Report ID. ...Thanks!

> <snip> Here's the URL: http://www.spamcop.net/sc?id=z1097575756zb...d5280d9ec7131cz <snip>

...Yep, that's it, thanks!

...Looks to me like one of the common hide-the-spam-in-unrelated-text designed to fool content filters.

cyshuster (Author), posted October 10, 2006

I see -- so the spam content is supposed to be in the GIF attachment, and just doesn't show up for some reason? That makes sense -- thanks. I wondered if the GIF was actually some active content, like a worm or trojan.
--Cy--

Farelf, posted October 10, 2006

Thanks for the tracking URL cyshuster. Note your email address is munged (as long as you've selected that option). If there were any instances where that was not so, you would be quite entitled to manually munge (that is, as you paste the spam source text into the parser box).

The parser has nominated Comcast as the source, usually a fair bet. The Comcast IP (host 68.81.49.130 = c-68-81-49-130.hsd1.pa.comcast.net) is seeing a relatively high volume of activity http://www.senderbase.org/?searchBy=ipaddr...ng=68.81.49.130 and has made it into the abuseat block list, but not the SCBL at this time. In this instance the nominal source (assumed to be forged) actually does "add up" - the sender address matches the IP given (americancommunity.com http://www.dnsstuff.com/tools/mail.ch?doma...ancommunity.com = 208.4.85.34) but the parser finds no reason for Comcast to relay. You apparently use Comcast and if you had Comcast registered in your mailhosts the parse would presumably change its "mind".

The small gif shows no appreciable data from TOASTEDspam. We are always ready to assume "spammer incompetence" but you should not attempt to view these things directly, "just in case". Use a decoder (like the TOASTEDspam one) from the source text (as in the tracking URL).

The usual thought on these "no message" nuisance things is that it is a probe, just looking for valid addresses. Maybe so but why would the spammer omit any opportunity to actually spam in the process? I don't think you can even rely on them to be incompetent. I think if you (try to) open these things in your email you will find your spam load increases. Well, no Nostradamus needed there, (almost) everyone's spam load increases anyway - but never open the things as a principle is my advice, even if they seem too tiny to have a payload.

cyshuster (Author), posted October 10, 2006

Thanks...
--Cy--

rjchaney, posted October 10, 2006

I am running into the same problem. I am getting a flood of these messages, and they all appear as commercial advertisements for stock purchases embedded in the gifs, along with separate Lorem Ipsum text which the word filters cannot catch. I have been tracking them for the past two weeks. In many cases the same message is being sent from different IP addresses originating in Europe and Asia (a few from within the US).

http://www.spamcop.net/sc?id=z1098782149zf...c228920fdcb337z

The problem is very frustrating!

turetzsr, posted October 10, 2006

> <snip> http://www.spamcop.net/sc?id=z1098782149zf...c228920fdcb337z The problem is very frustrating!

...And what problem is it that is frustrating you?

rjchaney, posted October 10, 2006

I'm frustrated in that there appears to be absolutely nothing that I can do to stop it or filter it... the IP addresses are hopping all over the world.

turetzsr, posted October 10, 2006

> I'm frustrated in that there appears to be absolutely nothing that I can do to stop it or filter it... the IP addresses are hopping all over the world.

...Ah, I see. I was confused by your comments, "I am running into the same problem" and "The problem is very frustrating!"

dbsoundz, posted October 11, 2006

We have big problems with these picture spams with nonsense text, too. In most cases I see today no chance to block them. As rjchaney said, the sender IPs are hopping all over the world and the classic block lists aren't working, they have no URLs in the code, much nonsense text... What are others doing to block such mails? We are using a Borderware MXtreme here, but currently I don't know how to catch these mails...

turetzsr, posted October 11, 2006

> <snip> In most cases I see today no chance to block them. As rjchaney said, the sender IPs are hopping all over the world and the classic block lists aren't working, they have no URLs in the code, much nonsense text... What are others doing to block such mails? <snip>

...If you find a way, please let the world know. As far as I know, no one has ever been able to identify a better method for identifying spam than IP blacklists.

...What I would consider doing in your case is to either

- flag anything containing an image file and direct it to either a single location for your mail admin(s) to review before sending on to the end user mailbox or to a special inbox set up for each end user for them to review
- reject any e-mail with an image file attachment with a regretful message indicating that due to spammer abuse, you are not able to accept such messages any longer

dbsoundz, posted October 11, 2006

Yes... these two ways are principally possible... but both are not implementable... What about a picture scanner? Is someone using something like that? I think Barracuda's new spam machine is able to do that and extract the contained text for analyzing... Many image-based spam mails already include not just text but also random graphical nonsense stuff to make the scanner unemployable.

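Added example, not part of any post in this thread: a sketch of Farelf's advice to decode the GIF from the message source instead of opening it, combined with turetzsr's option of holding image-bearing mail for review. It reads only the GIF header fields and never renders the image; the function names, addresses, filenames and the sample message are constructed for illustration.

```python
# Added example (not from the thread). Sample message, addresses and filenames are constructed.
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

def gif_info(data):
    """Read the GIF signature and logical screen descriptor without rendering."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    width, height, packed = struct.unpack("<HHB", data[6:11])
    return {"version": data[3:6].decode("ascii"), "width": width, "height": height,
            "global_color_table": bool(packed & 0x80), "bytes": len(data)}

def inspect_images(raw):
    """List every image/* MIME part in raw message source, decoded but never displayed."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        data = part.get_payload(decode=True) or b""
        info = gif_info(data)
        # mismatch: declared image/gif but the bytes do not start with a GIF signature
        found.append({"filename": part.get_filename(), "declared": part.get_content_type(),
                      "gif": info,
                      "mismatch": part.get_content_type() == "image/gif" and info is None})
    return found

def route(raw):
    """Hold any message carrying an image part for review instead of delivering it."""
    return "quarantine" if inspect_images(raw) else "deliver"

def build_sample():
    """Constructed sample: nonsense text, one tiny 1x1 GIF, one mislabelled part."""
    tiny_gif = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("up a creek without design problems")
    msg.add_attachment(tiny_gif, maintype="image", subtype="gif", filename="a.gif")
    msg.add_attachment(b"MZ not an image", maintype="image", subtype="gif", filename="b.gif")
    return msg.as_bytes()

if __name__ == "__main__":
    for item in inspect_images(build_sample()):
        print(item)
    print(route(build_sample()))
```

The mismatch flag speaks to the question raised earlier of whether the "GIF" is really something else: a part declared as image/gif whose bytes lack the GIF signature is reported without ever being opened in a viewer.
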
This topic is now archived and is closed to further replies.