cppgenius Posted July 10, 2008

We all know spammers love to transgress the e-mail standards (or any standards for that matter). Lately I've seen several multipart/alternative spam e-mails without the text/html version.

1. Is it a way to bypass the spam filters? I really can't see how, because a proper spam filter should penalise an e-mail containing different plain-text and html versions. In this case it is not really a different html version, it is completely missing.

2. Are they trying to break the parser of services like spamcop? Again I can't see how, the e-mail still has proper boundaries, it can only pose a problem to a parser that ignores the text version in a multipart e-mail.

Any ideas what the spammers are trying to achieve? Below is an example of such an e-mail:

X-Apparently-To: x via 216.252.111.94; Tue, 01 Jul 2008 22:56:48 -0700
X-YahooFilteredBulk: 122.44.126.89
X-Originating-IP: [122.44.126.89]
Authentication-Results: mta220.mail.re3.yahoo.com from=yahoo.com; domainkeys=neutral (no sig)
Received: from 122.44.126.89 (HELO mta220.mail.re3.yahoo.com) (122.44.126.89) by mta220.mail.re3.yahoo.com with SMTP; Tue, 01 Jul 2008 22:56:47 -0700
Received: from 240.35.121.227 by; Wed, 02 Jul 2008 07:54:16 +0200
From: "Horace " <npcoaiycqmmc[at]yahoo.com>
Reply-To: "Horace " <njwjdajtg[at]yahoo.com>
To: x
Subject: Same meds but much cheaper
Date: Tue, 19 Jan 38 03:14:07 GMT
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--5382928713776627084"
X-Priority: 3
X-MSMail-Priority: Normal

----5382928713776627084
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Hello ! Now you have the opportunity to save your time and money! With US based online p/h/a/r/m/acy store you can buy any meds you need! Forget about prescriptions and doctors. Now you save your time. Forget about high prices at local stores. Save your money now!
Go visit http://nomffioew.info seplg
----5382928713776627084--

Farelf Posted July 11, 2008

...Any ideas what the spammers are trying to achieve, below is an example of such an e-mail?...

I would suppose they're simply trying to deliver as much readable throughput as possible. From the looks of the headers this is a "manufactured" message which was put together using one of the tools in a spamkit[1], using a real message as something of a template, the text/HTML part being omitted because it is not necessary and only complicates the rapid variation of the message body.

It certainly doesn't seem to attempt to fool the SC toolset specifically, which it appears would produce the correct results (which I don't propose to elaborate here, JIC). It is more important for them, these days, to fool the ISP/Provider's inwards filtering, hence the ability to rapidly (perhaps programmably) change the content would be more critical IIUC.

[1] I recently noticed a publicly-advertized, cut-price example with "175+ tools" including:
27) Advanced Spoofer
28) Advanced Anonymous E-mailer
29) Simple Anonymous E-mailer
30) Anonymous E-mailer with Attachment Support
31) Mass E-mailer
32) E-mail Bomber
33) E-mail Spoofer

cppgenius Posted July 11, 2008 (Author)

It is more important for them, these days, to fool the ISP/Provider's inwards filtering

I agree, and the rapid variation of the message body certainly makes sense, but a multipart/alternative without an html version is a clear giveaway that the e-mail is spam. The spammers are making it too easy to identify it as spam. There must be something else or this simply proves rule #3.

Farelf Posted July 12, 2008

... a multipart/alternative without an html version is a clear giveaway that the e-mail is spam. The spammers are making it too easy to identify it as spam....

Yes, we might "take corruption from that particular fault," as the bard would have it, but are there filters that actually check for that? The 'standards' are, as Hamlet had said, "More honour'd in the breach than the observance." Not that this is a good thing but so much 'proper' traffic is mangled in complex ways within the composition, transmission, relaying, receipt and rendering chain. I don't know, just wondering.

Lking Posted August 5, 2010

1. Is it a way to bypass the spam filters, I really can't see how, because a proper spam filter should penalise an e-mail containing different plain-text and html versions.

Not sure this is a valid assertion. A simple example would be an unsubscribe link. Using a graphic in the html version and the words in the plain-text version. Would be a shame to reject a valid email because a top-down parsing of the html results in different order of paragraphs than is in the plain-text version.

Of course this is not much of an issue. In most of the spam I bother to look at, the plain-text part (if present) is gibberish unrelated in any way to the html part.
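
Added example, not part of the original thread and not code from any poster or from SpamCop: a sketch of the filter-side check the thread debates, flagging a multipart/alternative message that has no text/html alternative and, separately, one whose plain-text and HTML parts share almost no words. The function name, finding labels, the 0.3 threshold and the sample messages are assumptions made for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

class _VisibleText(HTMLParser):
    """Collects text nodes of an HTML part; tags and attributes are dropped."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def _words(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def alternative_findings(raw, min_overlap=0.3):
    """Return structural findings for a multipart/alternative message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/alternative":
        return []
    parts = msg.get_payload() if msg.is_multipart() else []
    by_type = {p.get_content_type(): p for p in parts}
    findings = []
    if len(parts) < 2:  # an "alternative" with nothing to choose between
        findings.append("single-alternative")
    if "text/html" not in by_type:
        findings.append("missing-html")
    elif "text/plain" in by_type:
        extractor = _VisibleText()
        extractor.feed(by_type["text/html"].get_content())
        plain = _words(by_type["text/plain"].get_content())
        html = _words(" ".join(extractor.chunks))
        union = plain | html
        # Jaccard word overlap; a low value is a scoring signal, not proof of spam.
        if union and len(plain & html) / len(union) < min_overlap:
            findings.append("text-html-mismatch")
    return findings

# Constructed samples (not messages from the thread), built from (subtype, body) pairs.
def _sample(*parts):
    out = ["MIME-Version: 1.0", 'Content-Type: multipart/alternative; boundary="b1"', ""]
    for subtype, body in parts:
        out += ["--b1", f"Content-Type: text/{subtype}; charset=us-ascii", "", body]
    return "\n".join(out + ["--b1--", ""])

PLAIN_ONLY = _sample(("plain", "Same meds but much cheaper"))
GRAPHIC_LINK = _sample(("plain", "Your invoice is ready. Unsubscribe here."),
                       ("html", '<p>Your invoice is ready.</p><a href="#"><img alt=""></a>'))
GIBBERISH = _sample(("plain", "qzx wvu trs pln"), ("html", "<p>Cheap watches today</p>"))
```

The GRAPHIC_LINK sample mirrors the unsubscribe-graphic case raised in the last post: the two parts differ, but the overlap stays above the threshold, so nothing is flagged.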
Archived
This topic is now archived and is closed to further replies.