Multipart/Alternative without a text/html version


cppgenius

We all know spammers love to transgress the e-mail standards (or any standards for that matter). Lately I've seen several multipart/alternative spam e-mails without the text/html version.

1. Is it a way to bypass the spam filters? I really can't see how, because a proper spam filter should penalise an e-mail containing different plain-text and html versions. In this case it is not really a different html version; it is completely missing.

2. Are they trying to break the parser of services like spamcop? Again, I can't see how: the e-mail still has proper boundaries; it can only pose a problem to a parser that ignores the text version in a multipart e-mail.

Any ideas what the spammers are trying to achieve? Below is an example of such an e-mail.

X-Apparently-To: x via 216.252.111.94; Tue, 01 Jul 2008 22:56:48 -0700
X-YahooFilteredBulk: 122.44.126.89
X-Originating-IP: [122.44.126.89]
Authentication-Results: mta220.mail.re3.yahoo.com  from=yahoo.com; domainkeys=neutral (no sig)
Received: from 122.44.126.89  (HELO mta220.mail.re3.yahoo.com) (122.44.126.89)
  by mta220.mail.re3.yahoo.com with SMTP; Tue, 01 Jul 2008 22:56:47 -0700
Received: from 240.35.121.227 by; Wed, 02 Jul 2008 07:54:16 +0200
From: "Horace " <npcoaiycqmmc[at]yahoo.com>
Reply-To: "Horace " <njwjdajtg[at]yahoo.com>
To: x
Subject: Same meds but much cheaper
Date: Tue, 19 Jan 38 03:14:07 GMT
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="--5382928713776627084"
X-Priority: 3
X-MSMail-Priority: Normal

----5382928713776627084
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Hello !

Now you have the opportunity to save your time and money!

With US based online p/h/a/r/m/acy store you can buy any meds you need!

Forget about prescriptions and doctors. Now you save your time. 

Forget about high prices at local stores. Save your money now! 




Go visit	http://nomffioew.info  



seplg

----5382928713776627084--


...Any ideas what the spammers are trying to achieve, below is an example of such an e-mail?...
I would suppose they're simply trying to deliver as much readable throughput as possible. From the looks of the headers this is a "manufactured" message which was put together using one of the tools in a spamkit[1], using a real message as something of a template, the text/HTML part being omitted because it is not necessary and only complicates the rapid variation of the message body.

It certainly doesn't seem to attempt to fool the SC toolset specifically, which it appears would produce the correct results (which I don't propose to elaborate here, JIC). It is more important for them, these days, to fool the ISP/Provider's inwards filtering, hence the ability to rapidly (perhaps programmably) change the content would be more critical IIUC.

[1] I recently noticed a publicly-advertized, cut-price example with "175+ tools" including:

27) Advanced Spoofer

28) Advanced Anonymous E-mailer

29) Simple Anonymous E-mailer

30) Anonymous E-mailer with Attachment Support

31) Mass E-mailer

32) E-mail Bomber

33) E-mail Spoofer


It is more important for them, these days, to fool the ISP/Provider's inwards filtering

I agree, and the rapid variation of the message body certainly makes sense, but a multipart/alternative without an html version is a clear giveaway that the e-mail is spam. The spammers are making it too easy to identify it as spam.

There must be something else or this simply proves rule #3. :D


... a multipart/alternative without an html version is a clear giveaway that the e-mail is spam. The spammers are making it too easy to identify it as spam....
Yes, we might "take corruption from that particular fault," as the bard would have it, but are there filters that actually check for that? The 'standards' are, as Hamlet had said, "More honour'd in the breach than the observance." Not that this is a good thing but so much 'proper' traffic is mangled in complex ways within the composition, transmission, relaying, receipt and rendering chain. I don't know, just wondering.

  • 2 years later...
1. Is it a way to bypass the spam filters, I really can't see how, because a proper spam filter should penalise an e-mail containing different plain-text and html versions.

Not sure this is a valid assertion. A simple example would be an unsubscribe link. Using a graphic in the html version unsubscribe.gif and the words in the plain-text version.

Would be a shame to reject a valid email because a top-down parsing of the html results in different order of paragraphs than is in the plain-text version. Of course this is not much of an issue. In most of the spam I bother to look at the plain-text part (if present) is gibberish unrelated in any way to the html part.
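
Added example, not written by any poster in this thread and not SpamCop's code: one way a filter could test for the structure discussed above, a multipart/alternative message that offers a single alternative and no text/html part, using Python's standard `email` package. The function names and both sample messages are constructed for illustration; the second sample shows HTML nested inside multipart/related, which a naive check would misreport as missing.

```python
from email import message_from_string

def offered_types(msg):
    """Content types of all leaf parts, descending into nested containers."""
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]

def check_alternative(raw):
    """Return findings for one raw message; an empty list means nothing odd."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/alternative":
        return []
    if not msg.is_multipart():  # boundary declared but never found in the body
        return ["multipart/alternative declared but no parts found"]
    findings = []
    if len(msg.get_payload()) < 2:
        findings.append("only one alternative")
    if "text/html" not in offered_types(msg):
        findings.append("no text/html part")
    return findings

# Constructed sample shaped like the message quoted in the first post.
SINGLE_PART = """\
Content-Type: multipart/alternative; boundary="--b1"

----b1
Content-Type: text/plain;

Hello !
----b1--
"""

# Constructed sample: plain text plus HTML wrapped in multipart/related.
WITH_HTML = """\
Content-Type: multipart/alternative; boundary="alt"

--alt
Content-Type: text/plain

To unsubscribe, reply to this message.
--alt
Content-Type: multipart/related; boundary="rel"

--rel
Content-Type: text/html

<img src="cid:unsubscribe.gif" alt="unsubscribe">
--rel--
--alt--
"""
```

A finding here is a scoring signal rather than a verdict, in line with the last post's point that legitimate mail can differ between its parts.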
