Focal Curve

The Spammier, The Better

This article from Wired exposes the amusing phenomenon of geeks comparing spam scores. SpamAssassin is one of the more popular spam filters; it scans the content of each email and tallies a score based on the spamminess it detects in the message. Major red flags such as the phrase “penis enlargement” or the word “offer” in a URL earn high points, and mail clients and servers can be configured to discard messages with especially high total spam scores. Given the tendency of geeks to relish accomplishments that don’t interest normal people at all, it was only natural that people would start comparing their spammiest spams.


Focal Curve’s mail server runs SpamAssassin, but luckily my inbox is relatively spam-free (knock on wood). And actually, just a day or two before I came across this article, I purged my junk mail folder. However, I do own a honeypot address, monty@facehugger.com. Go ahead and harvest it, spambots, see if I care. Facehugger.com is one of several domains offered for free webmail by Dark Horse Comics. It’s especially good for spam sampling because it has very robust user-controlled filters, it’s easy to view the original source of messages including full headers, and they recently installed SpamAssassin.

Monty gets about 5 spams per day, most of which apparently come from the same two or three spammers, since they always follow a similar pattern; that is not even counting the frequent identical copies hawking the same site/product, sent from different forged addresses and routed through different overseas relays. Most of those spams score in the 40s and 50s on SpamAssassin, and that’s after subtracting the 100 points automatically assigned to spams from blacklisted senders.

A spam score higher than 20 is pretty remarkable, and most of the spam I get at my “real” email address scores only around 8-10. So why does Monty get so much spam in the 40-60 range? How stupid and clueless is this persistent and undaunted spammer? Clearly, very. Here is the source of the highest-scored spam currently in storage. It was sent to multiple recipients in the facehugger domain, indicating a likely dictionary attack, but in case some of those other addresses belong to real people I’ve deleted the usernames; no reason for them to get re-harvested here.

  Return-Path: <7ikzo3r4@yeah.net>
  X-Real-To: monty@facehugger.com
  Received: by gator.darkhorse.com (CommuniGate Pro PIPE 4.1)
    with PIPE id 15267111; Sat, 02 Aug 2003 12:35:35 -0700
  Received: from [202.109.117.203] (HELO 209.95.33.142)
    by gator.darkhorse.com (CommuniGate Pro SMTP 4.1)
    with SMTP id 15267088; Sat, 02 Aug 2003 12:35:26 -0700
  Received: from is.clbxq.com [254.100.55.57] by 209.95.33.142
    with ESMTP id F8EB44DA3AA; Sun, 03 Aug 2003 08:33:35 -0300
  Message-ID: <8khs3s7$-q78411$-$$j6s5$yz7l@1fr67d>
  From: "Jay Riley" <7ikzo3r4@yeah.net>
  To: <___ @facehugger.com>, <monty @facehugger.com>,
    <___ @facehugger.com>, <___ @facehugger.com>, <___ @facehugger.com>,
    <___ @facehugger.com>, <___ @facehugger.com>, <___ @facehugger.com>
  Subject: **SPAM Score: 163.01** How to Make your Penis bigger and harder v onplpsbs pjbfcds
  Date: Sun, 03 Aug 03 08:33:35 GMT
  X-Mailer: The Bat! (v1.52f) Business
  MIME-Version: 1.0
  Content-Type: multipart/alternative;
    boundary="119.D__A47DB4__"
  X-Priority: 3
  X-MSMail-Priority: Normal
  X-Spam-Flag: YES
  X-Spam-Checker-Version: SpamAssassin 2.60-cvs (1.195-2003-06-30-exp) on
    gator.darkhorse.com
  X-Spam-Report: * 4.4 DATE_SPAMWARE_Y2K Date header uses unusual Y2K formatting
    * 0.7 RCVD_NUMERIC_HELO Received: contains a numeric HELO
    * 1.0 FROM_HAS_MIXED_NUMS From: contains numbers mixed in with letters
    * 4.3 IMPOTENCE BODY: Impotence cure
    * 2.0 AS_SEEN_ON BODY: As seen on national TV!
    * 4.3 PENIS_ENLARGE BODY: Information on getting larger penis/breasts
    * 3.3 PENIS_ENLARGE2 BODY: Information on getting larger penis/breasts
    * 0.1 EXCUSE_3 BODY: Claims you can be removed from the list
    * 0.0 REMOVE_FROM_LIST BODY: To be removed from list
    * 0.6 CLICK_BELOW_CAPS BODY: Asks you to click below (in capital letters)
    * 0.1 HTML_FONTCOLOR_RED BODY: HTML font color is red
    * 0.3 LINES_OF_YELLING_2 BODY: 2 WHOLE LINES OF YELLING DETECTED
    * 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue
    * 0.2 HTML_50_60 BODY: Message is 50% to 60% HTML
    * 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 0.2 HTML_LINK_CLICK_CAPS BODY: HTML link text says "CLICK"
    * 0.1 HTML_FONT_BIG BODY: HTML has a big font
    * 0.0 LINES_OF_YELLING BODY: A WHOLE LINE OF YELLING DETECTED
    * 0.1 HTML_LINK_CLICK_HERE BODY: HTML link text says "click here"
    * 0.4 HTML_TITLE_UNTITLED BODY: HTML title contains "Untitled"
    * 1.7 WEIRD_PORT URI: Uses non-standard port number for HTTP
    * 0.0 FORGED_RCVD_HELO Received: contains a forged HELO
    * 100 USER_IN_BLACKLIST From: address is in the user's black-list
    * 2.8 SORTED_RECIPS Recipient list is sorted by address
    * 4.3 RCVD_IN_OPM RBL: Received via a relay in opm.blitzed.org
    * [202.109.117.203 listed in opm.blitzed.org]
    * 0.5 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
    * [202.109.117.203 listed in dnsbl.njabl.org]
    * 1.6 RCVD_IN_RFCI RBL: Sent via a relay in ipwhois.rfc-ignorant.org
    * [Inaccurate or missing WHOIS data]
    * 1.1 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
    * [<http://dsbl.org/listing?ip=202.109.117.203>]
    * 1.4 DNS_FROM_RFCI_DSN RBL: From: sender listed in dsn.rfc-ignorant.org
    * 1.1 RCVD_IN_SORBS_HTTP RBL: SORBS: sender is open HTTP proxy server
    * [202.109.117.203 listed in dnsbl.sorbs.net]
    * 1.1 RCVD_IN_OSIRU_PROXY RBL: OSIRU: sender is open proxy server
    * [202.109.117.203 listed in relays.osirusoft.com]
    * 1.0 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
    * [202.109.117.203 listed in dnsbl.sorbs.net]
    * 4.3 RCVD_IN_OPM_HTTP RBL: OPM: sender is open HTTP CONNECT proxy
    * [202.109.117.203 listed in opm.blitzed.org]
    * 1.1 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
    * [202.109.117.203 listed in dnsbl.njabl.org]
    * 3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    * [Blocked - see <http://spamcop.net/bl.shtml?202.109.117.203>]
    * 2.0 RCVD_IN_OSIRU RBL: OSIRU: Sent via relay in relays.osirusoft.com
    * [202.109.117.203 listed in relays.osirusoft.com]
    * 4.3 FORGED_MUA_THEBAT Mail pretending to be from The Bat! (mid)
    * 1.7 FORGED_THEBAT_HTML The Bat! can't send HTML message only
    * 1.4 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
    * 4.3 FORGED_MUA_THEBAT_BOUN Mail pretending to be from The Bat! (boundary)
    * 0.0 UPPERCASE_25_50 message body is 25-50% uppercase
    * 1.8 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
    * 0.1 MISSING_OUTLOOK_NAME Message looks like Outlook, but isn't
  X-Spam-Status: Yes, hits=163.0 required=7.5 tests=AS_SEEN_ON,CLICK_BELOW_CAPS,
    DATE_SPAMWARE_Y2K,DNS_FROM_RFCI_DSN,EXCUSE_3,FORGED_MUA_THEBAT,
    FORGED_MUA_THEBAT_BOUN,FORGED_RCVD_HELO,FORGED_THEBAT_HTML,
    FROM_HAS_MIXED_NUMS,HTML_50_60,HTML_FONTCOLOR_BLUE,HTML_FONTCOLOR_RED,
    HTML_FONT_BIG,HTML_LINK_CLICK_CAPS,HTML_LINK_CLICK_HERE,HTML_MESSAGE,
    HTML_TITLE_UNTITLED,IMPOTENCE,LINES_OF_YELLING,LINES_OF_YELLING_2,
    MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,
    PENIS_ENLARGE,PENIS_ENLARGE2,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,
    RCVD_IN_NJABL,RCVD_IN_NJABL_PROXY,RCVD_IN_OPM,RCVD_IN_OPM_HTTP,
    RCVD_IN_OSIRU,RCVD_IN_OSIRU_PROXY,RCVD_IN_RFCI,RCVD_IN_SORBS,
    RCVD_IN_SORBS_HTTP,RCVD_NUMERIC_HELO,REMOVE_FROM_LIST,SORTED_RECIPS,
    UPPERCASE_25_50,USER_IN_BLACKLIST,WEIRD_PORT autolearn=no version=2.60-cvs
  X-Spam-Level: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  X-TFF-CGPSA-Filter: Scanned
  X-TFF-CGPSA-Version: 1.1b4 (gator.darkhorse.com)

  This is a multi-part message in MIME format.

  --119.D__A47DB4__
  Content-Type: text/html;
  Content-Transfer-Encoding: quoted-printable

  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  <html>
  <head>
  <!-- TemplateBeginEditable name=3D"doctitle" -->
  <title>Untitled Document</title>
  <!-- TemplateEndEditable -->
  <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859=-1">
  <!-- TemplateBeginEditable name=3D"head" -->
  <!-- TemplateEndEditable -->
  </></></meta></></></head>

  <body>
  <table width=3D"59%" height=3D"231" border=3D"1">
  <tr>
  <td bgcolor=3D"#66FFCC"><div align=3D"center">
  <p><font color=3D"#0000FF" size=3D"5"><strong>ENLARGE
  YOUR PENIS AND STOP PREMATURE EJACULATION</strong></font></p>
  <p>Take advantage of our free bottle offer, as seen on T.V.</p>
  <p>Natural Gains Plus is the worlds most effective Male Enlargemen=
  t Pill with over 100,000 customers worldwide. Our breakthrough pill is =
  Doctor recommended and professionally formulated.</p>
  <p><a href=3D"http://www.cost-stock.com:26000/enlarge2"><font colo=
  r=3D"#FF0000"><strong>CLICK HERE FOR
  MORE INFO</strong></font></a></p>
  <p><strong><font color=3D"#000000">INCREASE YOUR PENIS SIZE 2 TO 5=
  INCHES!</font></strong></p>
  <p><a href=3D"http://www.cost-stock.com:26000/enlarge2"><font colo=
  r=3D"#FF0000" size=3D"5"><strong>CLICK HERE FOR MORE INFO</strong></font></a></p>
  <p> </p>
  <p><a href=3D"http://www.cost-stock.com:26000/enlarge2/o.html">Cli=
  ck to be removed from our list</a>
  </p></div></td>>
  </tr></table>
  </body>e></html>
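Because the total is nothing more than a sum of per-rule hits, the X-Spam-Report header above can be checked mechanically. What follows is an added example, not code from the original post and not part of SpamAssassin itself: a small Python parser for the X-Spam-Report and X-Spam-Status headers that tallies the score, recomputes it without the flat 100-point USER_IN_BLACKLIST hit (the subtraction mentioned earlier), and collects which relay IPs the RBL rules flagged. The excerpt it runs on is a constructed subset of the report lines shown above; the function and variable names are this example's own.

```python
import re
from dataclasses import dataclass, field

# One "* <score> <RULE> <description>" line of an X-Spam-Report header.
# The first line carries the header name; the rest are folded continuation lines.
REPORT_LINE = re.compile(
    r"^\s*(?:X-Spam-Report:\s*)?\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z0-9_]+)\s+(.*)$"
)
# A "* [detail]" line that belongs to the rule hit directly above it.
DETAIL_LINE = re.compile(r"^\s*\*\s+\[(.*)\]\s*$")
STATUS_LINE = re.compile(r"hits=(-?\d+(?:\.\d+)?)\s+required=(\d+(?:\.\d+)?)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Hit:
    score: float
    rule: str
    description: str
    details: list = field(default_factory=list)


def parse_report(report: str) -> list:
    """Turn X-Spam-Report text into a list of Hit records, attaching
    each bracketed detail line to the rule hit that precedes it."""
    hits = []
    for line in report.splitlines():
        m = REPORT_LINE.match(line)
        if m:
            hits.append(Hit(float(m.group(1)), m.group(2), m.group(3).strip()))
            continue
        d = DETAIL_LINE.match(line)
        if d and hits:
            hits[-1].details.append(d.group(1))
    return hits


def total_score(hits, exclude=()) -> float:
    """Sum the per-rule scores, optionally leaving out rules such as
    USER_IN_BLACKLIST, which adds a flat 100 regardless of content."""
    return round(sum(h.score for h in hits if h.rule not in exclude), 1)


def rbl_listings(hits) -> dict:
    """Map each IP named in an RBL rule's detail lines to the rules that listed it."""
    listed = {}
    for h in hits:
        if not h.description.startswith("RBL:"):
            continue
        for detail in h.details:
            for ip in IPV4.findall(detail):
                listed.setdefault(ip, []).append(h.rule)
    return listed


def parse_status(status_header: str) -> tuple:
    """Return (hits, required) from an X-Spam-Status header."""
    m = STATUS_LINE.search(status_header)
    if not m:
        raise ValueError("no hits=/required= in X-Spam-Status")
    return float(m.group(1)), float(m.group(2))


# Constructed excerpt: a subset of the report lines from the message above.
SAMPLE_REPORT = """\
X-Spam-Report: * 4.4 DATE_SPAMWARE_Y2K Date header uses unusual Y2K formatting
  * 0.7 RCVD_NUMERIC_HELO Received: contains a numeric HELO
  * 4.3 PENIS_ENLARGE BODY: Information on getting larger penis/breasts
  * 1.7 WEIRD_PORT URI: Uses non-standard port number for HTTP
  * 100 USER_IN_BLACKLIST From: address is in the user's black-list
  * 4.3 RCVD_IN_OPM RBL: Received via a relay in opm.blitzed.org
  * [202.109.117.203 listed in opm.blitzed.org]
  * 3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
  * [Blocked - see <http://spamcop.net/bl.shtml?202.109.117.203>]
  * 4.3 FORGED_MUA_THEBAT Mail pretending to be from The Bat! (mid)
"""
SAMPLE_STATUS = "X-Spam-Status: Yes, hits=163.0 required=7.5 tests=... autolearn=no version=2.60-cvs"

if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    score, required = parse_status(SAMPLE_STATUS)
    print(f"excerpt total: {total_score(hits)}")
    print(f"excerpt total without blacklist: {total_score(hits, exclude={'USER_IN_BLACKLIST'})}")
    print(f"header says hits={score} required={required}")
    print(f"RBL listings: {rbl_listings(hits)}")
```

Running the same parser over the full report above sums the 44 displayed scores to 162.9, against hits=163.0 in X-Spam-Status and 163.01 in the Subject; the gap is consistent with each rule's score being rounded to one decimal in the report, so a checker should compare the recomputed total to the header with a small tolerance rather than for exact equality.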

As a geek and a vehement spam-hater, I can certainly understand what the Wired article is talking about. There’s some odd appeal to spam scoring, some twisted sense of achievement from capturing such a remarkable specimen from the wild. And assigning a score immediately lends itself to competition. Breaking a message down into neatly labeled elements of spam and valuating them based on their spammy indicativeness just opens up a whole new view of how much evil planning goes into invading my privacy. Look how many RBLs this guy is listed in. Look how unabashed he is, shamelessly concocting such a spammy spam apparently with no serious effort to appear like legitimate email. Truly, the stupidity is something to be marveled at.

The above sample, though high-scoring, certainly isn’t the most dastardly spam poor Monty has been suckerpunched with. Last week he captured a really nasty one with big sharp pointy teeth. While it only scored 23.42 points, it employed every dirty spammer trick in the book. A made-up name and a forged From: address go without saying. But deeper than that, the message itself was base64-encoded, so viewing the source only shows a bunch of “PGh0bWw+PGhlYWQ+PHRpdGxlP” nonsense. Running the message body through the base64 decoder reveals that it was further encoded as “quoted-printable,” breaking up the HTML with a bunch of annoying “3D=” tags in a further effort to obfuscate the real message and confuse automated filters.

Then, digging into the HTML itself, I saw that the entire message consisted of a single image sourced from a web server, so the actual message content couldn’t be analyzed, and the URL of that image source contained the name “monty@,” meaning that the spammer can see the access logs of the server hosting the image file and know which recipients opened his spams, thus validating the victim’s address as a target for more spam. The image was also a link to the spamvertised website, and the link passed Monty’s email address as a parameter for target validation and order tracking.

And on top of all that, the bottom of the message had this small slice of seemingly normal text (quoted from Hitchhiker’s Guide to the Galaxy), an effort to fool Bayesian filters: “‘This must be Thursday,’ said Arthur to himself, sinking low over his beer, ‘I never could get the hang of Thursdays.’” That is probably the spammiest single spam I have ever received. All of that just to hawk some shady debt consolidation scheme I never asked for and have no interest in. I can only shake my head in awe and disbelief.
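To make the layered encoding concrete, here is an added example; it is not from the original post, and it is not the actual message, which the post does not reproduce. It builds a constructed stand-in whose HTML body is quoted-printable encoded and then base64 encoded, with a remote image and a link that both carry the recipient's address, plus a line of ordinary prose at the bottom. The host spamvertised.example, the sender, and the paths are hypothetical. The decoding side peels both layers with Python's standard email, base64 and quopri modules and reports which URLs carry the address, which is the check a mail filter or an analyst would apply to spot this kind of recipient tracking.

```python
import base64
import email
import quopri
import re
from urllib.parse import quote


def build_sample_message(recipient: str) -> str:
    """Constructed stand-in for the double-encoded, image-only spam
    described above (hypothetical host, sender and paths)."""
    html = (
        "<html><head><title>Untitled Document</title></head><body>\n"
        f'<a href="http://spamvertised.example/go?u={recipient}">'
        f'<img src="http://spamvertised.example/img/{recipient}/banner.gif" border="0"></a>\n'
        "<p>'This must be Thursday,' said Arthur to himself, sinking low over his beer, "
        "'I never could get the hang of Thursdays.'</p>\n"
        "</body></html>\n"
    )
    # Inner layer: quoted-printable turns every "=" into "=3D" and folds long lines.
    qp = quopri.encodestring(html.encode("iso-8859-1"))
    # Outer layer: base64, so the raw source shows only "PGh0bWw+..." style text.
    b64 = base64.encodebytes(qp).decode("ascii")
    return (
        'From: "Some Body" <forged@example.invalid>\n'
        f"To: <{recipient}>\n"
        "Subject: consolidate your debt today\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/html; charset=iso-8859-1\n"
        "Content-Transfer-Encoding: base64\n"
        "\n" + b64
    )


def decode_nested_body(raw_message: str) -> str:
    """Peel the base64 layer the MIME header declares, then the undeclared
    quoted-printable layer underneath it, and return the HTML as text."""
    msg = email.message_from_string(raw_message)
    body = msg.get_payload(decode=True)  # honours Content-Transfer-Encoding
    # The inner layer is not declared anywhere, so detect it by its fingerprints:
    # "=3D" escapes or "=" soft line breaks.
    if b"=3D" in body or re.search(rb"=\r?\n", body):
        body = quopri.decodestring(body)
    return body.decode(msg.get_content_charset() or "iso-8859-1")


IMG_SRC = re.compile(r'<img\b[^>]*\bsrc="([^"]+)"', re.I)
A_HREF = re.compile(r'<a\b[^>]*\bhref="([^"]+)"', re.I)
TAG = re.compile(r"<[^>]+>")


def find_address_leaks(html: str, recipient: str) -> dict:
    """Report remote image and link URLs that carry the recipient's address
    (plain or %-encoded), plus the little visible text that remains."""
    needles = {recipient.lower(), quote(recipient, safe="").lower()}

    def carries_address(url: str) -> bool:
        return any(n in url.lower() for n in needles)

    images = IMG_SRC.findall(html)
    return {
        "remote_images": images,
        "tracking_images": [u for u in images if carries_address(u)],
        "tracking_links": [u for u in A_HREF.findall(html) if carries_address(u)],
        "visible_text": " ".join(TAG.sub(" ", html).split()),
    }


if __name__ == "__main__":
    sample = build_sample_message("monty@facehugger.com")
    findings = find_address_leaks(decode_nested_body(sample), "monty@facehugger.com")
    for key, value in findings.items():
        print(f"{key}: {value}")
```

The detection rests on two signals a filter can act on without fetching anything: a body whose declared transfer encoding hides a second, undeclared one, and remote resources whose URLs embed the recipient's own address. Not loading remote images by default defeats the access-log trick regardless of how the body was wrapped.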
