The Spammier, The Better
This article from Wired exposes the amusing phenomenon of geeks comparing spam scores. SpamAssassin is one of the more popular spam filters which scans the content of emails and tallys a score based on the detected spamminess of each message. Major red flags such as the phrase “penis enlargement” or the word “offer” in a url earn high points and mail clients and servers can be configured to discard messages with especially high total spam scores. Given the tendency for geeks to relish accomplishments that don’t interest normal people at all, it was only natural that people would start comparing their spammiest spams.
Focal Curve’s mail server runs SpamAssassin but luckily my inbox is relatively spam-free (knock on wood.) And actually just a day or two before I came across this article I purged my junk mail folder. However, I do own a honeypot address, monty@facehugger.com. Go ahead and harvest it, spambots, see if I care. Facehugger.com is one of several domains offered for free webmail by Dark Horse comics. It’s especially good for spam sampling because it has very robust user-controlled filters, it’s easy to view the original source of messages including full headers, and they recently installed SpamAssassin.
Monty gets about 5 spams per day, most of which apparently come from the same two or three spammers since they always follow a similar pattern, not even considering the frequent multiple identical spams hawking the same site/product from different forged addresses and routed through different overseas relays. Most of those spams score in the 40s and 50s on SpamAssassin, and that’s subtracting the 100 points automatically assigned to spams from blacklisted senders.
A spam score higher than 20 is pretty remarkable, and most of the spam I get at my “real” email address scores only around 8-10. So why does Monty get so much spam in the 40-60 range? How stupid and clueless is this persistent and undaunted spammer? Clearly, very. Here is the source of the highest-scored spam currently in storage. It was sent to multiple recipients in the facehugger domain, indicating a likely dictionary attack, but in case some of those other addresses belong to real people I’ve deleted the usernames, no reason for them to get reharvested here.
Return-Path: <7ikzo3r4@yeah.net>X-Real-To: monty@facehugger.comReceived: by gator.darkhorse.com (CommuniGate Pro PIPE 4.1)with PIPE id 15267111; Sat, 02 Aug 2003 12:35:35 -0700Received: from [202.109.117.203] (HELO 209.95.33.142)by gator.darkhorse.com (CommuniGate Pro SMTP 4.1)with SMTP id 15267088; Sat, 02 Aug 2003 12:35:26 -0700Received: from is.clbxq.com [254.100.55.57] by 209.95.33.142with ESMTP id F8EB44DA3AA; Sun, 03 Aug 2003 08:33:35 -0300Message-ID: <8khs3s7$-q78411$-$$j6s5$yz7l@1fr67d>From: "Jay Riley" <7ikzo3r4@yeah.net>To: <___ @facehugger.com>, <monty @facehugger.com>,<___ @facehugger.com>, <___ @facehugger.com>, <___ @facehugger.com>,<___ @facehugger.com>, <___ @facehugger.com>, <___ @facehugger.com>Subject: **SPAM Score: 163.01** How to Make your Penis bigger and harder v onplpsbs pjbfcdsDate: Sun, 03 Aug 03 08:33:35 GMTX-Mailer: The Bat! (v1.52f) BusinessMIME-Version: 1.0Content-Type: multipart/alternative;boundary="119.D__A47DB4__"X-Priority: 3X-MSMail-Priority: NormalX-Spam-Flag: YESX-Spam-Checker-Version: SpamAssassin 2.60-cvs (1.195-2003-06-30-exp) ongator.darkhorse.comX-Spam-Report: * 4.4 DATE_SPAMWARE_Y2K Date header uses unusual Y2K formatting* 0.7 RCVD_NUMERIC_HELO Received: contains a numeric HELO* 1.0 FROM_HAS_MIXED_NUMS From: contains numbers mixed in with letters* 4.3 IMPOTENCE BODY: Impotence cure* 2.0 AS_SEEN_ON BODY: As seen on national TV!* 4.3 PENIS_ENLARGE BODY: Information on getting larger penis/breasts* 3.3 PENIS_ENLARGE2 BODY: Information on getting larger penis/breasts* 0.1 EXCUSE_3 BODY: Claims you can be removed from the list* 0.0 REMOVE_FROM_LIST BODY: To be removed from list* 0.6 CLICK_BELOW_CAPS BODY: Asks you to click below (in capital letters)* 0.1 HTML_FONTCOLOR_RED BODY: HTML font color is red* 0.3 LINES_OF_YELLING_2 BODY: 2 WHOLE LINES OF YELLING DETECTED* 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue* 0.2 HTML_50_60 BODY: Message is 50% to 60% HTML* 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts* 0.0 HTML_MESSAGE BODY: HTML included in message* 0.2 HTML_LINK_CLICK_CAPS BODY: HTML link text says "CLICK"* 0.1 HTML_FONT_BIG BODY: HTML has a big font* 0.0 LINES_OF_YELLING BODY: A WHOLE LINE OF YELLING DETECTED* 0.1 HTML_LINK_CLICK_HERE BODY: HTML link text says "click here"* 0.4 HTML_TITLE_UNTITLED BODY: HTML title contains "Untitled"* 1.7 WEIRD_PORT URI: Uses non-standard port number for HTTP* 0.0 FORGED_RCVD_HELO Received: contains a forged HELO* 100 USER_IN_BLACKLIST From: address is in the user's black-list* 2.8 SORTED_RECIPS Recipient list is sorted by address* 4.3 RCVD_IN_OPM RBL: Received via a relay in opm.blitzed.org* [202.109.117.203 listed in opm.blitzed.org]* 0.5 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org* [202.109.117.203 listed in dnsbl.njabl.org]* 1.6 RCVD_IN_RFCI RBL: Sent via a relay in ipwhois.rfc-ignorant.org* [Inaccurate or missing WHOIS data]* 1.1 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org* [<http ://dsbl.org/listing?ip=202.109.117.203>]* 1.4 DNS_FROM_RFCI_DSN RBL: From: sender listed in dsn.rfc-ignorant.org* 1.1 RCVD_IN_SORBS_HTTP RBL: SORBS: sender is open HTTP proxy server* [202.109.117.203 listed in dnsbl.sorbs.net]* 1.1 RCVD_IN_OSIRU_PROXY RBL: OSIRU: sender is open proxy server* [202.109.117.203 listed in relays.osirusoft.com]* 1.0 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS* [202.109.117.203 listed in dnsbl.sorbs.net]* 4.3 RCVD_IN_OPM_HTTP RBL: OPM: sender is open HTTP CONNECT proxy* [202.109.117.203 listed in opm.blitzed.org]* 1.1 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy* [202.109.117.203 listed in dnsbl.njabl.org]* 3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net* [Blocked - see <http ://spamcop.net/bl.shtml?202.109.117.203>]* 2.0 RCVD_IN_OSIRU RBL: OSIRU: Sent via relay in relays.osirusoft.com* [202.109.117.203 listed in relays.osirusoft.com]* 4.3 FORGED_MUA_THEBAT Mail pretending to be from The Bat! (mid)* 1.7 FORGED_THEBAT_HTML The Bat! can't send HTML message only* 1.4 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE* 4.3 FORGED_MUA_THEBAT_BOUN Mail pretending to be from The Bat! (boundary)* 0.0 UPPERCASE_25_50 message body is 25-50% uppercase* 1.8 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts* 0.1 MISSING_OUTLOOK_NAME Message looks like Outlook, but isn'tX-Spam-Status: Yes, hits=163.0 required=7.5 tests=AS_SEEN_ON,CLICK_BELOW_CAPS,DATE_SPAMWARE_Y2K,DNS_FROM_RFCI_DSN,EXCUSE_3,FORGED_MUA_THEBAT,FORGED_MUA_THEBAT_BOUN,FORGED_RCVD_HELO,FORGED_THEBAT_HTML,FROM_HAS_MIXED_NUMS,HTML_50_60,HTML_FONTCOLOR_BLUE,HTML_FONTCOLOR_RED,HTML_FONT_BIG,HTML_LINK_CLICK_CAPS,HTML_LINK_CLICK_HERE,HTML_MESSAGE,HTML_TITLE_UNTITLED,IMPOTENCE,LINES_OF_YELLING,LINES_OF_YELLING_2,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,PENIS_ENLARGE,PENIS_ENLARGE2,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_NJABL,RCVD_IN_NJABL_PROXY,RCVD_IN_OPM,RCVD_IN_OPM_HTTP,RCVD_IN_OSIRU,RCVD_IN_OSIRU_PROXY,RCVD_IN_RFCI,RCVD_IN_SORBS,RCVD_IN_SORBS_HTTP,RCVD_NUMERIC_HELO,REMOVE_FROM_LIST,SORTED_RECIPS,UPPERCASE_25_50,USER_IN_BLACKLIST,WEIRD_PORT autolearn=no version=2.60-cvsX-Spam-Level: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxX-TFF-CGPSA-Filter: ScannedX-TFF-CGPSA-Version: 1.1b4 (gator.darkhorse.com)This is a multi-part message in MIME format.--119.D__A47DB4__Content-Type: text/html;Content-Transfer-Encoding: quoted-printable< !DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><!-- TemplateBeginEditable name=3D"doctitle" --><title>Untitled Document</title><!-- TemplateEndEditable --><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859=-1"><!-- TemplateBeginEditable name=3D"head" --><!-- TemplateEndEditable --></></></meta></></></head><body><table width=3D"59%" height=3D"231" border=3D"1"><tr><td bgcolor=3D"#66FFCC"><div align=3D"center"><p><font color=3D"#0000FF" size=3D"5"><strong>ENLARGEYOUR PENIS AND STOP PREMATURE EJACULATION</strong></font></p><p>Take advantage of our free bottle offer, as seen on T.V.</p><p>Natural Gains Plus is the worlds most effective Male Enlargemen=t Pill with over 100,000 customers worldwide. Our breakthrough pill is =Doctor recommended and professionally formulated.</p><p><a href=3D"http://www.cost-stock.com:26000/enlarge2"><font colo=r=3D"#FF0000"><strong>CLICK HERE FORMORE INFO</strong></font></a></p><p><strong><font color=3D"#000000">INCREASE YOUR PENIS SIZE 2 TO 5=INCHES!</font></strong></p><p><a href=3D"http://www.cost-stock.com:26000/enlarge2"><font colo=r=3D"#FF0000" size=3D"5"><strong>CLICK HERE FOR MORE INFO</strong></font></a></p><p> </p><p><a href=3D"http://www.cost-stock.com:26000/enlarge2/o.html">Cli=ck to be removed from our list</a></p></div></td>></tr></table></body>e></html>
As a geek and a vehement spam-hater, I can certainly understand what the Wired article is talking about. There’s some odd appeal to spam scoring, some twisted sense of achievement from capturing such a remarkable specimen from the wild. And assigning a score immediately lends itself to competition. Breaking a message down into neatly labeled elements of spam and valuating them based on their spammy indicativeness just opens up a whole new view of how much evil planning goes into invading my privacy. Look how many RBLs this guy is listed in. Look how unabashed he is, shamelessly concocting such a spammy spam apparently with no serious effort to appear like legitimate email. Truly, the stupidity is something to be marveled at.
The above sample, though high scoring, certainly isn’t the most dastardly spam poor Monty has been suckerpunched with. Last week he captured a really nasty one with big sharp pointy teeth. While it only scored 23.42 points, it employed every dirty spammer trick in the book. A madeup name and forged From: address goes without saying. But deeper than that, the message itself was base64 encoded so viewing the source only shows a bunch of “PGh0bWw+PGhlYWQ+PHRpdGxlP” nonsense. Running the message body through the base64 decoder reveals that it was further encoded as “quoted printable,” breaking up the HTML with a bunch of annoying “3D=” tags in a further effort to obfuscate the real message and confuse automated filters.
Then digging into the HTML itself I saw that the entire message consisted of a single image sourced from a web server so the actual message content couldn’t be analyzed, and in the url of that image source was the name “monty@,” meaning that the spammer can see the access logs of the server hosting the image file and know which recipients opened his spams, thus validating the victim’s address as a target for more spam. The image was also a link to the spamvertised website and the link passed Monty’s email address as a parameter for target validation and order tracking.
And on top of all that, the bottom of the message had this small slice of seemingly normal text (quoted from Hitchhiker’s Guide to the Galaxy), an effort to fool Bayesian filters. “‘This must be Thursday,’ said Arthur to himself, sinking low over his beer, ‘I never could get the hang of Thursdays.'” That is probably the spammiest single spam I have ever received. All of that just to hawk some shady debt consolidation scheme I never asked for and have no interest in. I can only shake my head in awe and disbelief.