A Dispatch

February 08, 2005

Step Away From the Mouse Button...

Since a lot of spammers already break the laws of one country or another, it's not surprising to see them breaking the laws of HTML to launch a trick on unsuspecting users. Okay, HTML doesn't have "laws" per se, but the published international standards (officially, they're called "recommendations") are intended to encourage a level of consistency and reliability across the Web.

Well, we can dream.

Back to spammers: they've been using HTML in their messages ever since the audience achieved enough critical mass to make it worth the bother. As spam filtering improved, the filters got better at recognizing spammers' HTML tricks, such as embedding white (or near-white) text on a white background. Some spammers "progressed" to including only an image (whose contents bore all the spamvertising text) surrounded by a clickable link. But then the filters got suspicious of that combination. And on and on.

I've recently seen a couple of messages that ignore an HTML requirement for embedded images, and the effect is a potential hazard to recipients. The trick is to define an image element that has no image source address defined for it. With the help of just a little additional source code, this source-less image creates a transparent layer atop the entire message body. The "image" is made clickable, with the destination being the spamvertised Web site or, as indicated in some recent posts, someplace extremely dangerous.

The bottom line with this trick is that if you even accidentally click anywhere in the message body, you'll be off to...we're not talking Neverland here. The spammer is taking advantage of HTML rendering engines in email clients that try to do their best even with invalid HTML coding.
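A mail filter can treat that invalid markup as a signal in its own right. The following is an added example, not code from the original post: it scans a message's HTML part for `<img>` elements that sit inside a link but have a missing or empty `src`. The class name, function name, and sample message are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

class SourcelessLinkedImageFinder(HTMLParser):
    """Flag <img> elements that are wrapped in a link but carry no usable src."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._open_links = []  # href of each <a> currently open (None if absent)
        self.findings = []     # (link target, line number within the HTML part)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # the parser lowercases tag and attribute names
        if tag == "a":
            self._open_links.append(attrs.get("href"))
        elif tag == "img":
            src = (attrs.get("src") or "").strip()  # absent, valueless or blank
            href = next((h for h in reversed(self._open_links) if h), None)
            if href and not src:
                self.findings.append((href, self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "a" and self._open_links:
            self._open_links.pop()

def scan_message(raw_message):
    """Return findings for the HTML body of an RFC 5322 message string."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []  # plain-text only: nothing to inspect
    finder = SourcelessLinkedImageFinder()
    finder.feed(part.get_content())
    finder.close()
    return finder.findings

# Constructed sample message (not taken from real spam); hosts are placeholders.
SAMPLE = """From: sender@example.invalid
To: rcpt@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://legit.example/"><img src="http://legit.example/logo.png"></a>
<a href="http://spamvertised.example/"><img border="0"></a>
<a href="http://spamvertised.example/offer"><IMG SRC="  "></a>
<img alt="not linked, so not flagged">
</body></html>
"""

if __name__ == "__main__":
    for href, line in scan_message(SAMPLE):
        print(f"line {line}: linked <img> without src -> {href}")
```

The check keys only on the missing source address, so it fires regardless of how the image is sized or positioned; a filter would typically feed the result into its score rather than reject on it alone.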

Unlike Webmasters who try to build legitimate traffic to their Web sites by creating valid pages, something tells me that the spammers don't care that the HTML Standards Police are out to get them.

Posted on February 08, 2005 at 02:46 PM