August 20, 2011
Back to Spam
It seems the, um, bulk of my postings lately have been about malware delivery. But regular ol' spamming is still going on. I saw a mortgage lead spam today, pretty rare these days compared to the go-go days before the mortgage and housing markets collapsed. You'd think by now even newbie spammers would have half a brain, but this guy didn't. He revealed 400 email addresses in the To: field rather than using BCC. Doof.
Another spammer has started to get under my skin. His subject matter changes regularly, but his underlying technique doesn't. In one example I saw today, the come-on was an offer for two free tickets on Southwest Airlines (a brand name that has been abused by scammers for years). The domain used in this example was minted this month, and the whois data is hidden behind a privacy service.
This effort is mounted by an email marketing service rather than a crumb-bum wannabe spammer. The sending email server is part of a server farm within an IP block. I deduce this by noting that the server's verified subdomain is named suho153, and the IP address for that server ends in 153. This is not a coincidence, but a practice I've seen for years.
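As an added example (not code from the original post), here is a check for the naming pattern just described: pull the claimed hostname and the connecting IP out of a Received: header and test whether the hostname's trailing digits equal the address's last octet. The header, hostname, domain and IP below are constructed for illustration; the real headers are not reproduced on the page.

```python
import re
from ipaddress import ip_address

# Constructed sample Received: header in the shape the post describes.
# Hostname, domain and address are made up (documentation ranges), not the spammer's.
SAMPLE_RECEIVED = (
    "Received: from suho153.example-mailer.invalid (suho153.example-mailer.invalid "
    "[203.0.113.153]) by mx.example.invalid with ESMTP id ABC123; "
    "Sat, 20 Aug 2011 14:02:11 -0700"
)

# "from HELO (rdns [ip])" -- rdns is optional, as it is in real headers
_RECV_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)"
)


def parse_received(header: str):
    """Return {'helo', 'rdns', 'ip'} from one Received: line, or None."""
    m = _RECV_RE.search(header)
    if not m:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns") or "", "ip": m.group("ip")}


def host_suffix_matches_last_octet(hostname: str, ip: str) -> bool:
    """True when the leftmost label's trailing digits equal the IPv4 last octet."""
    label = hostname.split(".")[0]
    m = re.search(r"(\d+)$", label)
    if not m:
        return False
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    if addr.version != 4:          # the numbering trick only makes sense for IPv4
        return False
    return int(m.group(1)) == int(str(addr).split(".")[-1])


def farm_indicator(header: str):
    """None if the header can't be parsed, else whether the farm naming pattern holds.

    Prefers the reverse-DNS name (what the receiving MTA verified) over the HELO
    name, which the sender can claim freely.
    """
    parsed = parse_received(header)
    if parsed is None:
        return None
    return host_suffix_matches_last_octet(parsed["rdns"] or parsed["helo"], parsed["ip"])


if __name__ == "__main__":
    print(parse_received(SAMPLE_RECEIVED), farm_indicator(SAMPLE_RECEIVED))
```

A match is only an indicator, not proof: plenty of legitimate hosting providers number their machines the same way, so treat it as one more clue that the sender is a bulk-mail operation rather than a single compromised box.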
Another clue about the "professionalism" of the marketer is that the messages attempt to be CAN-SPAM compliant, complete with an unsubscribe link and a mailing address. As you might expect, the mailing address is a UPS Store in Scottsdale, Arizona:
3370 N Hayden Rd
Scottsdale, AZ 85251
The UPS Store's suite number in the shopping center is 123. That must mean that our spammer's box number (if it's really owned by the spammer) is #409 at that UPS Store. Noticeably absent from the unsubscribe information is a company name for the sender. He's careful to avoid deceit in the message header by assigning the generic name "Airline Ticket Specials" as the display name (the plain-language sender name that shows up in your From column), rather than referring to Southwest Airlines directly. That might keep the Southwest lawyers from embarking on a spammer-hunting mission.
Two things really piss me off about his spam messages, however.
First, every link in the message includes a long hexadecimal identifier in the URL. The number is likely tied to the recipient's email address in the sender's database. A click on any of those links will verify that the address is good and actively used. Even if you're just curious about the two free airline tickets, your click will destroy your email address for good. If you attempt to navigate manually to just the domain, all you get is an empty page.
Second, although the visible email content is short and to the point, it is dwarfed by a huge amount of hash-busting content copied en masse from Amazon review pages for various types of products. How dwarfed? The entire message (including headers) contains 64,708 characters; the hash-busting text consists of 62,648 characters. To prevent the hash-busting text from being rendered, it is encased in a phony <style> stylesheet tag at the end of the message. There is not one lick of CSS code inside the tag.
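An added example, not from the original post, that serves both complaints above: a scanner that pulls every link out of an HTML message and flags per-recipient hex tokens, then measures how much of the message sits inside <style> tags that contain no actual CSS. The two sample messages, the domain, the token and the review-style filler are constructed for illustration; the parser is the standard library's html.parser, and the 16-hex-digit threshold for "long identifier" is my assumption.

```python
import re
from html.parser import HTMLParser

# Constructed sample in the shape the post describes: a short visible pitch,
# the same hex token in every link, and a <style> block at the end stuffed
# with review-style filler instead of CSS. Nothing here is the real spam.
SAMPLE_SPAM = """<html><body>
<p>Two free airline tickets! <a href="http://promo.example.invalid/go?id=9f3c2a7b1e4d5c6a8b0f1122aabbccdd">Claim now</a></p>
<p><a href="http://promo.example.invalid/u?id=9f3c2a7b1e4d5c6a8b0f1122aabbccdd">unsubscribe</a> | PO Box #000, Somewhere, AZ 00000</p>
<style>
I bought this blender for my wife and she loves it. Works great on frozen fruit.
The cordless drill arrived two days early and the battery lasts all afternoon.
Five stars, would buy again, great value for the money, highly recommended.
</style>
</body></html>"""

# Constructed legitimate message for contrast: no tracking token, real CSS.
SAMPLE_LEGIT = """<html><head><style>p { font-family: sans-serif; }</style></head>
<body><p>Your statement is ready at <a href="https://bank.example.invalid/login">our site</a>.</p></body></html>"""

HEX_TOKEN_RE = re.compile(r"[0-9a-fA-F]{16,}")   # assumed threshold for a "long" identifier
CSS_RULE_RE = re.compile(r"[^{}]+\{[^{}]*\}")     # anything shaped like  selector { ... }


class MessageScanner(HTMLParser):
    """Collects hrefs, visible text and raw <style> contents from one message."""

    def __init__(self):
        super().__init__()
        self.links, self.style_text, self.visible_text = [], [], []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands <style> contents over as raw data, so filler text
        # hidden there is never interpreted as markup.
        (self.style_text if self._in_style else self.visible_text).append(data)


def scan_message(html: str) -> dict:
    """Offline analysis only: nothing here fetches a URL, so no address gets confirmed."""
    p = MessageScanner()
    p.feed(html)
    p.close()
    style = "".join(p.style_text)
    visible = "".join(p.visible_text).strip()
    tokens = {t for link in p.links for t in HEX_TOKEN_RE.findall(link)}
    return {
        "links": p.links,
        "tracking_tokens": sorted(tokens),
        "all_links_tracked": bool(p.links) and all(HEX_TOKEN_RE.search(l) for l in p.links),
        "style_chars": len(style),
        "visible_chars": len(visible),
        "style_has_css": bool(CSS_RULE_RE.search(style)),
        "hidden_ratio": len(style) / max(1, len(style) + len(visible)),
    }


def looks_hash_busted(report: dict) -> bool:
    """Hidden <style> text that is not CSS and outweighs the visible body."""
    return report["style_chars"] > report["visible_chars"] and not report["style_has_css"]


if __name__ == "__main__":
    for name, body in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        r = scan_message(body)
        print(name, "tokens:", r["tracking_tokens"],
              "hidden_ratio: %.2f" % r["hidden_ratio"], "hash-busted:", looks_hash_busted(r))
```

The same token appearing in every link, unsubscribe included, is the tell that the identifier keys the recipient rather than the campaign; the <style> ratio reproduces the 62,648-of-64,708 arithmetic from the post for any message you feed it.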
Now, the only reason a sender would include hash-busting techniques in message content is to get past spam filters; and the main reason such messages would normally be filtered is because the recipients consider such messages to be unwanted. I'd wager a burger and a beer that the sender of these messages promotes his own email marketing services as directing messages to genuinely opt-in recipients.
Bullshit.
Posted on August 20, 2011 at 05:15 PM