A Dispatch


January 04, 2012

Shame, Shame, Shame

There is a spammer out there who squeaks past the U.S. CAN-SPAM law by the thinnest of margins, yet he practices a technique that should have been outlawed: he floods the body of the message with hidden text intended to trick spam filters, a technique often called hash-busting.

He's doing this to advertise all kinds of products and services, including some very well-known brand names, such as Pimsleur language training. It's impossible to know if the spammer is an actual affiliate, or is using another route to generate leads for Pimsleur. Links in the messages do not go to Pimsleur (or whatever company is being promoted), but rather to domains whose registrations were minted fairly recently and are privacy-protected. The opt-out links go to the same domains as the offer links.

The particular hash-busting technique that this guy has been using for quite a while is to load the hidden text at or near the end of the visible HTML, buried within a <style> tag. If you're not into HTML, let it be known that a browser does not render the content of <style> tags because they're supposed to contain layout instructions, such as fonts, colors, margins, and so on.

To give you an idea of the magnitude of the hash-busting text, I studied the content of a recent Pimsleur spam message. The entire message (including headers) was 12,397 characters long; the hash-busting text represented 10,650 characters of that. Eighty-six percent of the message's bytes were dedicated to bypassing recipients' spam filters.

In that particular message, the hash-busting text was predominantly scraped from a macrumors.com forum web page from 2008. Here's a brief excerpt:

<style type="text/css"> Apple News

Front Page
Mac Blog
iOS Blog
Buyer's Guide
Forums

Register FAQ / Rules Community Forum Spy Today's Posts Search
Go Back MacRumors Forums > Apple Hardware > Notebooks > MacBook Pro
Reload this Page Advice Appreciated: MacBook Pro Logic Board Replace?

User Name Remember Me?
Password

Reply

Thread Tools Search this Thread Display Modes
Old Aug 12, 2008, 11:04 PM #1
intercept789
macrumors newbie

Join Date: Aug 2008

Advice Appreciated: MacBook Pro Logic Board Replace?
Hi everyone. I don't have Apple Care. I am out of warranty.

My computer recently, today, got a problem where the monitor no longer works, and an external monitor doesn't work. Thought it was maybe this can't get out of sleep problem, but it's not. A shut down and restart, battery removal, connect a another monitor does not do anything. It seems to work fine otherwise. Took it in and they said the entire logic board had to be replaced, and would be $1,300. owwww.

Is this reasonable? Anyone have a cheaper way to go about this? This is a 2.4 MacBook Pro. Another option, I would hate to do without my computer for a length of time, but $1,300 is money I really don't have now. I see in the Buyer's Guide another incarnation of the MacBook Pro is coming. Does that mean the price of my logic board would drop soon?

Thanks in advance!
intercept789 is offline 0 Reply With Quote
...
</style>

Another spammer out there has been pushing a skin care line using a slightly different form of hash-busting overload. His technique combines syntactically correct style sheet rules (although they reference HTML elements that don't exist in the message) with multiple series of slash-delimited dictionary words and wide-spaced single words, all within the same <style> tag, like the following:

nnggttff/pfizer/collapses/tradition/scratched/reminiscent/salvaging/inexplicably/shannon/hr/shins/Subsidiaries/redefinition/se/possessed/undershirt/legislation/nelson/lie/round/canaan/enrolled/misfit/reimagined/DETECT/murmured/

returns

pilipinas

exporters

until

dvh

bars

duncans

radars

endangers

braverman

chameides

straw

job

pastured

pascal

xcsk

tam

cns

A typical message arrives with a total of 18,313 characters, 16,734 (91%) of which are dedicated to hash-busting.
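
The following Python check is an added example, not code from the original post. It measures how much of an HTML body sits inside <style> elements and how much of that text is not CSS at all, the pattern both messages above share; the function and class names, the 0.5 threshold and the two sample bodies are constructed assumptions.

```python
import re
from html.parser import HTMLParser

class StyleCollector(HTMLParser):
    """Gathers the raw text found inside <style> elements."""
    def __init__(self):
        super().__init__()
        self.in_style = False
        self.chunks = []
    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
    def handle_data(self, data):
        if self.in_style:
            self.chunks.append(data)

COMMENT = re.compile(r"/\*.*?\*/", re.S)
# One CSS rule: a selector on a single line, then a brace-delimited block.
RULE = re.compile(r"[^{}\n]{0,200}\{[^{}]*\}")

def style_padding_report(html_body, threshold=0.5):
    """threshold is an assumed cut-off, not a value from the post."""
    collector = StyleCollector()
    collector.feed(html_body)
    collector.close()
    style_text = "".join(collector.chunks)
    residue, previous = COMMENT.sub("", style_text), None
    while residue != previous:            # repeat to unwrap nested @media blocks
        previous, residue = residue, RULE.sub("", residue)
    non_css = len("".join(residue.split()))   # leftover text, whitespace ignored
    total = len(html_body) or 1
    return {
        "style_ratio": len(style_text) / total,
        "non_css_chars": non_css,
        "padding_ratio": non_css / total,
        "suspicious": non_css / total >= threshold,
    }

# Constructed samples: word-list padding vs. an ordinary small stylesheet.
SPAM = ('<html><body><p>Learn a language fast.</p><style type="text/css">'
        "td.x { color: red }\n" + "returns/exporters/until/bars/radars/\n" * 40
        + "</style></body></html>")
LEGIT = ("<html><head><style>p { margin: 0 }\na { color: #036 }</style></head>"
         "<body>" + "<p>Monthly newsletter text.</p>" * 20 + "</body></html>")

if __name__ == "__main__":
    for name, body in (("spam", SPAM), ("legit", LEGIT)):
        print(name, style_padding_report(body))
```

A large but genuine stylesheet scores a high style_ratio and a padding_ratio near zero, which is why the check strips well-formed rules before counting what is left.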

It's clear from the source code of these messages that the spammer knows the recipients likely don't want to receive these messages, and is working diligently to get past whatever defenses lie in his path. Unfortunately, this activity is protected by the CAN-SPAM law, as long as an opt-out link is provided. But I can tell you that the way the opt-out language is written, it's totally worthless when spammers use thousands of domains for their advertising campaigns. There is nothing preventing a spammer from taking an opt-out email address for one domain and handing it over to be used for any of his other domains. That's why I recommend never opting out of an unsolicited email message — it's merely confirming that the address is alive and ready to receive more crap from other domains from serial spammers.

If the brand-name companies are either hiring these "email marketing" firms directly or letting such firms sign up to be affiliates, they must monitor the senders' activities. Any brand-name product I see being advertised with onerous (as in 80+%) hash-busting content goes on my black list as a consumer. From this morning's email alone, the list added Pimsleur, match.com, and American Home Shield.

Posted on January 04, 2012 at 11:14 AM