“Jake Calderon?” you say as you read the e-mail address, “I wonder who he is. That name doesn’t ring any bells. I wonder what he wants.” The message subject “et y0ur fast and easy t0day!. Thrush” does not fill you with confidence, but still you open the message:
GET YOUR UNIVERSITY DIPLOMA Do you want a prosperous future, increased earning power more money and the respect of all? Call this number: 1-917-591-xxxx (24 hours) There are no required tests, classes, books, or interviews! Get a Bachelors, Masters, MBA, and Doctorate (PhD) diploma! Receive the benefits and admiration that comes with a diploma! No one is turned down! Call Today 1-917-591-xxxx (7 days a week) Confidentiality assured!
You quickly realize that it’s more spam and decide to write back and tell him to remove you from his list. You also decide to warn him that you will take legal action against him under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM).
Dear Mr Calderon, Would you please remove me from any mailing list or subscription that I am on, as I do not wish to get a diploma, I have one already. If you do not do so, I will press legal action against you for breaking the law.
You believe that the message will work and that the spam, which is being sent illegally, will stop. Maybe this hasn’t happened to you but to someone you know.
This actually happened to someone I work with. This person replied to every spam letter they received and informed the spammer that they should stop sending him spam or he would press legal action against the spammer and any company involved in this “blatant abuse of e-mail.”
He became increasingly agitated. Every day he would write additional messages to the spammers, and every day he would become more upset that his requests went unheeded. Because most spam doesn’t have a legitimate reply address, his e-mails probably never even reached the spammers, but he was sure that his e-mails would work.
He also believed that the opt-out links and unsubscribe buttons often found in spam e-mails were viable, and he would submit his e-mail address into every site that offered a way out. By opting out of e-mail lists, he received a lot of spam; every morning it ranged from 50 to 100 messages. At one point, he refused to use his e-mail account and requested I change his e-mail username to something else. Through all of this, there was a very efficient spam filter running.
On my personal account, I receive at least 15 spam e-mails a day after my spam filter catches and drops over 100. I have seen all the tricks, and I understand how the messages are sent, what methods were used, and what e-mail program was used to send them.
This chapter explores the body of spam messages, the different items commonly found on a page, tricks used to collect secret information about you, and the ability to leave, or opt-out of a spam list.
The funny thing about spam is that it never promotes highly essential products. Have you ever noticed that you are never spammed with an offer to buy “something you have always wanted?” It’s typically for a product such as cheap software, drugs, herbal medications, or pornography. You don’t wake up in the morning with an unrelenting desire to buy Viagra or cheap long-distance calling, do you? So why do you receive the e-mail? But perhaps the stranger question is, why do so many people continue to buy products from spam? Nevertheless, no matter what the product is, it always does sell. There are people who continuously spend their money on seemingly frivolous products and services such as diet patches. Knowing this, spammers continue to send spam.
There is a direct link between the design of spam e-mail and its success. If you can find the right picture or slogan that sells your product, you stand to make a very large profit. Knowing how to make the reader want to buy an otherwise useless product is truly an art that only a few spammers have mastered.
Personal guilt and insecurities are often used to sell products via spam, especially when selling male sexual enhancement products.
“A recent survey showed that 71 percent of women are unsatisfied with their sexual partners. Of course, most of these women would never tell their partner that they are unhappy.”
This phrase plays off of common male insecurities, attempting to make the reader feel anxious that their partners are among this 71 percent. They will buy the product, often without asking any questions about the dubious company selling it.
A recipient’s insecurity is used as a weapon against them. This tactic can produce good results, especially with products such as sexual enhancers where the reader’s own embarrassment inhibits their sense of reason, and for those people looking to lose weight with diet pills, eager to purchase a seemingly quick and discreet solution.
Successful spam comes down to one thing: grabbing the reader’s attention and keeping it. When someone opens an e-mail there is a one- to two-second window in which they read it and decide if they are going to delete it or possibly follow any links within it.
Quick impacting facts, intelligent text, and a clearly defined product are required to entice users to buy whatever is being sold. I often see spam that is poorly written with boring black and white text and no pictures or colors, which fails to give me the slightest interest in buying whatever they are selling. There is also the matter of German and Russian spam, which is useless to recipients unable to understand the language. A spammer’s chances of selling something are zero if the recipient cannot read the message.
It’s not hard to write a good spam message as long as you follow a few simple rules. By utilizing pictures and catchy slogans, you can draw the reader’s interest to your product. Comparable to TV advertising, a successful e-mail sales pitch can result in huge profits. It’s all about knowing how to sell a product that no one needs by making them believe that they do need it and can’t live without it.
As can be seen in Figure 5.1, the attractive brunette on the beach, the clear blue sky, the long rolling waves, the empty deck chair, and the ice bucket full of beer are meant to entice people to buy the product and consequently be entered into a competition to win a summer vacation.
Figure 5.1: Yes, Yes, I Wish I Was There
This picture loads quickly, uses bright vibrant colors, and grabs you instantly.
Figure 5.1 is an actual message that bypassed my spam filter, probably because the text was located inside the image, making it impossible for my filters to detect what the body of the message was. This is a common technique used to get around spam filters. The only downside is that you need a host to place the images on—a host willing to serve millions of copies of the image without any delay. (Spam filter evasion is covered in more detail later in this book.)
Another interesting detail is the subject line. “RE: Summer Vacation” helps fool recipients into thinking the e-mail is part of a previous conversation. Spam filters also take the subject into account when judging whether a message is spam.
Figure 5.2 is not a good example of spam. This spammer is trying to sell medications, but is not doing a very good job. Unlike the last spam example, this spammer has no Web server to host pictures on. In an attempt to avoid using obvious spam words such as Valium or Xannax, this spammer has used a slightly more creative approach, altering each known spam word with random characters. For example, Valium has now become V@1ium.
Figure 5.2: Hmm, What Sorry? An Example of Poorly Constructed Spam
This spam also bypassed my spam filter, as Xannax is a known spam word but “X@n`ax” is not. The creative spelling of the text has degraded the readability of the e-mail and now I need to mentally decipher it as I read it. Even the usual “If you would like to unsubscribe” message has been replaced with “G-ive u.p,” and at the foot of the e-mail there are a few lines of random text designed to throw off spam filters even more. This makes the message feel very impersonal and also fails to catch my attention.
Spam is often detected when several mail servers report to a real-time black hole list (RBL) that they are receiving many similar messages. For every message sent to a mail server, a checksum is taken and submitted on delivery to an RBL. If this RBL detects a thousand copies of the same checksum, that message and its checksum are marked as spam, and any further lookup of that checksum returns a spam verdict.
Spammers bypass this method by adding lines of random text and changing the message size, thereby making each message seem unique to the RBL. The amounts of random data vary from a few lines to vast amounts. I have seen spammers use pages and pages of random data, usually appended after the closing </HTML> tag so as to hide its content from the recipient.
Although this message got through my spam filter, I would not recommend this format of message because it fails to have any impact on the reader—it looks childish and immature. I doubt this spammer would have overwhelming success with this campaign.
The format that spam is sent in is very important for its success. The three main options that clients support are plaintext, rich text, and Hypertext Markup Language (HTML) encoding. Each has advantages and disadvantages, but in the end it comes down to the client’s ability to parse and understand different e-mail formats. Whether the recipient uses Hotmail, Outlook, Mozilla Mail, or Hushmail, the spammer needs to be sure that the message is sent in a format that client fully supports. There is no point in sending spam that can’t be read.
You can’t get much simpler than plaintext. It offers a concise method of sending spam in straight American Standard Code for Information Interchange (ASCII) format and does not offer any fancy or smart features like those of HTML. However, plaintext redeems itself by being guaranteed readable by any e-mail client, no matter if the client is running on a UNIX mainframe, a Hotmail account, or a personal Outlook account. The client will always be able to read the spam the way the spammer wants it to be seen.
Spam is often sent using plaintext because it is harder for a spam filter to identify. Because of the barebones nature of plaintext encoding, there are no options to be abused and no tricks to be used; the entire message is plaintext—what you see is what you get. With this barebones approach comes the fact that the message often seems dull to the reader, therefore having little impact on them and usually producing a lower return rate.
Notes from the Underground…
HTML and Plaintext
I once tried spamming a campaign for a fetish pornography site.
First, I sent out 500,000 e-mails in plaintext format. I tried to make the e-mail as alluring as possible. Five hundred thousand e-mails resulted in only three signups. I was utterly disappointed since I had expected many more. I told a fellow spammer about my lack of results. He laughed at me for using plaintext encoding, and said that I should use HTML and include a link to a picture and some flashing text. He guaranteed at least another 20 signups if I used HTML; however, it depended on the quality of my mailing list. I rewrote the message in HTML, using the exact same text as the plaintext version and adding a picture.
I was highly skeptical about the success of this e-mail campaign, since I had previously spammed these addresses and only three people responded. Perhaps my lack of success had nothing to do with the encoding of the message, or maybe these people were just sick of spam. With nothing to lose, I sent the same 500,000 people more spam, this time in HTML. Within 24 hours, I received 14 full signups. Although not the 20 I had expected, 14 was a much better result.
This shows how well good advertising works. The catchy commercials on TV make you want to buy the product; if you saw a plain and boring commercial you probably would not rush out to buy it. Although plaintext formatting is easier and quicker than HTML, it lacks in results. Readers need to see colors, pictures, and flashing buttons; otherwise the message is simply deleted.
Many e-mail clients (including Outlook) will parse plaintext e-mail as HTML content no matter what the original format is.
Looking back at Figure 5.2 you can see that the message arrived and was detected as plaintext. However, if you look at the body of the message you will see that Outlook changed some of the typed Web site locations into blue hyperlinks. This enables the user to click on the link instead of having to type it into a Web browser. Outlook is trying to be smart here, but consequently has helped spammers greatly by allowing the links to be clickable by the user, therefore giving no reason to bother using HTML formatting.
Rich text is a Microsoft invention, which is used only in Microsoft-based networks. Both Outlook and Exchange support rich text encoding, but many other e-mail clients do not. If rich text is not supported by the client, the message will fall back to plaintext and lose all formatting. Rich text offers some formatting features, but generally offers nothing more than what HTML encoding offers.
Since more people support HTML-encoded messages than rich text, this encoding style is rarely used. In fact, I don’t have a single message in my inbox that is encoded using rich text; all messages are either HTML or plaintext encoded.
HTML offers a richer, more flexible alternative to plaintext and rich text formats. The messages can include both font and color markup tags, and even a form the user can use to submit data, making the e-mail brighter and more attractive.
The downside is that if you use any part of HTML incorrectly, spam filters will become very suspicious of your message, possibly marking it as spam (see Figure 5.3).
Figure 5.3: More Pills
The message looks normal enough: easy, cheap medication, 100 percent generic brands. However, if you look at the scroll bars on the page, you will see that the message is actually much longer than what you expect.
There are ten additional pages to this message, mostly composed of random text, words, numbers, and dates. These have been placed there to confuse spam filters into thinking the message is a legitimate correspondence. Outlook did not show these extra pages when the message was loaded because the data was entered after the closing </HTML> tag. When Outlook loads an e-mail message, the size of the viewer window will grow to fit as much body as possible until the closing </HTML> tag. Outlook found the closing tag and resized the window to accommodate only that, which is why the window is not bigger.
By adding seemingly normal data to the HTML page, the message is recognized as having a legitimate body, and any friendly or loose spam filters will probably mark this message as legitimate e-mail. However, if the spam filter is harsher on spam, it will probably mark this message as spam and drop it. It does not make sense to send an HTML-encoded message with the body of the message written outside the HTML tags.
If you look closer at this example, you can see why spam filters have a hard time trying to decide if an HTML e-mail is spam or not. The following text is from Figure 5.3. You can see that in the middle of every word there is a 1-pixel character. This character is not visible to the naked eye, but it makes the words seem completely different to the spam filter, avoiding the use of any known spam words such as Cialis or Valium. This message uses Cia-lis and Val-ium.
<b>Cia<font style="FONT-SIZE: 1px">-</font> lis - Val<font style="FONT-SIZE: 1px">-</font> ium - Xa<font style="FONT-SIZE: 1px">}</font> nax - Vi<font style="FONT-SIZE: 1px">^</font> agra - Am<font style="FONT-SIZE: 1px">(</font> bien - Phent<font style="FONT-SIZE: 1px">|</font> ermine</b></font></td>
Just like using X@`ax in the plaintext e-mail, these words have hidden its contents from the spam filter, increasing its chance of being delivered to the user successfully.
By using HTML encoding, the spammer is able to define the hidden characters as 1 pixel high, which makes each character too small for the reader to see. Spam filters do not render the HTML and then read it the way we do; they look purely at the content. This method works well at evading most spam filters, and is only made possible by HTML.
Another highlight of using HTML for message formatting is using HTML refresh tags. If a message is opened in a Web-based mail client, after two seconds of looking at it the browser page is refreshed to the “order now” Web site:
<META HTTP-EQUIV="refresh" content="2;URL=http://www.spammerxs-pills.com">
This means that when a user opens the message, they have only two seconds until they are suddenly sent to the Web site where they can buy the product. This is a very “in your face” method; you do not even need the user to click on any link or button. This can draw many people to a product or service, which increases the chances of a sale.
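The 1-pixel-font trick, the META refresh, and the padding after the closing tag are all things a filter can check for once it looks at the message the way a reader would. The following is an added example, not code from the book: it extracts only the text a human would see (so Cia-lis becomes Cialis again), records any META refresh target, and counts the words hidden after </html>. The sample message is constructed for the example and uses placeholder domains.

```python
import re
from html.parser import HTMLParser

# Words the filter is looking for; the hidden characters are meant to split these.
SPAM_WORDS = {"cialis", "valium", "xanax", "viagra", "ambien", "phentermine"}
VOID_TAGS = {"meta", "img", "br", "hr", "input", "link"}  # never receive an end tag


class VisibleText(HTMLParser):
    """Collects the text a reader would see and records META refresh targets."""

    def __init__(self):
        super().__init__()
        self.parts = []            # visible text fragments, in document order
        self.stack = []            # (tag, is_invisible) for every open element
        self.hidden_depth = 0      # > 0 while inside a font too small to read
        self.join_next = False     # glue the next fragment onto the previous one
        self.refresh_targets = []  # raw content= values of META refresh tags

    @staticmethod
    def _invisible(attrs):
        style = dict(attrs).get("style") or ""
        m = re.search(r"font-size\s*:\s*(\d+)\s*px", style, re.I)
        return bool(m) and int(m.group(1)) <= 2

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refresh_targets.append(a.get("content", ""))
        if tag in VOID_TAGS:
            return
        invisible = self._invisible(attrs)
        if invisible:
            self.hidden_depth += 1
            self.join_next = True  # text on both sides of a hidden run is one word
        self.stack.append((tag, invisible))

    def handle_endtag(self, tag):
        if tag not in [t for t, _ in self.stack]:
            return                 # stray end tag, common in sloppy spam markup
        while self.stack:
            t, invisible = self.stack.pop()
            if invisible:
                self.hidden_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        if self.hidden_depth:
            return                 # 1px text: the reader never sees it
        if self.join_next:
            if self.parts:
                self.parts[-1] = self.parts[-1].rstrip()
            data = data.lstrip()
            self.join_next = False
        self.parts.append(data)

    def text(self):
        return " ".join("".join(self.parts).split())


def triage(raw_html):
    """Return the filter-relevant facts about one HTML message body."""
    parser = VisibleText()
    parser.feed(raw_html)
    parser.close()
    visible = parser.text()
    seen_words = set(re.findall(r"[a-z]+", visible.lower()))
    # What a filter sees if it merely strips tags: the split words never match.
    naive = re.sub(r"<[^>]+>", " ", raw_html).lower()
    naive_words = set(re.findall(r"[a-z]+", naive))
    # Padding after </html> is invisible in Outlook but inflates the "body".
    tail = re.split(r"</html\s*>", raw_html, maxsplit=1, flags=re.I)
    trailing = tail[1].strip() if len(tail) == 2 else ""
    refresh_urls = [m.group(1) for c in parser.refresh_targets
                    for m in [re.search(r"url\s*=\s*(\S+)", c, re.I)] if m]
    return {
        "visible_text": visible,
        "spam_hits": sorted(seen_words & SPAM_WORDS),
        "naive_hits": sorted(naive_words & SPAM_WORDS),
        "refresh_urls": refresh_urls,
        "trailing_words": len(trailing.split()),
    }


# Constructed sample in the style of Figure 5.3 (placeholder domain, not a real site).
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="2;URL=http://pills.example/order">
</head><body>
<b>Cia<font style="FONT-SIZE: 1px">-</font> lis - Val<font style="FONT-SIZE: 1px">-</font> ium -
Xa<font style="FONT-SIZE: 1px">}</font> nax - best prices</b>
</body></html>
lorem qoekflg 19272 Jane Shaw aewxin oepwe
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```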
Writing effective spam is about knowing what your customers are interested in: who clicked on the e-mail, who bought a product, and where did they go within the site. All of this information is now harvested from within spam e-mail; therefore, spammers get a great insight into their customer’s personal life the second they open an e-mail. For example, take the source code of Figure 5.1:
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
</head>
<body bgcolor="#ffffff">
<div align="center">
<a href="http://t1.mokler.com/track.php/00A4945E7A/fast/firstname.lastname@example.org">
<img src="http://clicks.emarketmakers.com/images/email/emm/ls/vacation.jpg" width="600" height="400" border="0"></a></p><p/><center>
<a href="http://t1.mokler.com/track.php/00A4945E7A/fast/1?email=email@example.com">Click here to unsubscribe.</a></font></center>
<img src="http://t1.mokler.com/track.php/00A4945E7A/fast/icon.gif?email=firstname.lastname@example.org" height=1 width=1 alt=""><br>
<p style="margin-top: 0; margin-bottom: 0" align="center">
<font face="Arial" size="1"><a href="http://email@example.com&cid=00B494517B">If you wish to not receive this newsletter follow this link</a></font></p>
The bold lines are the markers inside the message, which are used to track surfing and e-mail habits. If a user clicks on Vacation.jpg inside the e-mail message, they will be directed to: http://t1.mokler.com/track.php/00A4945E7Afirstname.lastname@example.org
This Uniform Resource Locator (URL) allows the site to easily track and log each e-mail address that comes to their Web site. Because it has an e-mail address in the URL, they know that the address is not only valid, but that the user clicks on pictures.
Next is the unsubscribe link going to: http://t1.mokler.com/track.php/00A4945E7Aemail@example.com. I will go more into unsubscribe and opt-out features later in this book, but for now let’s assume that this is a legitimate unsubscribe button, and that by pressing it you share your unwillingness to view their spam.
Last but not least is the most vital piece of the spam message:
<img src="http://t1.mokler.com/track.php/00A4945E7A/fast/icon.gif?email=firstname.lastname@example.org" height=1 width=1 alt="">
This technique makes use of a 1-by-1 pixel image designed to track any user who opens the e-mail. Again, the link has the e-mail address in the URL, and all the spammer has to do is scan his HTTP logs for anyone requesting icon.gif and record the e-mail address in the request. Unless pictures are disabled in e-mails, the e-mail client will proactively download these images from any remote Web site once the e-mail is opened. The spammer now knows that the client saw the e-mail and opened it.
By using these three links a person’s habits are traceable, from entry to exit, and tell a spammer a lot of information about that person’s personal attitude toward spam. Perhaps they chose not to buy the product on sale but did visit the Web site. Maybe they just opened the e-mail. Perhaps they might be interested in other products like this one. Because of their habits, they can be sure to receive more spam from this spammer.
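The three markers described above (a click tracker on the picture, a tracker behind the unsubscribe link, and a 1-by-1 open beacon) share one tell: the recipient's address rides along in the URL. The following is an added example, not code from the book, written from the mail client's side: it lists every link or image that carries an address, flags 1x1 images as open beacons, and names the hosts a client should refuse to fetch images from. The message and the tracker hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _px(value):
    """Parse a width/height attribute such as "1" or "600px"; None if unusable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class LinkCollector(HTMLParser):
    """Records every <img src> (with its size) and <a href> in a message body."""

    def __init__(self):
        super().__init__()
        self.images = []   # (src, width, height)
        self.links = []    # href values in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src"):
            self.images.append((a["src"], _px(a.get("width")), _px(a.get("height"))))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _address_in(url):
    # Decode %40 and friends first so an encoded address is still caught.
    found = EMAIL_RE.findall(unquote(url).lower())
    return found[0] if found else None


def find_trackers(html, recipient):
    """Return the links and images in `html` that identify the recipient."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    recipient = recipient.lower()
    findings = []
    for src, w, h in parser.images:
        beacon = w is not None and h is not None and w <= 1 and h <= 1
        addr = _address_in(src)
        if beacon or addr:
            findings.append({"kind": "open-beacon" if beacon else "image",
                             "host": urlsplit(src).hostname, "url": src,
                             "address": addr, "is_recipient": addr == recipient})
    for href in parser.links:
        addr = _address_in(href)
        if addr:
            findings.append({"kind": "click-tracker", "host": urlsplit(href).hostname,
                             "url": href, "address": addr,
                             "is_recipient": addr == recipient})
    return findings


def hosts_to_block(findings):
    """Hosts a client should not fetch images from while rendering this message."""
    return sorted({f["host"] for f in findings
                   if f["kind"] == "open-beacon" and f["host"]})


# Constructed recipient and message modelled on the Figure 5.1 source; the
# campaign id and hostnames are placeholders, and the unsubscribe link carries
# the address percent-encoded to show that the decoder still catches it.
RECIPIENT = "alice@example.org"
SAMPLE = f"""<html><body><div align="center">
<a href="http://t1.tracker.example/track.php/CAMPAIGN-ID/fast/{RECIPIENT}">
<img src="http://img.cdn.example/vacation.jpg" width="600" height="400" border="0"></a>
<a href="http://t1.tracker.example/track.php/CAMPAIGN-ID/fast/1?email=alice%40example.org">Click here to unsubscribe.</a>
<img src="http://t1.tracker.example/track.php/CAMPAIGN-ID/fast/icon.gif?email={RECIPIENT}" height=1 width=1 alt="">
</div></body></html>"""

if __name__ == "__main__":
    found = find_trackers(SAMPLE, RECIPIENT)
    for f in found:
        print(f"{f['kind']:13} {f['host']:22} recipient={f['is_recipient']}")
    print("block images from:", hosts_to_block(found))
```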
Notes from the Underground…
Don’t Open Spam
If you want my opinion on how to reduce the amount of spam you receive, do this: don’t read it, don’t click on it, just hit delete.
If you play dead and pretend that you didn’t receive the e-mail, the spammer will not be encouraged to send you more spam. For all the spammer knows, your account might not be active and is just filling up with spam. If there is no one there to buy the product, they may give up after a few attempts.
The second you open the e-mail, you are showing that your account is active (live) and that you are someone who will read the spam message. If you click on a link inside a spam message, chances are you will receive even more spam, because now you are seen as someone who opens spam and clicks on the links inside them. This shows that you are genuinely interested in that product or service and that you may buy it.
When the CAN-SPAM Act was approved on November 25th, 2003, after two months of deliberation in parliament, many spam activists rejoiced. Starting January 1, 2004, it was illegal to send any spam without either an unsubscribe or opt-out link. Unsubscribe or opt-out links are seen as a way for users to voice their displeasure of being sent spam. By submitting their e-mail address to the spammer, they tell him that they do not wish to receive his promotions anymore. By law, the spammer is forced to remove their e-mail address from his mailing list—that’s the idea anyway. Following is a passage from the CAN-SPAM Act about opt-out links:
(3) Inclusion of return address or comparable mechanism in unsolicited commercial electronic mail—
(A) IN GENERAL- It is unlawful for any person to initiate the transmission to a protected computer of an unsolicited commercial electronic mail message that does not contain a functioning return electronic mail address or other Internet-based mechanism, clearly and conspicuously displayed, that—
(i) a recipient may use to submit, in a manner specified by the sender, a reply electronic mail message or other form of Internet-based communication requesting not to receive any future unsolicited commercial electronic mail messages from that sender at the electronic mail address where the message was received; and
(ii) remains capable of receiving such messages or communications for no less than 30 days after the transmission of the original message.
(5) INCLUSION OF IDENTIFIER, OPT-OUT, AND PHYSICAL ADDRESS IN UNSOLICITED COMMERCIAL ELECTRONIC MAIL—
It is unlawful for any person to initiate the transmission of any unsolicited commercial electronic mail message to a protected computer unless the message provides—
(A) clear and conspicuous identification that the message is an advertisement or solicitation;
(B) clear and conspicuous notice of the opportunity under paragraph (3) to decline to receive further unsolicited commercial electronic mail messages from the sender; and
(C) a valid physical postal address of the sender.
It is now illegal not to give the recipient a legitimate method by which they can unsubscribe from a mailing list. However, there are ways to work within the law.
A common trick is to include a valid snail mail address for the company, located in Jamaica or Nigeria. Now if the user wishes to complain, they have to be willing to pay $1.00 for postage. This greatly reduces the amount of mail that will be received, while still staying within the boundaries of the law. Spammers also use reply e-mail addresses at hotmail.com or yahoo.com. These Web e-mail accounts are legal as long as e-mail can be sent to them for 30 days after the spam was sent. The catch is that the spammer will never check the e-mail account, so sending it e-mail doesn’t make any difference.
Notes from the Underground…
Opt-outs and Unsubscribe Links
I see opt-outs and unsubscribe links as too much of a hassle to run because they require an active Web server to process the users trying to unsubscribe. This opens the server up to being blacklisted as a server that helps spam. Because of this, I have never used opt-out options in my spam. Personally, I don’t care if you don’t wish to receive my spam. You don’t have a choice in the matter—you are going to receive it. However, some sites I promote require opt-out links to be present in every e-mail sent, making sure spammers obey the CAN-SPAM Act.
With my account’s credibility at stake, I found a way to get around this rule. My favorite trick is linking to a different site’s opt-out script. A quick Google search for “click here opt-out” shows many sites that have active opt-out scripts. I link to them so that the user thinks they have opted out. I don’t have to run any servers to process the addresses, and my account is not at risk of disobeying the CAN-SPAM Act.
Next, I use a random P.O. box located in Samoa or Fiji, where snail mail takes at least a month to arrive. By the time it’s bounced back to the sender, it’s likely that too much time has passed for them to remember what message they saw in the first place.
What happens when you unsubscribe? Do spammers really care? Do they even listen to your request? It depends on the spammer; many large spammers actively remove the e-mail addresses of any unsubscribe requests they receive.
The catch is that users will often be unsubscribed from one list and subscribed to two new lists, or their e-mail address becomes part of a mailing list regularly sold to other spammers. This is because their e-mail address is now verified; the spammer knows that their e-mail account is active and working and that the user actively reads spam. This shows how versatile spammers can be; they have found ways of moving within the law. CAN-SPAM has effectively legalized spam; as long as you work within the guidelines of the act, you don’t risk going to jail.
Notes from the Underground…
If you don’t wish to receive spam, simply don’t reply to it, open it, or click on it. Just delete the message and pretend that it never arrived. Oddly enough, spammers dislike people who complain, and you will probably end up receiving more spam if you attempt to unsubscribe or reply to the e-mail address.
You may have noticed several strings of unreadable words inside a spam message such as:
aewxin qoekflg oepwe 19272 Jane Shaw
You may wonder what creates these and what purpose they serve in spam.
Random data helps defeat spam filters that look for the same message delivered to multiple accounts, or an e-mail that contains too many known spam words. By adding random data into e-mail, a spammer can trick a mail server into believing that the e-mail is not spam. Pages of random words are often tagged onto the end of a message, sometimes selected randomly from the dictionary, or random characters thrown together. These strings make e-mail unique and make it look legitimate.
Many e-mailing programs support creating dynamic e-mails. Dark Mailer is great at coming up with random e-mails. It lets you define message headers, variables, body, subject, or reply addresses as random strings, numbers, or words, which change for every e-mail delivered.
As you can see in Figure 5.4, a subject will be created from %RND_TEXT %RND_WORD %FROM_NAME. Although this may seem like an uneducated and unintelligent thing to do to your spam, it is highly effective against many spam filters.
Figure 5.4: The Making of aewxin qoekflg oepwe 19272 Jane Shaw
I only use random data now; no other method comes close to the delivery rate 182945 ajeeye Jack can give.
Notes from the Underground…
My favorite subject to use in spam is a random name in a string; something that still makes sense in its context such as:
%FIRST_NAME said you would be interested in this. Ref: %RND_DIGIT[1-3]/%RND_DIGIT[1-4]
This produces a subject that is highly readable but still unique. For example:
“Claire said you would be interested in this. Ref:18/210”
Anyone can quickly spot the message as spam if it seems overly random and contains an often-garbled subject or reply address. However, this does not seem to have any impact on the user; they still open the message, click on the links, and buy the products. I have heard people say that there are links behind the random data in e-mail messages. There is no truth to this. The only reason spammers add random data is to bypass filters; there is no logic or reason behind it, and no, the government isn’t tracking you.
Ideally you want links to pictures inside HTML-formatted e-mail. Color often brightens up e-mail and increases its eye appeal.
However, if you are sending e-mail through an open proxy server or a compromised host, you do not want your own Web server to host the pictures because people may complain to your Web server’s ISP, which may result in your account being cancelled. No matter where you host the pictures, the host provider is sure to receive thousands of complaints. If even 1 percent of your spam results in an angry e-mail sent to your upstream provider, your account stands a good chance of being closed, usually quoting the line from the Terms and Conditions that explicitly disallows anything to do with spam.
There are a few ways around this. First, there is the corporate way. Just like companies that offer methods of sending spam, companies also offer bullet-proof hosting, located in remote countries such as Costa Rica or China. These companies offer a way for spammers to host content within a spam-friendly network. These providers will ignore complaints and abusive e-mails and your pages will always be available to the public, no matter what the content is, or how you promote it.
One company that offers such a service is www.bullet-proofhosting.com.ni, where pictures can be served out of Nicaragua. This anonymous, spam-friendly hosting does not come cheap; a single dedicated server capable of hosting adult or casino content will cost a tidy $3,200.00 US a month. A hefty price for the service, but there is no risk of the account being cancelled unexpectedly.
As mentioned in Chapter 2, botnets are often used when sending spam. They are also used when hosting content. In May 2003, a group of spammers who specialized in selling pornography and sexual performance enhancer pills released a Trojan called Fizzer.
Fizzer spread via e-mail, spamming copies of itself to other users. When infected, each client would begin to run a Web server and connect to a hidden Internet Relay Chat (IRC) server. This gave the spammers control over the host and a place to host the content referenced from their spam. A very creative idea, since this gave the spammers millions of disposable Internet Protocol (IP) addresses.
Let’s say I’m a creative spammer and I prefer less conventional methods of hosting pictures for spam. My favorite would be making someone else host the content for me, often without them knowing. Take the following hypothetical scenario:
It is late December and universities all over the world have closed their doors for the year; however, most do not turn off their servers. They continue to operate, processing incoming e-mail and the school’s Web site. Since the schools’ doors will be shut, and it is unlikely that any of the teachers would still be checking their school e-mail account, the school is a prime target to host content; while the teachers are away the spammer will play. All I need is for the school’s Web server to be up to serve my pictures for three days. By then the majority of people will have read the spam and I can afford to shut down the Web server and delete the pictures. I would have less success if the school was currently open, because complaint e-mails would probably flood in and alert the technician within one day.
I have noticed a common trend in Asian schools: most students receive comprehensive courses in computing, from basic programming to Web development. Even at a young age and in primary schools, there are many test Web servers set up for students to run scripts and host their own Web pages. Another common trend is that the majority also have a way for students to submit or upload pictures on a random host usually meant for art galleries, photo galleries, or test scripts a student has installed.
A Google search for inurl:.edu.cn inurl:upload will show you just how many sites there are in China alone. All you have to do is submit your own photos and spam the link to where the photos were uploaded. The photo gallery can now become your very own spam server; all you need is a server capable of serving a .jpg, as seen in Figure 5.5. An added bonus is the server’s location in a non-English speaking country, making those complaint e-mails that much harder to read.
Figure 5.5: An upload.cgi Just Asking to Host My Content
Notes from the Underground…
Borrowing a Home Directory
I once found such a script at a Chinese primary school. It was installed under a user’s home directory where he was submitting photos from what looked like his cell phone to a large photo gallery. It only took two seconds to submit my own photos to his Web site, and I used the primary school to host my content. It worked well, and the server was up and serving for over a week while I sent out my spam—all complete with full color pictures.
There is yet another highly creative method for making someone else host pictures or content for me. Most spammers don’t know of this method or choose not to use it. It involves HTML injection, a technique for controlling the contents of a Web page by injecting HTML into its variables, so that someone else unknowingly hosts spam-related HTML.
Take the following example in Figure 5.6. With the help of a little HTML injection, I can manipulate an .asp-based photo gallery script, changing the content of the page and turning it into a spam-promoting Web page.
Figure 5.6: Attention All Offers: There is a Hijacking in Progress in Chapter 5
If there’s a way, there’s a spammer.
The URL for this Web page is:
http://www.randomsite.com/gallery/viewpic.asp?File="><img%20src="http://www.pillsaregood.com/images/pills/viag03.gif"&Caption=<font%20size=100>%20Having%20trouble%20getting%20it%20up?
As you can see, both the File and Caption variables are under my control, which has resulted in rogue HTML content being injected. This injection has changed the look of the Web page by adding another picture and changing the font text and size of the caption.
The page is now a walking drug billboard. If you look at the page source you can see where and how this was achieved:
… <img src="images/"><img src="http://www.starpills.com/images/pills/viag03.gif" alt="" border="2"></P> <P><font size=100> Having trouble getting it up?</P> <P> …
The second <img> tag and the <font> tag are where the injection takes place. The File variable, which usually contains the location of a local file to include, has been overwritten and further HTML has been injected. This HTML contains another HTML image tag, allowing me to specify a remotely hosted picture at www.pillsaregood.com.
By injecting a font tag and my own caption into the Caption variable, I can change the displayed caption with a large font size to make the page look fully legitimate. If I wanted to, I could also add a hyperlink so that when clicked, the text body and picture will take you to the site I am promoting. In under five minutes of work I have been able to change an innocent photo gallery Web site into my own spam jump page, the page a user first sees when they click on spam.
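To show what the gallery script gets wrong and how its maintainer would close the hole, here is an added Python example (not the page's .asp script; its output template and function names are assumed). It re-creates the File and Caption interpolation with the two parameters from the URL above, then renders the same request through an allow-listed File and an HTML-encoded Caption.

```python
import html
import re
from urllib.parse import unquote

# Constructed stand-in for what viewpic.asp emits (hypothetical template, not the real script).
PAGE = '<P><img src="images/{file}" alt="" border="2"></P>\n<P>{caption}</P>'

# The two parameters from the URL quoted above, percent-decoded as the server receives them.
ATTACK_FILE = unquote('"><img%20src="http://www.pillsaregood.com/images/pills/viag03.gif"')
ATTACK_CAPTION = unquote('<font%20size=100>%20Having%20trouble%20getting%20it%20up?')

# Only a bare image file name from the gallery's own directory is an acceptable File value.
SAFE_FILE_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(?:jpe?g|gif|png)$", re.I)

def render_vulnerable(file, caption):
    """Interpolates both request parameters into the markup unchanged, as the gallery page did."""
    return PAGE.format(file=file, caption=caption)

def safe_file_name(file):
    """Returns File if it is a plain image name, else None (rejects quotes, tags, slashes, '..')."""
    return file if SAFE_FILE_RE.match(file) else None

def render_hardened(file, caption):
    """Allow-lists File (placeholder when it fails) and HTML-encodes Caption including quotes,
    so whatever the caller sends is displayed as text and never parsed as markup."""
    name = safe_file_name(file) or "missing.gif"
    return PAGE.format(file=html.escape(name, quote=True), caption=html.escape(caption, quote=True))

if __name__ == "__main__":
    print(render_vulnerable(ATTACK_FILE, ATTACK_CAPTION))  # second <img> and <font> appear as markup
    print(render_hardened(ATTACK_FILE, ATTACK_CAPTION))    # same input shown as inert text
```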
A jump page is the page that sits between the spam e-mail and the product Web site. Acting as a filter, it ensures that only legitimate parties end up at the product site. Jump sites are good for two reasons. First, they reduce the number of annoyed customers complaining to the product Web site. By initially sending the reader to a different host you can confuse them. This often causes abusive e-mails to be sent to the jump page host, not the product vendor.
Second, a jump page reduces any obvious peaks in traffic that could stem from millions of people opening their mail. Many companies check their server logs to make sure no one is directly linking to pictures or content held on their Web server, or sending spam to promote a product.
Example of an HTTP log file:
188.8.131.52 - - [21/May/2002:02:03:25 +1200] "GET /images/pills.jpg HTTP/1.1" 200 42445 "http://us.f520.mail.yahoo.com/ym/ShowLetter?MsgId=8496_1134833_54059_1761_883_0_393_-1_0&Idx=5&YY=40828&inc=25&order=down&sort=date&pos=0&view=a&head=b&box=%40B%40Bulk" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
If the logs show the referral value as yahoo.com, the company will know that someone has been sending spam and using their Web server to host the content. Your account will not last very long and you may never receive any money currently owed to you. By hosting the images on a remote jump page, you can effectively clean the referral value. When the user clicks on a link on your jump site to the main product Web site, only the jump site is shown in the referral address. No one has any idea if the user came to that site via e-mail spam, clicking on a link, or a Google search.
Jump sites are common in spam e-mails, and are usually hosted on bulletproof servers outside the US. Another handy trick to know is that if you directly link to images hosted on a promoter’s Web site from a hijacked page, the Web server logs will show the hijacked host as the referrer, incriminating them, not you.
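The log check the text describes, as an added Python example that is not from the page: it parses Combined Log Format lines, including the line quoted above, and counts image requests whose Referer is a webmail reader. The webmail host list and the three extra log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format, the layout of the Apache line quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A Referer under one of these hosts means the image was loaded inside someone's webmail (constructed list).
WEBMAIL_HOSTS = ("mail.yahoo.com", "hotmail.com", "mail.google.com")
IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_webmail_host(host):
    return host is not None and any(host == h or host.endswith("." + h) for h in WEBMAIL_HOSTS)

def webmail_image_hits(lines):
    """Counts, per image path, requests whose Referer is a webmail reader: the signature of
    images on this server being hot-linked from e-mail. Non-image requests are ignored."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].lower().endswith(IMAGE_EXT):
            continue
        ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        if is_webmail_host(ref_host):
            hits[rec["path"]] += 1
    return hits

# Constructed sample: the line from the text (first entry) plus three made-up neighbours.
SAMPLE_LOG = [
    '188.8.131.52 - - [21/May/2002:02:03:25 +1200] "GET /images/pills.jpg HTTP/1.1" 200 42445 '
    '"http://us.f520.mail.yahoo.com/ym/ShowLetter?MsgId=8496_1134833_54059_1761_883_0_393_-1_0&Idx=5&box=%40B%40Bulk" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
    '10.0.0.6 - - [21/May/2002:02:05:02 +1200] "GET /images/pills.jpg HTTP/1.1" 200 42445 '
    '"http://by12.hotmail.com/cgi-bin/getmsg" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.0.0.7 - - [21/May/2002:02:06:40 +1200] "GET /images/pills.jpg HTTP/1.1" 200 42445 '
    '"http://www.example-vendor.test/products.html" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.0.0.8 - - [21/May/2002:02:07:11 +1200] "GET /index.html HTTP/1.1" 200 1210 '
    '"http://us.f520.mail.yahoo.com/ym/ShowLetter" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]
```

The Yahoo Referer also carries box=%40B%40Bulk, so the reader opened the message from the Bulk folder, which is worth keeping in the report when such hits are escalated.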
After you finish hijacking a page, what’s next? How do you tie this defaced Web page into your spam message? This is where HTML formatting comes in very handy. Take the following example:
<HTML>
<HEAD>
<META HTTP-EQUIV="refresh" content="1;URL=http://www.randomsite.com/gallery/viewpic.asp?File='><img%20src=http://www.pillsaregood.com/images/pills/viag03.gif&Caption=<font%20size=100>%20Having%20trouble%20getting%20it%20up?>">
<TITLE>%RND_WORD %RND_WORD %RND_WORD</TITLE>
</HEAD>
<BODY>
""</font>
<A HREF="http://www.randomsite.com/gallery/viewpic.asp?File='><img%20src=http://www.pillsaregood.com/images/pills/viag03.gif&Caption=<font%20size=100>%20Having%20trouble%20getting%20it%20up?">
<b><br>
P<font style="FONT-SIZE: 1px">%RND_LETTER</font>
r<font style="FONT-SIZE: 1px">%RND_LETTER</font>
o<font style="FONT-SIZE: 1px">%RND_LETTER</font>
z<font style="FONT-SIZE: 1px">%RND_LETTER</font>
a<font style="FONT-SIZE: 1px">%RND_LETTER</font>
c<font style="FONT-SIZE: 1px">%RND_LETTER</font>
?<font style="FONT-SIZE: 1px">%RND_LETTER</font>
</A>
<br><br><font style="FONT-SIZE: 2px">
%RND_WORD %RND_WORD %RND_WORD %RND_WORD %RND_WORD %RND_WORD %RND_WORD
When I was a child, I spake as a child, I understood as a child, I thought as a child; but when I became a man, I put away childish things. --1 Corinthians 13:11
Wine maketh merry: but money answereth all things. --Ecclesiastes 10:19
</BODY>
</HTML>
This is a combination of many techniques. Random data is placed throughout the page so that each message is unique in size and content, defeating filters that check for the same message being delivered repeatedly, as seen in the %RND_WORD and %RND_LETTER placeholders.
By sending the message in HTML format, I am able to use a “refresh” directive to send the user to my hijacked Web site one second after they open the e-mail. If the refresh fails, there is a hyperlink with the single word “Prozac,” its letters separated by 1-pixel random letters. If the user is interested in Prozac, they will click on the word and likewise end up at my hijacked Web site (see Figure 5.6).
There are also random sections of text at the base of the e-mail, written in a 2-pixel font. This text is unreadable to the human eye and contains both random quotes from the Bible (my personal favorite) and words selected at random from the dictionary. The %RND_WORD and %RND_LETTER placeholders are replaced by my mailing program (Dark Mailer) at the time of sending. This improves the message’s appearance, fooling some spam filters into thinking the message is legitimate.
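Seen from the filter's side, here is an added Python example (not part of the original) that scores an HTML message for the three indicators this template relies on: a meta refresh to a host other than the sender's, runs of text in fonts of 2px or smaller, and the share of all text hidden that way. The sample message is a constructed, shortened version of the template above with its placeholders filled in.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TINY_FONT_RE = re.compile(r"font-size\s*:\s*([0-9.]+)px", re.I)

class MailHtmlInspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refresh_target = None   # URL of a <meta http-equiv="refresh">, if any
        self.tiny_font_runs = 0      # <font> elements sized 2px or less
        self.hidden_chars = 0        # text characters inside such elements
        self.visible_chars = 0       # text characters everywhere else
        self._font_stack = []        # one bool per open <font>: True when its size is tiny
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url=(.+)", a.get("content") or "", re.I)
            self.refresh_target = m.group(1).strip() if m else None
        elif tag == "font":
            m = TINY_FONT_RE.search(a.get("style") or "")
            tiny = bool(m) and float(m.group(1)) <= 2
            self.tiny_font_runs += tiny
            self._font_stack.append(tiny)
    def handle_endtag(self, tag):
        if tag == "font" and self._font_stack:  # tolerates the stray </font> in the template
            self._font_stack.pop()
    def handle_data(self, data):
        n = len(data.strip())
        if any(self._font_stack):
            self.hidden_chars += n
        else:
            self.visible_chars += n

def inspect_mail_html(body, sender_host):
    """Returns the three indicators; sender_host is the domain the message claims to come from."""
    p = MailHtmlInspector()
    p.feed(body)
    total = p.hidden_chars + p.visible_chars
    target = urlsplit(p.refresh_target).hostname if p.refresh_target else None
    return {"refresh_offsite": target is not None and target != sender_host,
            "tiny_font_runs": p.tiny_font_runs,
            "hidden_ratio": p.hidden_chars / total if total else 0.0}

# Constructed sample: the template above, shortened, with %RND_* placeholders filled in.
SAMPLE_MAIL = """<HTML><HEAD><META HTTP-EQUIV="refresh" content="1;URL=http://www.randomsite.com/gallery/viewpic.asp?File=x">
<TITLE>sword alpha tree</TITLE></HEAD><BODY><A HREF="http://www.randomsite.com/gallery/viewpic.asp?File=x"><b><br>
P<font style="FONT-SIZE: 1px">q</font>r<font style="FONT-SIZE: 1px">z</font>o<font style="FONT-SIZE: 1px">k</font>zac?</A>
<br><br><font style="FONT-SIZE: 2px">lantern quorum When I was a child, I spake as a child</font></BODY></HTML>"""
```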
Figure 5.7 is an example of the final product: a spam message hosted on a hijacked Web server and sent using open proxy servers.
Figure 5.7: The Final Product
This hijacking method is powerful because it allows a spammer to use a third party to host the layout and content of his spam. A spammer could even exploit an existing trust relationship someone may hold with a particular site. By finding an HTML injection flaw in Microsoft.com or cnn.com, it would be possible for a user to be tricked into thinking the spam came from CNN or Microsoft, raising the credibility of the spam and possibly resulting in a sale.
In my time on the net, I have only seen two spam e-mails containing hijacked content. I don’t think they’re very popular. Most spammers don’t know about the method or how to use it, but I think it is a powerful method that could be used in many situations.
If you take someone from a message body to a Web site that has a respectable name, and the Web page looks legitimate and is boasting the sale of some wonder drug, your chances of them buying your product go up. Sure, a few companies are going to get a little upset with you doing so, but there is good spam money to be made doing this.