What would a perfect spam message look like? How can an ideal spam message be created that is capable of bypassing the majority of spam filters while still being highly readable and not full of random data? What follows is what I consider perfect spam: spam that attempts to bypass all levels of filters in the most efficient and productive manner while maintaining its functionality and usefulness. The pseudo-spam created solely for this book’s example will attempt to sell Viagra, possibly the most over-sold product on the Internet.
The first thing to keep in mind as you develop perfect spam is that money cannot be an issue. The more effort and money you invest into a project usually determines the percentage of profit you will receive from it. When you’ve come to terms with this realization and have the proper financial means in place, you can begin.
I would start by setting myself up with an offshore Web-hosting provider in China, Africa, or a small Pacific island; ideally, a pro-spam company. They don’t have to allow me to send spam directly from their network; they just need to approve of me linking to their Web servers from my spam e-mails. The cost of this service would be $300.00 to $400.00 per month; well worth the expense, since the provider would guarantee my Web site is available during the lifetime of my spam. The last thing I would want is for users not to be able to buy the product.
Next, I would register a domain name through a Russian domain-name registrar, using fake credentials but choosing a semi-legitimate-looking domain name and excluding any obvious keywords such as “Viagra” or “Drugs.” In this example I will use: glossy-heven.com.
Although linking directly to an IP address instead of a domain name would also work, linking to a domain name receives a much lower spam score from many filters, increasing the message’s apparent legitimacy. Do you ever e-mail a friend and send them a link to “184.108.40.206”? The majority of valid e-mails that contain links contain domain names, not IP addresses.
My preferred method of sending the spam would be via a Botnet or large compromised host network. If I aimed to send five million spam messages I would be looking at using five or ten thousand hosts to deliver those messages. Using this many e-mail hosts gives me a low ratio of messages each host has to send, making the spam as effective as possible and reducing the points of failure. I estimate 20 to 30 percent of the hosts will be blacklisted by the time the spam sending is completed, so the more hosts I have the better it is for me in the long run.
My options with Botnets are limited. One option would be for me to rent one for a few hundred dollars a week from another spammer or hacker; an easy alternative, but still another cost associated with the spam delivery. My choice would be to steal an existing Botnet, find a compromised host, determine what Botnet software is running on that host, watch for any communication sent to the host, and use this information to take control of the Botnet. This is a somewhat powerful and sneaky method, but the majority of Botnets are badly secured and it is not hard to get “inside” the zombie network. Find the control password and use it to hijack the other zombies within the Botnet. Then change the password or install your own Botnet software, thus making it your own. Although this method requires an investment of time and energy, it can really pay off. Some Botnets consist of 20,000 hosts and are controlled by a single password that is sent to each zombie in the form of an Internet Relay Chat (IRC) message. This message is easily sniffed out in transit and can be used to “steal” the Botnet from the hacker. Botnet hacks are very common and hosts are often stolen from each Botnet master by rival hackers.
Once the Botnet is set up, I would use a client-based spam program to relay my messages through open proxy servers running on each Botnet zombie. I would rotate the messages evenly around the proxy servers and test each host’s validity every few minutes to make sure it is not blacklisted or banned in any spam RBL. The hosts would send HELO messages containing random domain names, avoiding any that obviously belong to cable or dial-up providers. The message would be HTML-based with a random subject. Each subject sent would come from a list of previous subjects, such as a list of e-mail I previously received. The body of the message would contain mostly words displayed from picture files linked to www.glossy-heven.com. These pictures would contain the most obvious spam words such as “Buy Viagra Here,” “Online pharmacy,” and “Low prices!”
Including these words as multiple pictures instead of one large picture can reduce the score the message receives by spam filters. Legitimate messages that contain HTML links to a picture predominantly contain at least two or three pictures. Short messages that contain only a link to a single picture are often seen as spam.
Storing these words in pictures allows me to hide them from spam content checkers, since content filters are unable to read the body of the pictures. This allows me to say whatever I want in each picture and not have to obfuscate any keywords such as Viagra. The upper part of the message will contain a link to my picture file and the lower part will contain half a page of random newsgroup message replies, pre-harvested from online news servers. This will ensure that the random data in the body looks legitimate, because someone else wrote it. If I combine parts of five random messages into one, I can create millions of possibilities and make each message unique, with only one common element (the picture link). I would send the messages on a national public holiday such as Easter Sunday or Christmas. That way, the majority of abuse complaints would not be checked, because the majority of people are on holiday.
The following is a copy of the HTML message source that I would use. The %RND_ markers identify sections of random data and each variable is replaced by my spam sending client when e-mailed.
<html>
<head>
</head>
<body>
<a href="http://%RND_WORD.glossy-heven.com/order">
<img src="http://%RND_WORD.glossy-heven.com/img/1.gif"><br>
<img src="http://%RND_WORD.glossy-heven.com/img/2.gif"><br>
<img src="http://%RND_WORD.glossy-heven.com/img/3.gif"><br>
<img src="http://%RND_WORD.glossy-heven.com/img/4.gif"><br>
</a>
%RND_NEWSGROUP_HEADER
%RND_NEWSGROUP_HEADER
%RND_NEWSGROUP_HEADER
%RND_NEWSGROUP_HEADER
%RND_NEWSGROUP_LINE
%RND_NEWSGROUP_LINE
%RND_NEWSGROUP_LINE
%RND_NEWSGROUP_LINE
%RND_NEWSGROUP_LINE
%RND_NEWSGROUP_LINE
%RND_NEWSGROUP_LINE
%RND_NEWSGROUP_LINE
%RND_NEWSGROUP_LINE
</body>
</html>
This creates the following e-mail once each variable has been replaced (see Figure 11.4):
Figure 11.4: The Composed Message
As you can see, all of the message headers came from different legitimate e-mails, which gives a random subject that draws no attention to itself. These particular message headers came from posts to bugtraq. As so many messages are sent to bugtraq, it’s easy to get a lot of content, and the message subjects have a fair amount of variety in them. Plus, the catchy phrases are sure to draw in some new people, giving them something a little different for their inbox. Although it looks intrusive, the random data doesn’t tamper with or hinder the direction of the spam. You can still clearly tell what the spam is trying to say.
Spammers claim to receive much better results when they use a very random subject line, as more people open the spam, curious about how strange it seems.
In the HTML source, the image links contained %RND_WORD in each host address. This means that each image link is unique, from ajefhe.glossy-heven.com to jie93q.glossy-heven.com. This makes the Web site harder to blacklist and makes each e-mail look unique rather than all linking to a single host. This helps defeat hash-based filters.
DNS wildcards are a wondrous thing. By setting up a wildcard (match all) DNS record, I can have anything.glossy-heven.com resolve to a single IP address.
Take this example of xxx.com:
Non-authoritative answer:
Name:    freexxxdotcomhosting.web1000.com
Address: 66.28.xxx.xx
Aliases: spammerx-hacked.xxx.com
If you type nslookup spammerx-hacked.xxx.com you will see that it resolves to a valid IP address. This gives you a practically unlimited supply of host names to use. Hash-based spam filters will find it hard to match random host names, and it will take longer for glossy-heven.com to be blacklisted. Hosts are also usually banned by their full host name and not by domain.
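From the filter's side, the two tricks just described (the image-only call to action in the HTML template, and random subdomains that all collapse to one wildcard domain) are exactly what a content check can key on. The following is an added example, not code from the book, written against the Python standard library; the sample message, the score weights and the registered_domain helper (which assumes a single-label TLD) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class MessageFeatures(HTMLParser):
    """Collect image hosts, anchor text and body text from an HTML message."""
    def __init__(self):
        super().__init__()
        self.img_hosts, self.text, self.link_text = [], [], []
        self.in_link, self.linked_images = False, 0
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.in_link = True
        elif tag == "img":
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:
                self.img_hosts.append(host.lower())
            self.linked_images += self.in_link  # image wrapped in an <a>
    def handle_endtag(self, tag):
        if tag == "a":
            self.in_link = False
    def handle_data(self, data):
        (self.link_text if self.in_link else self.text).append(data)

def registered_domain(host):
    # ajefhe.glossy-heven.com -> glossy-heven.com. Assumes a single-label
    # TLD; a production filter would consult the Public Suffix List.
    return ".".join(host.rstrip(".").split(".")[-2:])

def score_message(html):
    """Score the two evasion patterns from the text; returns (score, reasons)."""
    f = MessageFeatures()
    f.feed(html)
    hosts, score, reasons = set(f.img_hosts), 0, []
    domains = {registered_domain(h) for h in hosts}
    if len(hosts) > 1 and len(domains) == 1:
        score += 3  # random hostnames that all collapse to one wildcard domain
        reasons.append("%d image hosts collapse to %s" % (len(hosts), min(domains)))
    if f.linked_images >= 2 and not re.search(r"\w", "".join(f.link_text)):
        score += 2  # the call to action is image-only: linked images, no anchor text
        reasons.append("%d linked images carry no anchor text" % f.linked_images)
    return score, reasons

# Constructed sample in the shape of the template above, with variables filled in.
SAMPLE = """<html><body><a href="http://xk2ls.glossy-heven.com/order">
<img src="http://ajefhe.glossy-heven.com/img/1.gif"><br>
<img src="http://jie93q.glossy-heven.com/img/2.gif"><br></a>
Re: [bugtraq] vendor patch for last week's advisory (constructed padding)
</body></html>"""
```

The harvested newsgroup text contributes nothing to the score, which is the point: the signal is in the link and image structure, not in the words a language analyzer would read.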
The random data pulls off the effect by looking like a previously written e-mail. Who would have thought you could find so many uses for bugtraq posts? I know that a language analyzer would not find any fault with my text, since it is legitimate in nature. Nothing identifies the text as out of place, either. Additionally, there is enough to the body that the message looks legitimate. In short, this message stands a good chance of scoring low on most spam filters.
I would send the messages with a high-speed connection local to me, relaying the e-mails through my Botnet. I would deliver each message quickly; five million spam messages may take an hour or two to send, but this is no problem because after all this work we deserve to relax.