Can someone explain to me (publicly or privately) why someone would send spam with no product to sell, no position to pitch, nothing except text designed to get by a spam filter -- without even HTML to KNOW it got by a spam filter.. For example: From: Joe Legitimate <jlegit@university.edu> To: Deepak Jain <deepak@ai.net> Subject: [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] --- EOM --- I don't understand why one would waste the time, if its a test, why would it get out in public? I would like to think I am being naive, but I just don't see the upside unless it were particularly targeted at me or my mailserver to determine our response or response time, etc. Thanks in advance, DJ
On Wed, 31 Mar 2004 22:18:03 -0500 Deepak Jain <deepak@ai.net> wrote:
Can someone explain to me (publicly or privately) why someone would send spam with no product to sell, no position to pitch, nothing except text designed to get by a spam filter -- without even HTML to KNOW it got by a spam filter..
For example:
From: Joe Legitimate <jlegit@university.edu>
To: Deepak Jain <deepak@ai.net>
Subject: [dictionary word]
[dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word] [dictionary word]
--- EOM ---
I don't understand why one would waste the time, if it's a test, why would it get out in public?
I would like to think I am being naive, but I just don't see the upside unless it were particularly targeted at me or my mailserver to determine our response or response time, etc.
just out of curiosity, do you happen to use a mail reader which normally only shows you the text portion of a mime message?
there's quite a lot of spam which has attempts at busting bayesian filters in the text section, and the spam payload is in the html section.
richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
On Wed, Mar 31, 2004, Deepak Jain wrote:
Can someone explain to me (publicly or privately) why someone would send spam with no product to sell, no position to pitch, nothing except text designed to get by a spam filter -- without even HTML to KNOW it got by a spam filter..
(a) kill bayesian filters - people would simply mark it as spam and then notice that their spam filters become less trustworthy.
(b) list scraping - perhaps not random dictionary words (i've seen real-sounding meeting confirmation emails, for example, which a few unrelated friends of mine also received) to determine which email addresses are/aren't valid
(c) Sometimes, I get spam with the above crap in the text body, but a spam-like HTML body.
Adrian
--
Adrian Chadd I'm only a fanboy if
<adrian@creative.net.au> I emailed Wesley Crusher.
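The text/HTML split that Richard Welty and Adrian's point (c) describe can be checked by comparing the words in a message's text/plain part with the visible text of its text/html part. The Python below is an added example, not code from any poster in this thread; the sample message, the function names, the UTF-8 decoding and the 0.2 threshold are assumptions made for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample: word salad in text/plain, an unrelated pitch in text/html.
SAMPLE = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

harbor velvet lantern orchard meadow cobalt thimble granite willow ember
--b1
Content-Type: text/html

<html><body><p>Cheap pills, order today</p></body></html>
--b1--
"""

class _Text(HTMLParser):  # collects character data, skipping script/style
    def __init__(self):
        super().__init__()
        self.chunks, self.skip = [], False
    def handle_starttag(self, tag, attrs):
        self.skip = tag in ("script", "style")
    def handle_endtag(self, tag):
        self.skip = False
    def handle_data(self, data):
        if not self.skip:
            self.chunks.append(data)

def words(s):
    return set(re.findall(r"[a-z]{3,}", s.lower()))

def part_overlap(raw):
    """Jaccard overlap of text/plain vs visible text/html words; None if a part is missing."""
    body = {}
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html") and ctype not in body:
            body[ctype] = part.get_payload(decode=True).decode("utf-8", "replace")
    if len(body) < 2:
        return None
    parser = _Text()
    parser.feed(body["text/html"])
    a, b = words(body["text/plain"]), words(" ".join(parser.chunks))
    return len(a & b) / len(a | b) if a | b else 1.0

def parts_diverge(raw, threshold=0.2):  # 0.2 is an assumed cut-off
    return (score := part_overlap(raw)) is not None and score < threshold
```

A low overlap is a signal to score the HTML part on its own rather than letting the text part dilute it; legitimate multipart/alternative mail normally carries the same wording in both parts.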
On Thu, 1 Apr 2004, Adrian Chadd wrote:
On Wed, Mar 31, 2004, Deepak Jain wrote:
Can someone explain to me (publicly or privately) why someone would send spam with no product to sell, no position to pitch, nothing except text designed to get by a spam filter -- without even HTML to KNOW it got by a spam filter..
<snip>
(c) Sometimes, I get spam with the above crap in the text body, but a spam-like HTML body.
numbing the masses to the pain....
A message like this will usually contain an html portion with an image in it that is a single pixel in size, that is white-on-white. It doesn't show up when you look at it, but it sends a request to the sender's specified website to get the pixel, thus showing them which email accounts are active.
Jerry
-------Original Message-------
From: Adrian Chadd
Date: 03/31/04 22:58:29
To: Deepak Jain
Cc: nanog@merit.edu
Subject: Re: Spam with no purpose?
On Wed, Mar 31, 2004, Deepak Jain wrote:
Can someone explain to me (publicly or privately) why someone would send spam with no product to sell, no position to pitch, nothing except text designed to get by a spam filter -- without even HTML to KNOW it got by a spam filter..
(a) kill bayesian filters - people would simply mark it as spam and then notice that their spam filters become less trustworthy.
(b) list scraping - perhaps not random dictionary words (i've seen real-sounding meeting confirmation emails, for example, which a few unrelated friends of mine also received) to determine which email addresses are/aren't valid
(c) Sometimes, I get spam with the above crap in the text body, but a spam-like HTML body.
Adrian
--
Adrian Chadd I'm only a fanboy if
<adrian@creative.net.au> I emailed Wesley Crusher.
A message like this will usually contain an html portion with an image in it that is a single pixel in size, that is white-on-white. It doesn't show up when you look at it, but it sends a request to the sender's specified website to get the pixel, thus showing them which email accounts are active.
except for those of us who don't use browsers to read mail and have html turned off in our mail readers. i just love those "get a mail reader that can handle html" responses to my requests not to post html to nanog and other ops lists. html ain't quite as bad as javascript, but with today's html hackin' kiddies, it's a close contest.
randy
On Thu, Apr 01, 2004 at 07:03:35AM -0800, Randy Bush wrote:
A message like this will usually contain an html portion with an image in it that is a single pixel in size, that is white-on-white. It doesn't show up when you look at it, but it sends a request to the sender's specified website to get the pixel, thus showing them which email accounts are active.
except for those of us who don't use browsers to read mail and have html turned off in our mail readers. i just love those "get a mail reader that can handle html" responses to my requests not to post html to nanog and other ops lists. html ain't quite as bad as javascript, but with today's html hackin' kiddies, it's a close contest.
randy
for those who tire of the increasing complexity of email(*) may I recommend /usr/ucb/mail - a (relatively) small, lightweight MUA.
--bill
(*) plus attachments, video/audio clips, goofy fonts, textured/scented "stationery", et al. and/or POP/IMAP, procmail, spamassassin, black/white/grey-lists, DNS hacks, et al.
bmanning@vacation.karoshi.com wrote:
for those who tire of the increasing complexity of email(*) may I recommend /usr/ucb/mail - a (relatively) small, lightweight MUA.
(*) plus attachments, video/audio clips, goofy fonts, textured/scented "stationery", et al. and/or POP/IMAP, procmail, spamassassin, black/white/grey-lists, DNS hacks, et al.
I'm thinking "Big Chief" tablet and black crayon.
--
Requiescas in pace o email
(Subject line changed to comply with Merit's AUP)
On Thu, 1 Apr 2004 13:28:31 UTC Jerry Eyers <jeyers@sloancc.net> wrote:
it sends a request to the sender's specified website to get the pixel thus showing them which email accounts are active.
Sometimes the request goes to the website, sometimes a DNS request to nameservers is sufficient to cause the account to be tagged as active. False tagging can occur if a mailserver or other scanner looks up the IP of URLs found in mail messages.
On Thu, 1 Apr 2004 15:03:35 UTC Randy Bush <randy@psg.com> wrote:
except for those of us who don't use browsers to read mail and have html turned off in our mail readers.
After the last batch of worms that found their way here, it's a bit disappointing that Merit hasn't yet blocked HTML mail to this list.
--
Richard Cox
On Thu, 1 Apr 2004, Richard Cox wrote:
Sometimes the request goes to the website, sometimes a DNS request to nameservers is sufficient to cause the account to be tagged as active.
I don't quite understand how that would work. DNS Request does not contain name of who the email is addressed to unless instead of using something like "http://spammersserver.com/confirmemail.cgi?yourname@yourdomain.com" they rewrite it into "http://emailidstring.spammerserver.com" and use some custom dns server that can log all such requests. But I really don't see how this would be any different than just logging with cgi, it'll result in positive logging for exactly the same set of people.
For example as I'm using PINE from unix shell, all those html images are not referenced in any way, nor are there requests sent for them in dns. Whereas WYSIWYG html email client (no matter if it's web-based or outlook or mozilla) will reference and display all images contained in email.
--
William Leibzon
Elan Networks
william@elan.net
On 4/1/2004 11:15 AM, william(at)elan.net wrote:
Whereas WYSIWYG html email client (no matter if it's web-based or outlook or mozilla) will reference and display all images contained in email
You can turn it off in Mozilla and some MS clients. It's a pretty common feature nowadays.
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Thu, 1 Apr 2004, Eric A. Hall wrote:
On 4/1/2004 11:15 AM, william(at)elan.net wrote:
Whereas WYSIWYG html email client (no matter if it's web-based or outlook or mozilla) will reference and display all images contained in email
You can turn it off in Mozilla and some MS clients. It's a pretty common feature nowadays.
Yeh, good. My point still stands though, your email client will either try to resolve the url and try to get the image or it will not (in which case there would be no dns request either).
--
William Leibzon
Elan Networks
william@elan.net
On Thu, 1 Apr 2004 17:15:10 UTC <william@elan.net> wrote:
I don't quite understand how that would work. ... unless instead of using something like "http://spammersserver.com/confirmemail.cgi?yourname@yourdomain.com" they rewrite it into "http://emailidstring.spammerserver.com" and use some custom dns server that can log all such requests.
That is precisely what they are doing.
But I really don't see how this would be any different than just logging with cgi, it'll result in positive logging for exactly the same set of people.
In pure logging terms there is no difference. However a filtering mailserver may do a lookup on the URL to see if the IP is listed as problematic, and that will register the DNS access whereas it would not register the CGI. The thinking being that the filter would be unlikely to check the content if the address was invalid anyway.
Also, the IP of the URL target is more likely to be identifiable, and the site taken down, than any nameserver that might be used. (It's all relative - no absolutes here)
--
Richard Cox
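A filter-side check for the two tracking forms discussed above (an image fetched with the recipient in the URL, and a per-recipient hostname that registers at the sender's nameserver on any lookup), as an added example that is not from any poster in this thread. The sample HTML, the example.* hosts, the function names and the 12-hex-character label heuristic are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed HTML part; the example.* hosts stand in for a sender's servers.
SAMPLE_HTML = """<html><body bgcolor="#ffffff">
<img src="http://example.com/confirm.cgi?user@example.org" width="1" height="1">
<img src="http://9f3a7c21d04be8aa.example.net/p.gif" width=1 height=1>
<img src="http://static.example.com/logo.gif" width="120" height="40">
<img src="cid:part1.logo" width="1" height="1">
</body></html>"""

class ImgCollector(HTMLParser):
    """Collect (src, width, height) for every remotely fetched <img>."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "img" and src.lower().startswith(("http://", "https://")):
            self.found.append((src, a.get("width"), a.get("height")))

def beacon_reasons(html, recipient):
    """Map each suspicious remote image URL to the reasons it was flagged."""
    parser = ImgCollector()
    parser.feed(html)
    flagged = {}
    for src, width, height in parser.found:
        url, why = urlsplit(src), []
        if width in ("0", "1") and height in ("0", "1"):
            why.append("1x1 image")
        if recipient.lower() in unquote(url.query).lower():
            why.append("recipient in query string")
        # Assumed heuristic: a long hex first label is a per-recipient ID, which
        # the sender's nameserver logs as soon as anything resolves the name.
        if re.fullmatch(r"[0-9a-f]{12,}", (url.hostname or "").split(".")[0]):
            why.append("per-recipient hostname")
        if why:
            flagged[src] = why
    return flagged

def hosts_not_to_resolve(html, recipient):
    """Hostnames a scanning mail server should not look up on the user's behalf."""
    return sorted(urlsplit(u).hostname for u, why in
                  beacon_reasons(html, recipient).items()
                  if "per-recipient hostname" in why)
```

A filter that resolves URL hosts for blocklist checks can skip the lookup for anything returned by `hosts_not_to_resolve`, since that lookup is itself the confirmation signal.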
Deepak Jain wrote:
Can someone explain to me (publicly or privately) why someone would send spam with no product to sell, no position to pitch, nothing except text designed to get by a spam filter -- without even HTML to KNOW it got by a spam filter..
Quite often it's broken spam-ware. Ever see %RND_UC_CHAR in the subject? Broken software. Spammer didn't even RTFM for his own ratware.
Properly trained SpamAssassin with some additional rulesets (http://www.exit0.us) catches the vast majority of those.
-Jonathan
participants (12)
- Adrian Chadd
- bmanning@vacation.karoshi.com
- Christopher L. Morrow
- Deepak Jain
- Eric A. Hall
- Jerry Eyers
- Jonathan Nichols
- Laurence F. Sheldon, Jr.
- Randy Bush
- Richard Cox
- Richard Welty
- william(at)elan.net