[ale] OT: Latest "sneaky" spam technique

Christopher Bergeron christopher at bergeron.com
Wed Oct 9 14:43:30 EDT 2002




Ok, now this one is just plain tricky here.  I just received an email from
some girl that I don't know.  The message reads, "here are some pics of dakota"
and the Subject line is just:  pics.

Attached to message are a bunch of legitimate baby pictures.

My first reaction was to kindly reply and let her know that it appears that
she's sent an email to me by mistake.  BUT THEN IT OCCURRED TO ME.  This is
just the latest, downright deceptive way to harvest email addresses.  After
careful review, I've come to the conclusion that this is genuine SPAM at
its nastiest.  I've forwarded the baby pictures along for kicks.  If anyone
else out there has gotten this one, please let me know.

Just wanted to pass this info along with a warning to always be alert when
you "reply" to an email message, and, for best results, don't reply to anyone
you don't know.

-CB




Chris Ricker wrote:
  You can relax.  Your message below with the embedded HTML breaking up words
was correctly caught as spam by spamassassin. ;-)

Here's the report:

X-Spam-Report: Detailed Report
  SPAM: -------------------- Start SpamAssassin results ----------------------
  SPAM: This mail is probably spam.  The original message has been altered
  SPAM: so you can recognise or block similar unwanted mail in future.
  SPAM: See http://spamassassin.org/tag/ for more details.
  SPAM: 
  SPAM: Content analysis details:   (5.4 hits, 5 required)
  SPAM: MORTGAGE_RATES     (4.4 points)  BODY: Information on mortgage rates
  SPAM: RCVD_IN_MULTIHOP_DSBL (1.0 points)  RBL: Received via a relay in multihop.dsbl.org
  SPAM:                    [RBL check: found 244.244.207.130.multihop.dsbl.org]
  SPAM: X_RCVD_IN_UNCONFIRMED_DSBL (1.0 points)  RBL: Received via a relay in unconfirmed.dsbl.org
  SPAM:                    [RBL check: found 244.244.207.130.unconfirmed.dsbl.org]
  SPAM: FUDGE_MULTIHOP_RELAY (-1.0 points) RBL: Do not double penalize if an IP is a multihop and an open relay
  SPAM: 
  SPAM: -------------------- End of SpamAssassin results ---------------------

Notice that it matched "MORTGAGE_RATES", even though you'd broken it up with 
HTML....

(and I'm sure this reply is also going to match people's spamassassin 
setups ;-)

later,
chris

On Tue, 8 Oct 2002, Fulton Green wrote:

Apparently spammers, now cognizant of things like spamassassin that actually
examine the content of spam, are now breaking up the critical keywords
with HTML comments, like:

<html><p>Mor<!-- webmaster -->tgage rat<!-- catnip -->es have never been
      lo<!-- hehe -->er!</p></html>

Just be aware.

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.

    
  
  






  









