Spam Mails
Spammers: the address collectors
This is how e-mail addresses fall into the hands of spammers:
Method 1: Collecting
Special programs, so-called robots or bots for short, search the internet for e-mail addresses. E-mail addresses can be found in the imprints of private and commercial websites, in guest books, discussion forums, classified ads, and dating sites, etc.
Providers of dubious websites often force the entry of an e-mail address before a certain service can be used. The addresses collected in this way can then be resold for profit or even used to send spam.
Various types of malware can read the address books and e-mails on infected computers and send them back to the malware's author.
Method 2: Dictionary Attacks
Unlike printed advertising material, a spam e-mail costs the sender nothing. Therefore, it doesn't bother them much if some of the e-mail addresses they send to don't even exist. This is the basis for so-called "dictionary attacks": spammers scan a name directory, telephone directory, or dictionary and randomly generate e-mail addresses from the names contained therein. These addresses are then combined with numbers or popular endings. The resulting addresses are e-mailed "on suspicion." If the sender doesn't receive an error message, the address is considered to exist.
Method 3: Buying
Lists of e-mail addresses can easily be purchased or obtained for free from the internet. These address lists are often advertised via spam e-mails. Lists of hacked e-mail accounts can also be used as a source of e-mail addresses.
Protection against spam mails
How to (try to) protect yourself from spam e-mails:
1. Use the BCC field if an e-mail is to be sent to multiple recipients.
This serves to protect the privacy of the correspondent, who should ideally be allowed to decide who they want to give their e-mail address to. At the same time, it also prevents the uncontrolled distribution of these addresses, for example, in the case of forwarded messages or if a computer is infected with malware.
2. Never reply to a spam e-mail.
Advertising e-mails often contain a notice that the recipient can prevent further delivery by replying with a specific subject or by clicking on a link. However, doing so achieves the exact opposite: the sender now knows that the e-mail address is valid and that the messages are being read. This knowledge makes the address even more valuable to spammers.
3. Never click on a link in a spam e-mail.
Links contained in spam e-mails often lead to the installation of malware, subscription traps, or other dubious offers.
4. Protect your e-mail address on websites.
Spammers use fully automated search tools (so-called "bots") to scour the internet for e-mail addresses. This is why websites often replace characters or encode the address. Other solutions include a contact form, a text graphic, or inserting the address using JavaScript - as in this example:
<script>
// Insert an e-mail address
function InsertMail(mailnam, mailsvr, maildom, text) {
  if (text == "")
    document.write('<a href="mailto:' + mailnam + '@' + mailsvr + '.' + maildom + '">' + mailnam + '@' + mailsvr + '.' + maildom + '</a>');
  else
    document.write('<a href="mailto:' + mailnam + '@' + mailsvr + '.' + maildom + '">' + text + '</a>');
}
InsertMail("name", "domain", "com", "Send e-mail");
</script>
<noscript>name [at] domain [dot] com</noscript>
5. Avoid short e-mail addresses.
E-mail addresses with names consisting of only 3 or 4 letters (e.g., abc@domain.tld) should be avoided. For example, address generators regularly send advertising e-mails to all 2-, 3-, and 4-letter variations of well-known domains (e.g., Yahoo, Hotmail, T-Online). E-mail addresses with aliases consisting of common first names or terms are also often targeted by spammers on suspicion. Proper names or names combined with numbers, such as john93@domain.tld, are better. If the e-mail address consists of a first and last name (firstname.lastname@domain.tld), there is a risk of being affected by a "dictionary attack."
6. Use two e-mail addresses: one public and one private.
The more generous you are with your e-mail address, the greater the risk of spam. It is therefore advisable to create a primary address for electronic correspondence and another for all other purposes. Almost all providers allow you to create and manage multiple e-mail addresses under one e-mail account (alias addresses). Free e-mail providers or so-called disposable addresses are another option.
7. The primary address should only be used for communication with known people or companies.
The primary address should never be used for any of the following purposes: participation in sweepstakes, registration for free services or product registrations, e-mail address directories, mailing lists, newsletter subscriptions, entries in guest books, discussion forums, or Usenet, domain registrations, sending eCards, online shopping, etc.
The tricks of spammers
To outsmart spam filters, spammers use a variety of methods. Since spam filters analyze individual words, spammers try to separate the words with HTML tags or otherwise make the context invisible to filters. On the one hand, the filters must not recognize the message, and on the other hand, the text must be readable for the recipient. Below are some of these tricks.
Trick 1:
Hiding the text by inserting invisible input fields into the text:
Get The <font color="#FF0000"> LOWE<input type="hidden" name=gfrtde>ST PR<input type="hidden" name=zawsxd>ICE </font> On Your N<input type="hidden" name=plkmju>ew Car
Trick 2:
By adding any word separated from the actual subject by spaces and tabs, the hash value of the subject is changed and spam filters will no longer recognize the e-mail as spam:
Subject: FEATURED IN MAJOR MAGAZINES algorithmic
Trick 3:
Any text intended to change the hash value of an e-mail will prevent the e-mail from being recognized by a spam filter:
<p style="margin-bottom: -20"><font size=1 color="#FFFFFF"> Random word of BIG LETTERS with length 1 to 22 TSUTHRXJKVUVBECP </font></p>
<p style="margin-bottom: -20"><font size=1 color="#FFFFFF"> Random word of small letters with length 1 to 16 uyswdgueoclrwlf </font></p>
<p style="margin-bottom: -20"><font size=1 color="#FFFFFF"> Random word of mixed symbols with length 1 to 27 7y14R484w1m7531X </font></p>
<p style="margin-bottom: -20"><font size=1 color="#FFFFFF"> Your text 9, note, maximum length of tag is 255 symbols</font></p>
<p style="margin-bottom: -20"><font size=1 color="#FFFFFF"></font></p>
Trick 4:
To obscure a URL, a username is often placed before the hostname. The additional character encoding further complicates readability:
<a href="http://10111001100100101001010101010101010100101100101001100110 001010101001010101001010100101001010101010011001101010101001010100101001 100101010101010101011011010011100110@%68%6B%2E%67%65%6F%63%69%74%69%65%7 3%2E%63%6F%6D/%6C%6F%76%65%67%69%6C%6C%67%69%6C%6C"> <font color="#FFFFFF">Click Here</font></a>
Trick 5:
By using HTML coding, the individual words can be made unreadable for the filters:
Watch Dogs slurp ...
Trick 6:
To split a word and thus trick the filtering process, spaces can also be inserted in font size 0:
V<font size=0> </font>i<font size=0> </font> a<font size=0> </font>g<font size=0> </font> r<font size=0> </font>a
Trick 7:
To circumvent the CRC-based filtering method, nonsensical characters are often added to the spam e-mail:
cre crephas wukutugucrovazichonuprixisluwephimajoq
Trick 8:
Letters are often replaced by numbers or accented characters:
V1DE0 T4PE M0RTG4GE
or
Fántástìç -- eárn mõnéy thrôugh unçõlleçted judgments
Trick 9:
By inserting an entire web page into a JavaScript, the actual text can also be hidden:
<HTML><HEAD><SCRIPT LANGUAGE="Javascript"><!-- var Words="%3CHTML%3E %0D%0A%3CHEAD%3E%0D%0A%3CTITLE%3E%3C/TITLE%3E%0D%0A%3CMETA %20HTTP-EQUIV%3D%22Content-Type%22%20CONTENT%3D%22text/html%3B %20charset%3DBig5%22%3E%0D%0A%3CMETA%20HTTP-EQUIV%3D%22Expires%22 %20CONTENT%3D%22Sat%2C%201%20Jan%202000%2000%3A00%3A00%20GMT%22%3E%0D %0A%3CMETA%20HTTP-EQUIV%3D%22Pragma%22%20CONTENT%3D%22no-cache%22%3E %0D%0A%3C/HEAD%3E%0D%0A%3CFRAMESET%20ROWS%3D%22100%25%2C0%22 %20FRAMEBORDER%3DNO%20BORDER%3D%220%22%20FRAMESPACING%3D0%3E%0D%0A %3CFRAME%20SRC%3D%22http%3A//203.204.53.231/a1_K_2/e12w_k2/a_w_a_0__2k- 1_second%22%20NAME%3D%22AMENU%22%20SCROLLING%3DAUTO%20MARGINHEIGHT%3D0 %20MARGINWIDTH%3D0%3E%0D%0A%3CFRAME%20SRC%3D%22%22%20SCROLLING%3DNO %20noresize%3E%0D%0A%3C/FRAMESET%3E%0D%0A%3CNOFRAMES%3E%0D%0A %3C/NOFRAMES%3E%0D%0A%3C/HTML%3E%0D%0A" function SetNewWords() { var NewWords; NewWords = unescape(Words); document.write(NewWords); } SetNewWords(); // --></SCRIPT></HEAD><BODY></BODY></HTML>
When the message is opened, the JavaScript is started and the "HTML mail" is displayed:
<HTML>
<HEAD>
<TITLE></TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=Big5">
<META HTTP-EQUIV="Expires" CONTENT="Sat, 1 Jan 2000 00:00:00 GMT">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
</HEAD>
<FRAMESET ROWS="100%,0" FRAMEBORDER=NO border=0 FRAMESPACING=0>
<FRAME SRC="http://203.204.53.231/a1_K_2/e12w_k2/a_w_a_0__2k-1_second" NAME="AMENU" SCROLLING=AUTO MARGINHEIGHT=0 MARGINWIDTH=0>
<FRAME SRC="" SCROLLING=NO noresize>
</FRAMESET>
<NOFRAMES>
</NOFRAMES>
</HTML>
(The formatting has been changed for better display.)
Trick 10:
Depending on the browser, URLs can also be encoded to be less obvious:
http://7763631671/obscure.htm
http://0xCeBF9e37/obscure.htm
http://0316.0277.0236.067/obscure.htm
http://3468664375@3468664375/o%62s%63ur%65%2e%68t%6D
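How a filter or analyst can reveal the real destination behind the links in Trick 4 and Trick 10 is shown below. This is an added example, not code from the original page; the function names and flag labels are made up for illustration, and wrapping an oversized number modulo 2^32 is an assumption about the legacy browser behaviour that the first URL relies on.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

def _part(p):
    """Parse one host component like inet_aton: 0x.. is hex, a leading 0 is octal."""
    p = p.lower()
    if p.startswith("0x"):
        digits, base = p[2:], 16
    elif len(p) > 1 and p.startswith("0"):
        digits, base = p[1:], 8
    else:
        digits, base = p, 10
    if not digits or any(c not in "0123456789abcdef"[:base] for c in digits):
        raise ValueError(p)
    return int(digits, base)

def canonical_host(host):
    """Dotted quad for a numeric IPv4 host in any legacy notation, else the name."""
    try:
        nums = [_part(p) for p in host.split(".")]
    except ValueError:
        return host                      # an ordinary DNS name
    if len(nums) > 4 or any(n > 255 for n in nums[:-1]):
        return host
    bits = 8 * (5 - len(nums))           # the last part fills the remaining bytes
    value = nums[-1] % (1 << bits)       # assumption: overflow wraps around
    for i, n in enumerate(reversed(nums[:-1])):
        value |= n << (bits + 8 * i)
    return str(ipaddress.IPv4Address(value))

def analyze_url(url):
    """Return the real destination of a link plus the obfuscation signs found."""
    parts = urlsplit(url)
    raw = parts.hostname or ""
    name = unquote(raw).lower()
    host, path = canonical_host(name), unquote(parts.path)
    checks = [("userinfo-before-host", parts.username is not None),
              ("percent-encoded-host", name != raw),
              ("non-dotted-ip", host != name),
              ("percent-encoded-path", path != parts.path)]
    return {"host": host, "path": path, "flags": [f for f, hit in checks if hit]}

# The four URLs from Trick 10; every one of them resolves to the same address.
TRICK10 = [
    "http://7763631671/obscure.htm",
    "http://0xCeBF9e37/obscure.htm",
    "http://0316.0277.0236.067/obscure.htm",
    "http://3468664375@3468664375/o%62s%63ur%65%2e%68t%6D",
]
```

Any non-empty `flags` list on a link in an e-mail is a useful scoring signal, because legitimate senders have no reason to write a host this way.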
Trick 11:
By inserting spaces or other special characters, individual words can also be separated and the filter can no longer search for predefined words such as "Viagra" or "Free":
M O R T G A G E
or
F*R*E*E V'I'A'G'R'A O*N*L*I*N*E
Trick 12:
Since almost all e-mail clients can display HTML messages, spammers also exploit this. If an e-mail has two parts, an HTML version and a plain text version, usually only the HTML version of the e-mail is displayed. The arbitrary text in the plain text version (text/plain) is intended to confuse the spam filter:
------=_NextPart_001_2D3DF_01C29D73.26716240
Content-Type: text/plain;

The modes of letting vacant farms, the duty of supplying buildings and permanent improvements, and the form in which rent is to be received, have all been carefully discussed in the older financial treatises. Most of these questions belong to practical administration, and are, moreover, not of great interest in modern times. Certain plain rules, may, however, be stated. The claims of successors to the late tenant should not be overlooked; it is better for the tenure to be continued without break, and therefore the question of new letting ought rarely to occur.

------=_NextPart_001_2D3DF_01C29D73.26716240
Content-Type: text/html;

<p><b><font face=Arial>Now is the perfect time to get a mortgage, and we have a simple and free way for you to get started.</font></b></td>
Trick 13:
Text can be split in various ways without changing the correct display. Be it with HTML comments or with incorrect or empty HTML tags:
milli<!-- xe64 -->onaire
Fi</n>nd N</n>ew </n>Fri</n>end</n>s
Vi<b></b>agra
F<XYZ>r<XXYA>ee
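The word-splitting tricks above (1, 5, 6, 8, 11 and 13) all fail once a filter compares keywords against the text as the recipient sees it, folded to plain letters. The following is an added example, not code from the original page; the keyword list and the digit-to-letter table are constructed for illustration.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Digits commonly substituted for letters (Trick 8); constructed, not exhaustive.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
# Hypothetical watch list; a real filter would bring its own.
KEYWORDS = ("viagra", "mortgage", "free", "lowest price", "millionaire")

class _Text(HTMLParser):
    """Collects rendered text only: tags, comments and hidden inputs are dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # also decodes &#86;-style references
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

def visible_text(html):
    parser = _Text()
    parser.feed(html)
    parser.close()                       # flush text still buffered by the parser
    return "".join(parser.chunks)

def squash(text):
    """Fold accents, undo digit substitutions, drop everything that is not a letter."""
    decomposed = unicodedata.normalize("NFKD", text)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z]", "", no_marks.lower().translate(LEET))

def find_keywords(message):
    """Return watch-list words present in the folded text but absent from the raw text."""
    raw = message.lower()
    folded = squash(visible_text(message))
    return [k for k in KEYWORDS if squash(k) in folded and k not in raw]
```

Because all separators are removed, a match can span two harmless words, so the result is best used as one input to a score rather than as a verdict.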
Trick 14:
If the message text of a spam e-mail is displayed as a graphic, such as a GIF or JPG, a filter cannot read it:
<html>
<img src="http://www.your-info-station.com/Sla/chalkboard.gif">
<div><a href="http://www.your-info-station.com/Sla/eb.php?x=52c">
<img src="http://www.your-info-station.com/Sla/pitch.gif">
</a></html>
Trick 15:
An "invisible" text is used to try to fool a filter. This can be achieved, for example, with white text on a white background:
<font color="white" size="-1">search words: suspensory obscure aristocratical meningorachidian unafeared brahmachari</font>