
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML>...
Looks like a simple HTML page. Let's save it as a .htm file (without the leading MIME headers) and open it in a browser * (having first checked for the absence of any <OBJECT> or <IFRAME> tags; do not try this at home):

There's more. That http://removed link (which I have removed for your comfort and safety) was alive and kicking and pointing to a .txt file on a web server presumably under the control of the spammer.
The salient features (well, the first few lines) of the .txt file:

Subject: Your Medzz
Date: Wed, 6 Jul 2005 10:35:02 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0034_01C58240.465DD700"
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

This is a multi-part message in MIME format.

------=_NextPart_000_0034_01C58240.465DD700
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hello, carry it to Spain for him? Well, that is a family matter between
That Latin = line, contemptuously flung after them as they clattered
never at their = ... yada yada yada
We see here:
The only headers present in the spam itself, before the X-MIMETrack header added by my Domino server, were:

Received: from gct.com ([60.240.159.179])
	by my.domino.host (Lotus Domino Release 6.5.4)
	with SMTP id 2005070616291440-4710 ;
	Wed, 6 Jul 2005 16:29:14 +0100
From: "Odysseus Askew" <Odysseus[at]gct.com>
To: "Gabr Tompkins" <me>

That Received line was also written by my Domino server, so the only headers directly created by whatever software was running at 60.240.159.179 ** at the time were From and To.
This provides us with an unusual insight into how some spamware (the zombie home PC kind) works.
Prepend those From and To headers to the .txt file from the spammer's web server and you have a complete spam (in this case touting a dodgy Internet pharmacy). The zombie spamware thus appears to listen for two or three very small pieces of information from whoever is controlling it: the http location of the .txt file, the From address to use, and the list of victims to put in To.
Having retrieved the .txt file from the given location and prepended From and a To line for the first victim, the spamware sends the whole thing to that victim direct-to-MX, then moves on to the next.
Sadly for the spammer, in this case the ISP providing connectivity to the compromised PC is also transparently pushing its web traffic through a caching squid proxy (to speed up web access, who knows?). The squid proxy failed to fetch the .txt file from the spammer's http location when asked, either because of some transient network failure or perhaps because it recognised something nasty, and refused to serve it, returning an HTML error page instead.
So instead of the .txt file, the spammer's zombie spamware merges an HTML error page with its From and To headers and in so doing gives us a fascinating and unusual glimpse into its inner workings.
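To make the mechanism above concrete, here is an added Python model (not code from the post, and not the spamware itself): `assemble` does what the zombie appears to do, `receive` mimics the receiving MTA stamping its Received: line on top, `split_headers` copes with the missing blank line the zombie produces, and `classify` is a heuristic that tells a complete template spam from the merged-error-page variant. The template, the error page beyond its DOCTYPE line, the full addresses and the function names are all constructed assumptions for the example.

```python
import re

# Constructed sender/victim; the post shows only "Odysseus[at]gct.com" and "<me>".
SENDER = '"Odysseus Askew" <Odysseus@gct.com>'
VICTIM = '"Gabr Tompkins" <victim@example.net>'

# Constructed template modelled on the quoted .txt file, trimmed to one part.
TEMPLATE = (
    'Subject: Your Medzz\n'
    'Date: Wed, 6 Jul 2005 10:35:02 -0500\n'
    'MIME-Version: 1.0\n'
    'Content-Type: text/plain; charset="us-ascii"\n'
    'X-Unsent: 1\n'
    'X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106\n'
    '\n'
    'Hello, carry it to Spain for him? Well, that is a family matter ...\n'
)

# Constructed stand-in for the proxy error page: only the DOCTYPE line comes
# from the post, the rest is made up to look like a squid error page.
ERROR_PAGE = (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" '
    '"http://www.w3.org/TR/html4/loose.dtd">\n'
    '<HTML><HEAD><TITLE>ERROR: The requested URL could not be retrieved'
    '</TITLE></HEAD>\n'
    '<BODY><H1>ERROR</H1><P>The requested URL could not be retrieved</P>'
    '</BODY></HTML>\n'
)

# RFC 5322 field name (printable ASCII except colon) followed by a colon.
FIELD_RE = re.compile(r'^[!-9;-~]+:')

# Headers the receiving MTA puts on top; not the sender's own work.
MTA_ADDED = {'received', 'x-mimetrack', 'return-path'}
# Fields a complete template carries but the zombie itself never adds.
TEMPLATE_FIELDS = {'subject', 'date', 'mime-version', 'content-type'}


def assemble(template, sender, recipient):
    """What the zombie appears to do: put From and To in front of whatever it
    fetched and hand the result to the victim's MX as-is. No blank line is
    added, so a fetched HTML page lands straight after the To: line."""
    return 'From: %s\nTo: %s\n%s' % (sender, recipient, template)


def receive(raw, client_ip='60.240.159.179'):
    """Mimic the receiving MTA stamping a Received: header on the message
    (shape taken from the post; host and id are illustrative)."""
    stamp = ('Received: from gct.com ([%s])\n'
             '\tby my.domino.host (Lotus Domino Release 6.5.4)\n'
             '\twith SMTP id 2005070616291440-4710 ;\n'
             '\tWed, 6 Jul 2005 16:29:14 +0100\n' % client_ip)
    return stamp + raw


def split_headers(raw):
    """Split a message into ([(name, value), ...], body). A strict parser
    wants a blank line before the body; this one also ends the header section
    at the first line that is neither a field nor a folded continuation,
    which is exactly where the merged error page begins."""
    lines = raw.splitlines()
    headers = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == '':
            i += 1          # proper separator: body starts after it
            break
        if FIELD_RE.match(line):
            name, _, value = line.partition(':')
            headers.append((name, value.strip()))
        elif line[0] in ' \t' and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + ' ' + line.strip())
        else:
            break           # no separator: everything from here is body
        i += 1
    return headers, '\n'.join(lines[i:])


def classify(raw):
    """Heuristic verdict on one raw message:
    'merged-error-page' - the sender added only From/To and the body opens
                          with an HTML document (the failure mode above);
    'template-spam'     - the fetched template was sent complete;
    'other'             - anything else."""
    headers, body = split_headers(raw)
    own = {name.lower() for name, _ in headers} - MTA_ADDED
    starts_html = body.lstrip().upper().startswith(('<!DOCTYPE', '<HTML'))
    if own <= {'from', 'to'} and starts_html:
        return 'merged-error-page'
    if own & TEMPLATE_FIELDS:
        return 'template-spam'
    return 'other'


if __name__ == '__main__':
    for label, payload in (('template', TEMPLATE), ('proxy error page', ERROR_PAGE)):
        msg = receive(assemble(payload, SENDER, VICTIM))
        print('%-16s -> %s' % (label, classify(msg)))
```

The point of `split_headers` is the one the post makes: because the zombie never writes a blank line of its own, the only thing separating "headers" from "body" in the broken variant is that the proxy's DOCTYPE line is not a header field. A strict RFC 5322 parser would either reject the message or swallow the HTML into the header block, so the detection logic has to tolerate the missing separator rather than assume it.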
* NOT MSIE
** belonging to TPG Internet, an Australian broadband service provider
See also:
X-Unsent: 1
1. Richard Schwartz, 08/07/2005 02:31:39
Homepage: http://www.rhs.com/poweroftheschwartz
Great analysis. I've seen messages like that, but never thought through how they might have been created.
-rich