Strange phishing/spam e-mails

Published: 2005-11-16
Last Updated: 2005-11-16 22:08:52 UTC
by Bojan Zdrnja (Version: 2)
0 comment(s)
Here is the latest update on the following Scenerio.  Thanks to fellow handler Bojan for your great analysis and work on this one!

At the moment I am pretty sure that spammers
were using this "trick" to make users solve CAPTCHA graphics for them. In
this case, I believe they were trying to open new accounts on free webmail (that's a legitimate Russian webmail). When you try to open a
new account on that site ( you will be
presented with a CAPTCHA picture and it's link will be exactly (for

Now, uses sid parameter to identify which CAPTCHA image will be
presented. The image itself will be changed (colors and number positions),
but the string that the user has to enter will remain the same. To test this
just enter the URL above in your browser and refresh couple of times - you
will see how it changes.

Therefore, spammers can build a big table of corresponding SID strings
(probably just hashes) and correct answers which enables them to
automatically open new accounts. This maybe even works on other sites if
they use same programs to generate CAPTCHA images.


We received couple of reports of very strange phishing/spam e-mails.

They all share obfuscated text which is shown properly when rendered as a HTML. In the body of the e-mail the text is always similar to:

"Dear <domain> Member,

We must check that your <domain> ID was registered by real people. So, to help <domain> prevent automated, registrations, please click on this link and complete code verification process."

The link is, of course, hidden in the HTML and the displayed one is different from where the user will go when they click the link.

All of these e-mails use Google redirector techniques in order to defeat SURBL (Spam URI Realtime Blocklists). Some of the e-mails we saw also use multiple redirectors in order to defeat Google's anti-redirector script.

They are also frequently malformed and don't work at all, for example, one of the reports we received pointed to this URL (with spaces added by us to prevent clicking on it):

ht tp://www.go TzA.Com/cgi -bin/p och/redir.cgi?s=<domain>

All e-mails always had recipients domain as the argument to the redir.cgi script. Also, most of the URLs are malformed and won't work (notice characters).

Some of the first e-mails that were submitted pointed to a different domain - This URL was accessible for couple of hours and it didn't seem to do anything - it was probably used to collect IP addresses, or the author is/was still setting things up.
The domain which is used now, is not resolvable, but is registered.

Thanks to Laurent D, Dan W, Guy R!


We received some very nice submissions about this.

First, in order to obfuscate their text, spammers use special Unicode formatting characters. The trick is to use "Right-To-Left Override" (RLO), so any text between two delimiters will be displayed backwards.

From the document at, and received phishing e-mails, we can see that those delimiters are &#8238 and &#8236. The reason for this is simple. Bayesian spam filters which don't render this properly will end up with weird tokens in their databases and the spammer can change tokens frequently (by grouping them).
The second trick (with tab characters in the URL) will work with Google redirectors.
Spammers also used various DNS tricks (round robin DNS entries, if one of their sites goes down they can redirect users to a different site).

The most interesting thing is why? It seems that spammers are trying to open new accounts on free webmail systems. Most of these systems today use CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart - to prevent bots from automatically opening accounts. Spammers use their spam targets to provide them with the data they need.

Thanks to Micha P, Danne, Andew H!

0 comment(s)
Diary Archives