SANS ISC: More spam for your inbox - SANS Internet Storm Center
More spam for your inbox

It's nice to see that all the spam countermeasures that we deploy actually are effective. How do we know that? Well, spammers are constantly trying to exploit new tricks against various spam detection methods, with more or (usually) less success.

One of the latest "tricks" from their bag consists of sending extremely short e-mails in order to starve the Bayesian classifier's decision matrix of tokens to score.

The sample e-mail below looks like a desperate move by a spammer in order to evade spam detection.



We can see that the e-mail body contains only a couple of words, but there is a ZIP archive attached as well. In the archive there is an HTML web page, together with some disclaimers (!!). The HTML web page is the actual spam content (this time being some porn spam advertisement with links to PayPal; they're obviously trying to make some money).

The disclaimer is even more interesting:

  XXX Content Warning
  .............................................

  Please read and comply with the following conditions
  before you continue:
  .............................................

  I am at least
  21 YEARS OF AGE.

And so on. This is probably some kind of legal defense as they are advertising porn web pages.

We've seen two variants of this spam. They are basically similar, but in the other case the ZIP archive is password protected and the password is listed in the message body. This can cause various e-mail gateways to raise alerts (as this looks pretty much like a worm).
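The pattern described in this diary (a near-empty body that gives a word-based classifier little to work with, plus a ZIP attachment holding the real content, optionally flagged as encrypted with the password in the body) can be caught by a structural check that does not depend on the body text at all. The following is an added example, not code from the ISC diary or from any gateway product: it builds the two variants and a benign control message in memory, reads each ZIP's directory without extracting anything, and returns reason codes a gateway could act on. The word threshold, reason names and sample messages are this example's own assumptions.

```python
"""Added example (not from the ISC diary): heuristic detection of the
"tiny body + ZIP attachment" spam pattern. All samples are constructed
inline; thresholds and reason codes are this example's own choices."""
import io
import zipfile
from email.message import EmailMessage

SHORT_BODY_WORDS = 5   # assumption: five words or fewer gives a token classifier almost nothing


def zip_findings(data: bytes) -> dict:
    """Read the archive directory only (no extraction): collect HTML member
    names and note whether any entry carries the 'encrypted' flag (bit 0 of
    the general-purpose flag field, which is what gateways look at)."""
    found = {"html_members": [], "encrypted": False, "bad_zip": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    found["encrypted"] = True
                if info.filename.lower().endswith((".htm", ".html")):
                    found["html_members"].append(info.filename)
    except zipfile.BadZipFile:
        found["bad_zip"] = True
    return found


def score_message(msg: EmailMessage) -> list:
    """Return the reason codes that fired for this message, in order."""
    reasons = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if len(text.split()) <= SHORT_BODY_WORDS:
        reasons.append("short_body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not (name.endswith(".zip") or part.get_content_type() == "application/zip"):
            continue
        reasons.append("zip_attachment")
        found = zip_findings(part.get_content())
        if found["bad_zip"]:
            reasons.append("zip_unparseable")
        if found["html_members"]:
            reasons.append("zip_contains_html")
        if found["encrypted"]:
            reasons.append("zip_encrypted")
            if "password" in text.lower():   # the diary's second variant
                reasons.append("password_in_body")
    return reasons


def is_suspicious(reasons: list) -> bool:
    """Policy: a near-empty body carrying a ZIP that holds HTML or is encrypted."""
    return "short_body" in reasons and "zip_attachment" in reasons and (
        "zip_contains_html" in reasons or "zip_encrypted" in reasons)


# --- constructed samples -------------------------------------------------

def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_entries_encrypted(zip_bytes: bytes) -> bytes:
    """Test helper only: set the 'encrypted' flag bit in every local file
    header (offset 6 after PK\\x03\\x04) and central directory record
    (offset 8 after PK\\x01\\x02). The member data is not really encrypted;
    only the flag that a gateway inspects is set."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            flag = int.from_bytes(buf[pos + off:pos + off + 2], "little") | 0x1
            buf[pos + off:pos + off + 2] = flag.to_bytes(2, "little")
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


def build_message(body_text: str, attachment: bytes = None, filename: str = "page.zip") -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"     # constructed addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "hello"
    msg.set_content(body_text)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="zip", filename=filename)
    return msg


SPAM_MEMBERS = {"index.html": "<html><body>advert</body></html>",
                "disclaimer.txt": "XXX Content Warning ..."}


def sample_variant_one() -> EmailMessage:
    """Variant 1 from the diary: two-word body, plain ZIP with HTML and a disclaimer."""
    return build_message("see attached", make_zip(SPAM_MEMBERS))


def sample_variant_two() -> EmailMessage:
    """Variant 2: same archive flagged as encrypted, password given in the body."""
    return build_message("archive password: 1234", mark_entries_encrypted(make_zip(SPAM_MEMBERS)))


def sample_benign() -> EmailMessage:
    """Legitimate mail: a real sentence and a ZIP of CSV reports."""
    return build_message("Hi all, attached are this week's export reports for review before the Friday meeting.",
                         make_zip({"report.csv": "a,b\n1,2\n"}), "reports.zip")


if __name__ == "__main__":
    for sample in (sample_variant_one, sample_variant_two, sample_benign):
        r = score_message(sample())
        print(f"{sample.__name__:20} suspicious={is_suspicious(r)} {r}")
```

The benign control still gets a `zip_attachment` code, which is deliberate: a ZIP on its own is common in legitimate mail, and it is the combination with an almost empty body and HTML or encrypted members that separates this campaign from ordinary traffic.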


Bojan

ISC Handler