Top Ten spammer tricks
- 13 October, 2003 10:26
Ten spammer tricks
Open relay
During the Internet's early days, open-relay e-mail servers were designed to allow a third party to pass messages through closed mail systems. Still used in some legitimate business operations today, an open-relay server can process a message between a sender and receiver who are not local users. The chance to use an e-mail server that may be distantly located from the sender and receiver offers spammers some address camouflage, although tracing them isn't impossible. Hijacking an open-relay server via the Internet is also attractive to spammers as they can use someone else's resources to send a mass of e-mail at a lower cost than using their own network.
Creative HTML
In blocking spam that is designed in HTML format, most spam filters recognise the special characters and formatting of HTML. However, some spammers have taken advantage of the flexibility of HTML to write commonly detected words in ways that filtering software fails to recognise as spam. An example might be typing the word 'mortgage' to appear vertically, with each letter underneath the other. The advantage for spammers is that the HTML e-mail can display words written like this in their normal horizontal form, thus presenting an easy-to-read message. Spam filters then need to understand how HTML is displayed to the user, not just scan the HTML code.
Image-based
Simple, yet difficult to detect. A spammer may send an HTML message that contains no words, only an image that carries the spammer's message.
MIME
A two-part Multipurpose Internet Mail Extensions (MIME) encoded message can also be an effective tool for spammers. The plain-text portion may look like legitimate mail, and be accepted by the filter. However, the HTML portion shown to the recipient contains the spammer's message. To combat this, spam filters must check whether text and HTML portions of two-part MIME messages are the same.
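One way a filter could implement the comparison described above, as an added example that is not from the original article: Python's standard `email` module extracts both parts, the HTML is reduced to the text a client would display, and the two are compared word by word. The function names, the tag list and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from difflib import SequenceMatcher
from html.parser import HTMLParser

BLOCK_TAGS = {"p", "br", "div", "td", "tr", "li"}  # tags that separate words

class VisibleText(HTMLParser):
    """Collect the text a mail client would display from an HTML part."""
    def __init__(self):
        super().__init__()
        self.chunks, self.hidden = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.hidden += 1          # script/style bodies are not shown as text
        elif tag in BLOCK_TAGS:
            self.chunks.append(" ")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.hidden:
            self.hidden -= 1
    def handle_data(self, data):
        if not self.hidden:
            self.chunks.append(data)

def part_similarity(raw_message):
    """Word-level similarity (0.0-1.0) of plain vs HTML part; None if either is missing."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    if plain is None or html is None:
        return None
    parser = VisibleText()
    parser.feed(html.get_content())
    parser.close()
    shown = "".join(parser.chunks).lower().split()
    declared = plain.get_content().lower().split()
    return SequenceMatcher(None, declared, shown).ratio()

def sample(plain, html):
    """Build a constructed two-part message for demonstration (not real mail)."""
    return ("From: a@example.com\nTo: b@example.com\nSubject: demo\n"
            "MIME-Version: 1.0\n"
            'Content-Type: multipart/alternative; boundary="XX"\n\n'
            f"--XX\nContent-Type: text/plain; charset=utf-8\n\n{plain}\n"
            f"--XX\nContent-Type: text/html; charset=utf-8\n\n{html}\n--XX--\n")

MATCHING = sample("Invoice for October attached. Regards, Accounts",
                  "<p>Invoice for October attached.</p><p>Regards, Accounts</p>")
MISMATCHED = sample("Meeting notes from Tuesday are below.",
                    "<p>Cheap mortgage rates, apply today</p>")
```

A filter would treat a low score as one signal among several, since legitimate senders sometimes ship a shortened plain-text part.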
JavaScript
Spammers can send HTML messages with the spam contained in JavaScript that displays it only once the e-mail is loaded. To prevent this, filtering software needs to decode or block JavaScript.
Different headers, same spam
In another simple yet prevalent technique, spammers send the same e-mail content with different headers to increase their chances of bypassing filtering software.
Confusing encryption
In the business world, encrypted e-mails are often scrambled as a string of meaningless symbols and characters. Spammers have tried to replicate this by including lines of random characters in their messages. Filters may read this as encryption and accept the e-mail as coming from a trusted source.
Alternative spelling
Perhaps the most common method for spammers to bypass filtering software is by spelling words incorrectly. Two common products sold by spammers could be spelt 'V1agra' and 'M0rtg4ge', and go unrecognised as the commonly blacklisted words, while remaining readable.
Acting as a trusted source
A recent virus distributed across the Internet purported to be from the @msn.com domain. While many filters should have detected the virus and quarantined it accordingly, the message could have been effective spam. By including domains, IP addresses or phrases from commonly trusted online sources such as vendors or Internet registries, spammers take advantage of filter or individual user settings that may accept mail containing the addresses of those trusted sources.
URL encoding
This HTML trick was used to target customers of Australian banks this year. A spammer can send e-mail that does not push its message and is rightly accepted by filters. Instead, the spammer's message, or Web site, is encoded in a link which displays in the e-mail as a commonly accepted wording or address; for example, 'click here' or 'ANZ Bank online'. The URL of the spammer's Web site will often determine the difficulty of filtering this sort of spam.