Ten spammer tricks
During the Internet's early days, open-relay e-mail servers were designed to allow a third party to pass messages through closed mail systems. Still used in some legitimate business operations today, an open-relay server can process a message between a sender and receiver who are not local users. The chance to use an e-mail server that may be distantly located from the sender and receiver offers spammers some address camouflage, although tracing them isn't impossible. Hijacking an open-relay server via the Internet is also attractive to spammers as they can use someone else's resources to send a mass of e-mail at a lower cost than using their own network.
In blocking spam that is designed in HTML format, most spam filters recognise the special characters and formatting of HTML. However, some spammers have taken advantage of the flexibility of HTML to write commonly detected words in ways that filtering software fails to recognise as spam. An example might be typing the word 'mortgage' to appear vertically, with each letter underneath the other. The advantage for spammers is that the HTML e-mail can display words written like this in their normal horizontal form, thus presenting an easy-to-read message. Spam filters then need to understand how HTML is displayed to the user, not just scan the HTML code.
Simple, yet difficult to detect. A spammer may send an HTML message that contains no words, only an image that carries the spammer's message.
A two-part Multipurpose Internet Mail Extensions (MIME) encoded message can also be an effective tool for spammers. The plain-text portion may look like legitimate mail, and be accepted by the filter. However, the HTML portion shown to the recipient contains the spammer's message. To combat this, spam filters must check whether text and HTML portions of two-part MIME messages are the same.
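One way a filter could make the comparison described above, as an added example that is not from the original article: it extracts the text an HTML part would display and scores its word-level similarity to the plain-text part. The function names and the two sample messages are constructed for illustration, and the score at which a message is flagged is left to the operator.

```python
import difflib
import re
from email import message_from_string
from html.parser import HTMLParser

class _Rendered(HTMLParser):
    """Collect the text a mail client would display, skipping script/style."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def _words(text):
    return re.findall(r"[a-z0-9']+", text.lower())

def part_similarity(raw_message):
    """Similarity (0..1) of the first text/plain and text/html parts, else None."""
    bodies = {}
    for part in message_from_string(raw_message).walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html") and ctype not in bodies:
            charset = part.get_content_charset() or "utf-8"
            bodies[ctype] = part.get_payload(decode=True).decode(charset, "replace")
    if len(bodies) < 2:
        return None  # not a two-part message; nothing to compare
    parser = _Rendered()
    parser.feed(bodies["text/html"])
    parser.close()
    shown = _words(" ".join(parser.chunks))
    return difflib.SequenceMatcher(None, _words(bodies["text/plain"]), shown).ratio()

def _sample(plain, html):
    """Constructed two-part message for the demo, not real mail."""
    return ('MIME-Version: 1.0\nContent-Type: multipart/alternative; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain; charset=utf-8\n\n" + plain + "\n"
            "--b1\nContent-Type: text/html; charset=utf-8\n\n" + html + "\n--b1--\n")

CONSISTENT = _sample("Minutes from the team meeting are attached.",
                     "<p>Minutes from the <b>team meeting</b> are attached.</p>")
MISMATCHED = _sample("Minutes from the team meeting are attached.",
                     "<p>Lowest <i>mortgage</i> rates, apply today</p>")
```

A score near 1 means both parts say the same thing; a low score on a message whose plain-text part looks clean is the mismatch the paragraph describes.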
Different headers, same spam
In another simple yet prevalent technique, spammers send the same e-mail content with different headers to increase their chances of bypassing filtering software.
In the business world, encrypted e-mails are often scrambled as a string of meaningless symbols and characters. Spammers have tried to replicate this by including lines of random characters in their messages. Filters may read this as encryption and accept the e-mail as coming from a trusted source.
Perhaps the most common method for spammers to bypass filtering software is by spelling words incorrectly. Two common products sold by spammers could be spelt 'V1agra' and 'M0rtg4ge', and go unrecognised as the commonly blacklisted words, while remaining readable.
Acting as a trusted source
A recent virus distributed across the Internet purported to be from the @msn.com domain. While many filters should have detected the virus and quarantined it accordingly, the message could have been effective spam. By including domains, IP addresses or phrases from commonly trusted online sources such as vendors or Internet registries, spammers take advantage of filter or individual user settings that may accept mail containing the addresses of those trusted sources.
This HTML trick was used to target customers of Australian banks this year. A spammer can send e-mail that does not push its message and is rightly accepted by filters. Instead, the spammer's message, or Web site, is encoded in a link which displays in the e-mail as a commonly accepted wording or address; for example, 'click here' or 'ANZ Bank online'. The URL of the spammer's Web site will often determine the difficulty of filtering this sort of spam.