August 30, 2003

  • A little extra bored this morning, so I decided to dissect a junk email that had escaped my filter.

    It's from that most reputable of companies, teenyfuk.com. It's composed of poorly-formed HTML, and it has img URLs that look like this:

    <img src="http://railnetline.com/teenyf-graphic/
    images/tf.jpg?ba=teenyf-graphic&bb=MYEMAILNAME&bc=
    MYEMAILDOMAIN.com" border="0">

    The 'MYEMAILNAME' and 'MYEMAILDOMAIN' were filled in with the two halves of my email address. So when my email client loads the images, the request it sends to the server carries my email address, confirming to the sender that the address is live and that the message was opened. This is why I have 'auto-load images' turned off in my email client.

    Also, there's the question: How did it evade my junk mail filter? The answer is this line:

    <font size="1" color="#000099">portable titter alertedly cautions marketable RzneXhfrargRzneXzvyr23.pbzRzneX slingshot install lot purging verbose dimensionally olympian random brackish filters abstains malden blameworthy choreograph quakes </font>

    It's a string of random dictionary words, there to poison the mail client's Bayesian filter by diluting the spammy tokens with innocent-looking ones.

    But not only that, it's my email address encoded again, in the RzneX... part. I can tell by the '23.' If you're the spammer, and you're reading this, you can decode the above and know my email address right now. It's also possible that the 'random' words aren't random at all, and are keys to whatever encryption method is being used to turn my email address into the RzneX... part.
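    As an added example (not code from the original post), here is a small Python dissector for the two tricks above: it pulls the query parameters out of the beacon image URL, and it ROT13-decodes every word of the filler text looking for the bracketed address. The encoding in the font line is plain ROT13, a fixed 13-place letter shift that needs no key, so the surrounding 'random' words are only filter poison; the marker 'RzneX' decodes to 'EmarK' and brackets the local part and the domain. The sample message below is constructed, with the address replaced by the same MYEMAILNAME / MYEMAILDOMAIN.com placeholders the post uses; the hostname and parameter names are the ones shown above.

```python
import codecs
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample message body, modelled on the spam described above,
# with the address redacted to the same MYEMAILNAME / MYEMAILDOMAIN.com
# placeholders the post uses. This is not the original message.
SAMPLE_HTML = """
<img src="http://railnetline.com/teenyf-graphic/images/tf.jpg?ba=teenyf-graphic&bb=MYEMAILNAME&bc=MYEMAILDOMAIN.com" border="0">
<font size="1" color="#000099">portable titter alertedly cautions marketable RzneXZLRZNVYANZRRzneXZLRZNVYQBZNVA.pbzRzneX slingshot install lot purging</font>
"""

# "RzneX" is ROT13 for "EmarK"; it brackets the local part and the domain.
DELIM = "EmarK"


def rot13(text):
    """Undo the ROT13 letter shift (it is its own inverse)."""
    return codecs.decode(text, "rot_13")


def beacon_params(html):
    """Return the query parameters of every <img src=...> URL, keyed by URL.

    Any parameter echoing the recipient's address makes the image a web
    beacon: the request fires only if the address is live and the client
    auto-loads images.
    """
    found = {}
    for url in re.findall(r'<img[^>]+src="([^"]+)"', html, flags=re.I):
        qs = parse_qs(urlsplit(url).query)
        found[url] = {k: v[0] for k, v in qs.items()}
    return found


def hidden_addresses(html):
    """Find ROT13-wrapped addresses hidden inside hash-buster word salad.

    Every whitespace-separated token is ROT13-decoded; tokens of the form
    EmarK<name>EmarK<domain>EmarK yield a name@domain string.
    """
    hits = []
    for token in re.split(r"\s+", html):
        plain = rot13(token)
        if plain.count(DELIM) != 3 or not plain.startswith(DELIM):
            continue
        parts = plain.split(DELIM)  # ['', name, domain, '']
        hits.append(f"{parts[1]}@{parts[2]}")
    return hits


def recipient_in_beacon(html, address):
    """True when some beacon's query string carries both halves of address."""
    name, domain = address.split("@", 1)
    for params in beacon_params(html).values():
        if name in params.values() and domain in params.values():
            return True
    return False


if __name__ == "__main__":
    for url, params in beacon_params(SAMPLE_HTML).items():
        print(url, "->", params)
    for addr in hidden_addresses(SAMPLE_HTML):
        print("ROT13-hidden address:", addr,
              "| also in beacon:", recipient_in_beacon(SAMPLE_HTML, addr))
```

    Feeding the script a real message is a quick way to tell which of the two the spammer is relying on: a beacon needs the client to fetch images, while the ROT13 token survives any amount of copy-and-paste, quoting, or forwarding, which is probably why it is there.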

    So I have to say: As UCE goes, this is pretty sophisticated. Hats off to the evildoers. Now, however, I get to click on my 'This Is Junk Email' button, and add it to the Bayesian filter. Buh-bye.

    Also: Why doesn't Xanga preserve the encoded greater-than and less-than that allows me to post HTML to my 'blog? If I try to edit the 'blog after it's posted, I end up looking at < and >, rather than ampersand-lt-semicolon and its pal...