May 11, 2003
Snooping and loansharking for a living
loansharks have been around for a long time. But in the electronic era and
with the repeal of the usury laws by a congress which knows who they
really serve, they have been given vastly increased scope for their
The following spam message was received by me on May 10, 2003. Besides
the visible content of the ad and its obvious intent to prey on
financially desperate individuals, the spammer has buried three invisible
messages in the email that he sends out. These hidden messages have been
removed so there is no danger that this email will do anything but
display on your screen information I hope you find interesting. To
forestall getting my name on any more spam lists I've replaced my email
address with a fictitious one.
First, here's the (sanitized) ad that the spammer sent to me:
|You are receiving this email because you opted-in to receive
special offers from Exclusive-Deals through one of our online
you would like to be removed from this list, please click
Here's what's going on in this not-so-innocent email:
There's a lot more
going on here, e.g., that the spammer and his customer, their servers, and
their domain name registrars stretch from Encino and San Diego in
California, to Kailua, HI, to Melbourne, Australia. Is this an attempt to
make it harder to unearth the entire shady process? It looks that way to
- As soon as I open the email to read it, my email program (Microsoft
Outlook Express 6.00) interprets the html of the message as it prepares
to display it. It reaches a line in the email that looks like a request
to download an image but isn't. Because of a loophole in html, the
interpreter does not check that a valid image is being requested.
comparison here is an example of a valid image request (a .gif extension
on the apicture file is also valid):
But this is what is actually in the message:
Outlook sends the pseudo image request to the spammer's
server at the IP (Internet Protocol) address 126.96.36.199. The
spammer's server decodes the address string in the double quotes and
immediately runs the program 'view' in its cgi-bin directory, supplying
it with the three parameters v, m, and e. The last one tells the spammer
that I have actually opened his message even if I take no other action.
This is the electronic equivalent of a registered letter with a return
reply requested where the mailman verifies that I actually opened the
To complete the spoof someone has to send back a "picture"
to satisfy the gullible email software. This is done by the spammer's
server. Here is what comes back:
tracking10.gif file is a 1 pixel square black dot, which is normally
invisible on a monitor.
What's going on here? Without even being
asked, it looks like I gave up valuable information about myself in
exchange for a worthless black dot I can't even see! Now that's a rate
of profit any capitalist will kill for!
- There is a character group '(bggb5^vk(argpbz(pbz).' just above the
graphic. In the original message the composer made it invisible by
making the font color white. I've turned the color to red. I don't know
the purpose of this code.
- The spam's payload: In the original message, if the recipient clicks
on the ad two things happen, one visible and the other invisible.
mouse click initiates the sending of a message string to the spammer's
server. This string contains the name of a program called 'clickthru'
resident in the cgi-bin directory there, along with three parameters c,
m, and e. In this instance of spam the parameters are, respectively,
887, 2503, and firstname.lastname@example.org.
At any one time the spammer is
spamming many ads and the first number tells him which ad I responded
to. The number 2503 may be my sequence number on the spammer's mailing
list. From this part of the sequence the spammer knows who is responding
to his mailings.
It's important to realize that clicking on the ad
sends this information to the spammer automatically, whether or not you
actually enter any information later. That's the hidden part. This is
valuable information to the spammer. He knows who on his mailing list
responds to email ads and what kind of ads they have responded
The visible part is that the spammer's server forwards my
request, via the 'c' parameter, to the ad sponsor's server to download
the loan application form to my computer.
At the risk of crossing the threshhold of information overload, here
are the particulars on the spammer and his customer for the message I've
dissected above. They are:
6885 Flanders Drive, Ste.
San Diego, CA 92121
|Synergy Ventures, Inc.|
16161 Ventura Blvd
Encino, CA 91436