The Ironical Chronicle

May 11, 2003

Otto Hinckelmann

Spam Dissected

Snooping and loansharking for a living

Snoops and loansharks have been around for a long time. But in the electronic era and with the repeal of the usury laws by a congress which knows who they really serve, they have been given vastly increased scope for their particular evils.

The following spam message was received by me on May 10, 2003. Besides the visible content of the ad and its obvious intent to prey on financially desperate individuals, the spammer has buried three invisible messages in the email that he sends out. These hidden messages have been removed so there is no danger that this email will do anything but display on your screen information I hope you find interesting. To forestall getting my name on any more spam lists I've replaced my email address with a fictitious one.

First, here's the (sanitized) ad that the spammer sent to me:


You are receiving this email because you opted-in to receive special offers from Exclusive-Deals through one of our online affiliates.
(bggb5^vk(argpbz(pbz).
If you would like to be removed from this list, please click here.

Here's what's going on in this not-so-innocent email:

  • As soon as I open the email to read it, my email program (Microsoft Outlook Express 6.00) interprets the HTML of the message as it prepares to display it. It reaches an img tag whose src looks like a request to download an image file but isn't. This is not something the mail program can check for: an img src is just a URL, and nothing in HTML distinguishes a URL that names a picture from one that names a program, so the client fetches whatever is there and displays whatever the server chooses to send back.
    For comparison, here is what a valid image request looks like (a .gif extension on the apicture file is equally valid):
    <img src="http://64.119.203.69/apicture.jpg">
    But this is what is actually in the message:
    <img src="http://64.119.203.69/cgi-bin/view?v=5&m=2531&e=marcus@aurelius.com">
    Outlook Express sends this pseudo image request to the spammer's server at the IP (Internet Protocol) address 64.119.203.69. The web server there splits the URL in two: the path /cgi-bin/view names a program, 'view', which it runs at once, and the string after the question mark supplies that program with three parameters, v, m, and e. The last one is my email address, and its arrival in the server's log tells the spammer that I have actually opened his message even if I take no other action. This is the electronic equivalent of a registered letter with a return reply requested, where the mailman verifies that I actually opened the envelope.
    To complete the spoof someone has to send back a "picture" to satisfy the waiting email software. The spammer's server does this by answering with a redirect to a real image on a second machine:
    http://64.119.221.137/ads/rdrct/tracking10.gif
    The tracking10.gif file is a 1 pixel square black dot, which is effectively invisible on a monitor.
    What's going on here? Without even being asked, I gave up valuable information about myself in exchange for a worthless black dot I can't even see! Now that's a rate of profit any capitalist would kill for!
  • There is a character group '(bggb5^vk(argpbz(pbz).' just above the graphic. In the original message the composer made it invisible by setting the font color to white; I've turned it red. It is not random. Shift every letter thirteen places (the ROT13 substitution), read ^ as @ and ( as ., and it becomes the address otto5@ix.netcom.com, a second, disguised copy of the recipient's address that survives even when the visible one is stripped or replaced, as it was when I sanitized this message for display. Most likely it is there so that a forwarded or quoted copy of the mailing still identifies the original recipient.
  • The spam's payload: In the original message, if the recipient clicks on the ad two things happen, one visible and the other invisible.
    The click sends a request to the spammer's server naming a program called 'clickthru' in the cgi-bin directory there, along with three parameters c, m, and e. In this instance of spam the parameters are, respectively, 887, 2503, and marcus@aurelius.com.
    At any one time the spammer is running many ads, and the first number tells him which ad I responded to. The number 2503 may be my sequence number on the spammer's mailing list. From this part of the exchange the spammer knows who is responding to his mailings.
    It's important to realize that clicking on the ad sends this information to the spammer automatically, whether or not you actually enter any information later. That's the hidden part. This is valuable information to the spammer: he knows who on his mailing list responds to email ads and what kind of ads they have responded to.
    The visible part is that the spammer's server then redirects my browser, using the 'c' parameter to choose the destination, to the ad sponsor's server, which sends the loan application form to my computer.
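To make the three tricks above concrete, here is an added example, my own code and not anything from the article or from the spammer's server: a small Python analyser that takes the HTML of a message and reports (1) img tags whose src is a script taking per-recipient parameters, the web beacon of the first bullet, (2) links whose href carries click-tracking parameters, as in the 'clickthru' request, and (3) text hidden with a white font colour, which it decodes with ROT13 (the scheme the hidden string in this message turns out to use, with ^ standing for @ and ( for .). The sample message is constructed from the URLs and the hidden string quoted above; the markup around them, the banner file name ad_banner.gif, and the list of parameter names treated as tracking keys are assumptions.

```python
"""Scan the HTML of a mail message for web beacons, tracked links and
white-on-white text.  Added example; the sample message is constructed
from the URLs quoted in the article, the markup around them is assumed."""
import codecs
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query parameters that identify a recipient or campaign (assumed list).
TRACKING_KEYS = {"e", "email", "m", "c", "id", "uid"}
EMAIL_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
WHITE = {"white", "#fff", "#ffffff"}


def classify_url(url: str) -> dict:
    """Describe what fetching this URL automatically would give away."""
    parts = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # A bare image file with no query string is the harmless case.
    static_image = parts.path.lower().endswith((".gif", ".jpg", ".jpeg", ".png")) and not params
    leaks_email = any(EMAIL_RE.search(v) for v in params.values())
    return {
        "host": parts.hostname,
        "path": parts.path,
        "params": params,
        "dynamic": not static_image,  # answered by a program, not a file
        "leaks_email": leaks_email,
        "tracking": bool(set(params) & TRACKING_KEYS) or leaks_email,
    }


def decode_hidden(text: str) -> str:
    """Undo the obfuscation of this message's hidden string: ROT13 on the
    letters, '^' for '@' and '(' for '.'.  Other mailings may differ."""
    return codecs.decode(text, "rot13").replace("^", "@").replace("(", ".")


def _is_white(attrs: dict) -> bool:
    colour = (attrs.get("color") or "").strip().lower()
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return colour in WHITE or any(f"color:{w}" in style for w in WHITE)


class BeaconFinder(HTMLParser):
    """Collect images, links and white-on-white text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.images, self.links, self.hidden = [], [], []
        self._white = []  # one flag per open <font>/<span>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(classify_url(a["src"]))
        elif tag == "a" and a.get("href"):
            self.links.append(classify_url(a["href"]))
        elif tag in ("font", "span"):
            self._white.append(_is_white(a))

    def handle_endtag(self, tag):
        if tag in ("font", "span") and self._white:
            self._white.pop()

    def handle_data(self, data):
        if any(self._white) and data.strip():
            self.hidden.append(data.strip())


def analyse(html: str) -> dict:
    """Return the beacons, links and decoded hidden text found in a message."""
    finder = BeaconFinder()
    finder.feed(html)
    finder.close()
    hidden = []
    for raw in finder.hidden:
        decoded = decode_hidden(raw)
        found = EMAIL_RE.search(decoded)
        hidden.append({"raw": raw, "decoded": decoded,
                       "address": found.group(0) if found else None})
    return {
        "beacons": [i for i in finder.images if i["dynamic"] and i["tracking"]],
        "images": finder.images,
        "links": finder.links,
        "hidden": hidden,
    }


# Constructed sample: the URLs and the hidden string are from the article,
# the surrounding markup and ad_banner.gif are assumptions.
SAMPLE = """<html><body>
<p>You are receiving this email because you opted-in to receive special
offers from Exclusive-Deals through one of our online affiliates.</p>
<font color="#FFFFFF">(bggb5^vk(argpbz(pbz).</font>
<a href="http://64.119.203.69/cgi-bin/clickthru?c=887&amp;m=2503&amp;e=marcus@aurelius.com">
<img src="http://64.119.203.69/ad_banner.gif"></a>
<img src="http://64.119.203.69/cgi-bin/view?v=5&amp;m=2531&amp;e=marcus@aurelius.com"
     width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    report = analyse(SAMPLE)
    for beacon in report["beacons"]:
        print("beacon:", beacon["host"], beacon["path"], beacon["params"])
    for link in report["links"]:
        if link["tracking"]:
            print("tracked link:", link["path"], link["params"])
    for item in report["hidden"]:
        print("hidden text:", item["raw"], "->", item["address"])
```

Run analyse on a saved message body instead of SAMPLE to get the same report for real mail. Note that the test for a beacon is not the file extension, which the server can fake, but whether the request carries parameters that single out the recipient; a mail client that does not fetch remote images at all, an option most mail clients now offer, defeats the first trick entirely.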
There's a lot more going on here. For example, the spammer and his customer, their servers, and their domain name registrars stretch from Encino and San Diego in California to Kailua, HI, and Melbourne, Australia. Is this an attempt to make it harder to unearth the entire shady process? It looks that way to me.

At the risk of crossing the threshold of information overload, here are the particulars on the spammer and his customer for the message I've dissected above. They are:

The Spammer

iWay Corporation
6885 Flanders Drive, Ste. G
San Diego, CA 92121
Tel.: 1-858-638-4550

His Customer

Synergy Ventures, Inc.
dba LenderGateway.com
P.O. Box 334
16161 Ventura Blvd
Encino, CA 91436
Tel.: 1-818-728-4869