Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Interesting Home Depot Spam - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Interesting Home Depot Spam

We get a ridiculous amount of Spam at the Internet Storm Center.  Most of it is mundane and is promptly ignored, but every once in a while one comes in that gets your attention for being different.

Today we received the following Spam email:

At first glance it looks like yet another run of Home Depot Spam. It isn't very sophisticated and isn't likely to fool many.  The usual spelling mistakes and broken English. They didn't even bother to link in Home Depot's logo. By the time I received it both of the URLs in the message were dead, so I wasn't able to measure what its intent was.

What makes it interesting then? If you look very carefully in the orange bar there is text.  That text and the contents of the message contain what seems to be a rather good recipe for lettuce salad:

***************

* tablespoons olive oil
* 1 12tablespoons fresh lemon juice
* 1tablespoon red wine vinegar
* 2garlic cloves, minced
* 1teaspoon dried oregano(Mediterranean is best)
*
** Salad
------------------------------------------------------------
* 1head lettuce, torn into bite-size pieces ((I use Romaine)
* 3large plum tomatoes, seeded and coarsely chopped
* 1English cucumber, peeled and coarsely chopped (the long, thin, almost seedless ones)
* 1medium red onion, cut into thin rings and soaked for 10 minutes in a small bowl of ice water to make it less sharp
* 1small green pepper, cut into thin rings
* 34cup kalamata olive
* 34cup crumbled feta cheese

We think that you will enjoy this. 

1. Seed the bell peppers and cut them into 1-inch chunks. Stem the cherry tomatoes and halve one-half of them, leaving the others whole.
2. Peel and thickly slice the cucumbers, and thinly slice the red onions. Cut the feta cheese into 1-inch cubes. Crush and mince the garlic clove.
3. In a large bowl, combine the bell peppers, tomatoes, cucumbers, onions, feta cheese, olives, anchovies and capers and toss together.
4. In a small bowl, whisk together the vinegar, garlic, dill, oregano, salt and pepper. While whisking, slowly drizzle in the olive oil to make a thick dressing.
5. Pour the dressing over the salad, toss and serve now.
This is the most delicious salad - fresh and wonderful-tasting. FYI, lettuce can very much be a part of any greek salad - if you want it to. We like lettuce in my family and I often add it. It would not be 'authentic' in a Horiatiki (village) salad, but who cares?

*****************

Why?

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick

284 Posts
ISC Handler
Any time you have a lot of white space check the View Source. It's usually white text on white background so the anti-spam computers will read it but people won't see it. It's a pretty old trick to bias the filters into thinking it's legit. Usually current news stories are used. I've never seen a recipe before either.
Anonymous
We just got this one but they screwed up and it came through as text instead of HTML. "After working one day" is probably what was supposed to be white-on-white at the bottom of the message as well as the "Rep." text scattered within:

Hello Kohl's Shopper
We'd like to reward you for your patronage.
It only takes a minute to begin shopping with OUR money Visit Us Now
Kohl's Bonus Number #
REP. TREY GOWDY the chairman of the congressional committee probing the Benghazi terror attacks formally asks that Hillary Clinton turn over her personal server for review, warning that if Clinton won't comply, he will tell House Speaker John Boehner so he can use the 'full powers' of the House to take the 'necessary steps.'

To cease all future communications from JTC , please goto ---> Leave Us At Once
Eighteen Brige St. Apt:One-F
Naugatuck, CT Zero Six Seven Seven Zero

After working one day as a substitute teacher in Illinois, David Piccioli could be entitled to an annual pension of more than $30,000.

And he's suing the state to make sure he gets paid.
Piccioli is a retired union political activist who's already pulling down a pair of state pensions from Illinois' beleaguered public retirement system. But he's taking the Teachers Retirement System to court to squeeze more money out of the state.
The Chicago Tribune reported Thursday that Piccioli is already collecting $31,000 annually from the Teacher Retirement System, but he could get an additional $36,000 annually if he wins his case. He's also collecting a $30,000-pension from a different state retirement system for his time as a legislative aide in Springfield, according to the Tribune.
Piccioli is a retired lobbyist for the Illinois Federation of Teachers and never worked in a classroom, but he took advantage of a loophole in Illinois pension law to score his teaching pension.

In 2007, he worked one day as a substitute teacher at a Springfield school. Under Illinois pension law, that one day in the classroom allowed him to qualify for a pension that would pay him for all of his years of work as a member of the union.
Anonymous
You are absolutely correct that the trick of adding text into Spam is relatively common to attempt to bypass Spam filters. I have seen random text, ipsum lorem, current news (almost always U.S. based), but never a salad recipe. (-8

I also agree that this was most likely a screw up on the part of the Spammers. They never intended that text to be visible.

I received that exact Kohl's run today as well on my personal email.
Rick

284 Posts
ISC Handler
Overload the bayesian filters with tasty vegetable words to make the message seem legit!

It's fun to see all the old tricks are new again, I hadn't seen this approach for several years.
Paul

44 Posts

Sign Up for Free or Log In to start participating in the conversation!