More spam for your inbox

It's nice to see that the spam countermeasures we deploy actually are effective. How do we know that? Spammers are constantly trying new tricks against the various spam detection methods, with more or (usually) less success.

One of the latest "tricks" in their bag consists of sending extremely short e-mails in order to starve the Bayesian classifier of the tokens its decision depends on.

The sample e-mail below looks like a desperate move by a spammer in order to evade spam detection.

We can see that the e-mail body contains only a couple of words, but a ZIP archive is attached. The archive contains an HTML web page, together with some disclaimers(!!). The HTML page is the actual spam content (in this case a porn advertisement with links to PayPal; they are obviously trying to make some money).

The disclaimer is even more interesting:

  XXX Content Warning

  Please read and comply with the following conditions
  before you continue:

  I am at least

And so on. This is probably meant as some kind of legal defense, since they are advertising porn web pages.

We've seen two variants of this spam. They are basically similar, but in the second case the ZIP archive is password protected, with the password listed in the message body. This can cause various e-mail gateways to alert, since a password-protected archive with its password in the body looks very much like a worm.
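Both variants described above can be caught with a little parsing instead of relying on the Bayesian score alone. The following Python is an added example written for this diary, not a tool from the ISC or from any gateway vendor; the sample messages, addresses, archive contents, word threshold and password pattern are all constructed for illustration. It measures the body length, looks inside any ZIP attachment (headers only, so no password is needed), flags HTML members and the encryption bit, and checks whether the body hands over the archive password. Because Python's zipfile module cannot write encrypted archives, the "password-protected" sample is produced by setting the encryption flag in the local and central headers; a genuinely encrypted archive is reported the same way.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Threshold and pattern are assumptions chosen for this example, not values
# taken from the diary or from any real filter.
MIN_BODY_WORDS = 12
PASSWORD_RE = re.compile(r"\bpass(?:word|code)?\s*(?:is|:)\s*(\S+)", re.I)
ZIP_ENCRYPTED = 0x1  # bit 0 of the general-purpose bit flag in the ZIP format


def zip_members(data: bytes):
    """List (name, encrypted) for every entry. Only the central directory is
    parsed, so a password-protected archive is inspected without its password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(zi.filename, bool(zi.flag_bits & ZIP_ENCRYPTED))
                for zi in zf.infolist()]


def analyze(raw: bytes) -> dict:
    """Score a raw RFC 5322 message for the 'tiny body + ZIP of HTML' pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    result = {"body_words": len(text.split()), "zip_members": [],
              "body_password": None, "reasons": []}

    pw = PASSWORD_RE.search(text)
    if pw:
        result["body_password"] = pw.group(1)

    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True) or b""
        if blob[:4] != b"PK\x03\x04":
            continue  # not a ZIP, whatever the filename or Content-Type claims
        try:
            result["zip_members"].extend(zip_members(blob))
        except zipfile.BadZipFile:
            result["reasons"].append("attachment looks like a ZIP but fails to parse")

    names = [n.lower() for n, _ in result["zip_members"]]
    if result["zip_members"] and result["body_words"] < MIN_BODY_WORDS:
        result["reasons"].append("short body with ZIP attachment")
    if any(n.endswith((".htm", ".html")) for n in names):
        result["reasons"].append("ZIP carries HTML content")
    if any(enc for _, enc in result["zip_members"]):
        result["reasons"].append("ZIP is password protected")
        if result["body_password"]:
            result["reasons"].append("password for the archive is in the body")
    result["suspicious"] = bool(result["reasons"])
    return result


def make_zip(encrypted: bool) -> bytes:
    """Constructed archive mimicking the diary: an HTML page plus a disclaimer.
    For the protected variant the encryption flag is set in every local
    (offset 6) and central-directory (offset 8) header, since zipfile cannot
    write encrypted entries itself."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("index.html", "<html><body><a href='http://example.invalid/'>XXX</a></body></html>")
        zf.writestr("disclaimer.txt", "XXX Content Warning\nI am at least ...")
    data = buf.getvalue()
    if not encrypted:
        return data
    out = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + off] |= ZIP_ENCRYPTED
            pos = out.find(sig, pos + 4)
    return bytes(out)


def make_message(body: str, attachment: bytes) -> bytes:
    """Constructed sample message; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "hi"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename="page.zip")
    return msg.as_bytes()


SAMPLE_PLAIN = make_message("see attached", make_zip(encrypted=False))
SAMPLE_PASSWORD = make_message("open the attachment, password: xxx123",
                               make_zip(encrypted=True))

if __name__ == "__main__":
    for raw in (SAMPLE_PLAIN, SAMPLE_PASSWORD):
        print(analyze(raw))
```

The check deliberately keys on the ZIP magic bytes rather than the declared filename or Content-Type, and reads only the archive headers, so it costs nothing to apply to every message and does not need to decrypt anything. Wire the returned reasons into whatever scoring your gateway uses; the word threshold is the knob to tune against legitimate short messages with attachments.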
