3

I have been getting a lot of spam lately that has some type of encoded block added to the end. I am wondering if anyone here would know how to decode it. Here is an example:

<467>3zunORiRd$ss0,szI3s8[dznAsSsiRd$ss0,szI3$F$dn83F9,$dzOFAiRd$ss0,szI3s8RmHvHmm%iRd$ss0,szI3$Fs9sAF?$[3FiRd$ss0,szI3AdN[=0SF?[=m2iRd$ss0,szI3$AFFmQQz|$iRd$ss0,szI3sAF83miRd$ss0,szI3[zs3$R][8 vfqfiRd$ss0,szI3sR?FOOiRd$ss0,szI3sAAF=zdA3[8Q%iRd$ss0,szI3]u9umWiRd$ss0,szI3S3zd86QQQiRd$ss0,szI3$FAF=dz,,diRd$ss0,szI3[__d8R][SSzFRFAiRd$ss0,szI3sOF=%iRd$ss0,szI3[8]FAPOFSSP%viRd$ss0,sz<764>

Adi
  • Not really a duplicate but very similar, I suggest you read this question: http://security.stackexchange.com/questions/12589/what-is-the-point-of-spam-like-this/12592#12592 – Lucas Kauffman Apr 20 '13 at 18:10

2 Answers

3

There is probably nothing to decode there. Spammers are engaged in a continuous war with antispam filters, so they try to include in their spam some "text" which will make some antispam filters think that it is not really spam after all. It is probable that there is, out there, at least one antispam product which currently gets fooled by such extra characters (that is, until it is updated, probably some time next week).

That's the reason many spams include large excerpts of random news or Wikipedia articles. Here, you observed yet another variant.

Tom Leek
0

I'll add to @Tom Leek's answer with a bit more specifics on how one of the most common open-source spam filters on the market (SpamAssassin) checks whether something is spam. At its core, it is a simple set of rules (the default ones for the latest spamd version can be found at http://spamassassin.apache.org/tests_3_3_x.html), some with very simplistic checks. Take, for example, the rule that your specific spam message might be trying to get past if there is an image in the email (spammers tend to know how to use beacons):

HTML_IMAGE_ONLY_32: HTML: images with 2800-3200 bytes of words

(I have seen very similar emails to the one you mentioned with a beacon - a 1x1 invisible PNG hosted on a remote server, used to know if you've opened the email.)

This specific one is not necessarily a case of Bayesian poisoning, as only terrible spam filters register a five-line-long word as a word. It is simply attempting to buffer content, as some spam filter rules work on the "very short (unsolicited) email = bad" rule.

In addition, certain spam filters are also configured to dilute the penalty scores (spam points). This is not the case for most servers, as it is typically a very bad idea, for the very reason highlighted above: by padding with enough "good" words, you can turn a +10 spam score into a +0.5 spam score. This is trivial: copy-paste from Wikipedia.

  • Very interesting information on how spam filters work. Thanks. I am always thinking of more nefarious and advanced ways the spammers might be trying to operate. Like embedding within the email itself an encrypted block of information that identifies the recipient in the cases where the recipient forwards the spam to a spam reporting organization, like SpamCop. While SpamCop will redact the recipient's email address, they will not remove the encrypted information. Or am I just overthinking this whole process? – happycamper Apr 20 '13 at 23:44
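To make the rule-scoring model in the second answer concrete, here is a toy scorer added as an illustration. It is not SpamAssassin's code and not the answer author's code. The rule name HTML_IMAGE_ONLY_32 and its "2800-3200 bytes of words" description come from the answer; the point values, the SHORT_BODY and TRACKING_PIXEL rules, the 40-character word limit, the good-word list and the sample messages are assumptions constructed for this example. It demonstrates three things the answer states: a single over-long gibberish token never counts as a word, padding with real words moves a message across the byte bands that the image rules key on, and a per-good-word credit (the "dilution" configuration the answer calls a bad idea) lets padding drive the total below zero.

```python
import re

# Assumed limits for this toy model; not SpamAssassin's real configuration.
MAX_WORD_LEN = 40                     # longer whitespace-separated blobs are not "words"
GOOD_WORDS = {"the", "of", "and", "in", "to", "a", "is", "was", "for", "on"}
TAG_RE = re.compile(r"<[^>]+>")
IMG_RE = re.compile(r"<img\b[^>]*>", re.I)


def words(html):
    """Whitespace-split the visible text, dropping over-long tokens so a
    multi-line gibberish blob (like the one in the question) is never a word."""
    text = TAG_RE.sub(" ", html)
    kept = [w.strip(".,;:!?()\"'") for w in text.split() if len(w) <= MAX_WORD_LEN]
    return [w for w in kept if w]


def word_bytes(html):
    """Bytes of real words in the body: the quantity the HTML_IMAGE_ONLY_* bands use."""
    return sum(len(w) for w in words(html))


def has_tracking_pixel(html):
    """A 1x1 image fetched from a remote host: the beacon the answer mentions."""
    for tag in IMG_RE.findall(html):
        if (re.search(r'width=["\']?1\b', tag) and re.search(r'height=["\']?1\b', tag)
                and re.search(r'src=["\']?https?://', tag)):
            return True
    return False


RULES = [
    # Real rule name and byte band from the answer; the 2.0 points are assumed.
    ("HTML_IMAGE_ONLY_32", 2.0,
     lambda m: bool(IMG_RE.search(m)) and 2800 <= word_bytes(m) < 3200),
    # Hypothetical "very short unsolicited email = bad" rule the answer alludes to.
    ("SHORT_BODY", 1.5, lambda m: word_bytes(m) < 200),
    # Hypothetical beacon rule.
    ("TRACKING_PIXEL", 1.0, has_tracking_pixel),
]


def score(html):
    """Sum the points of every rule that fires; return (total, rule names)."""
    hits = [(name, pts) for name, pts, test in RULES if test(html)]
    return round(sum(p for _, p in hits), 2), [n for n, _ in hits]


def diluted_score(html, credit_per_good_word=0.01):
    """The weak configuration the answer warns about: every common word earns
    a credit, so enough pasted prose cancels any penalty."""
    total, _ = score(html)
    good = sum(1 for w in words(html) if w.lower() in GOOD_WORDS)
    return round(total - credit_per_good_word * good, 2)


# Constructed sample messages (not real spam).
PIXEL = '<img src="http://tracker.invalid/p.png" width="1" height="1">'
BODY = "<html><body>{}</body></html>"
MSG_SHORT = BODY.format(PIXEL + " Click here now!")
GIBBERISH = "Rd$ss0,szI3s8[dznA" * 30                     # one 540-char "word"
MSG_GIBBERISH = BODY.format(PIXEL + " Click here now! " + GIBBERISH)
MSG_IN_BAND = BODY.format(PIXEL + " " + " ".join(["sale"] * 700))      # 2800 bytes
MSG_PADDED = BODY.format(PIXEL + " Click here now! " + " ".join(["lorem"] * 900))
MSG_DILUTED = BODY.format(PIXEL + " Click here now! " + " ".join(["the"] * 150))

if __name__ == "__main__":
    for label, msg in [("short", MSG_SHORT), ("gibberish", MSG_GIBBERISH),
                       ("in band", MSG_IN_BAND), ("padded", MSG_PADDED)]:
        print(f"{label:10s} word_bytes={word_bytes(msg):5d} score={score(msg)}")
    print("diluted   ", diluted_score(MSG_DILUTED))
```

The gibberish message scores exactly like the short one because the blob is discarded by the tokenizer, which is why the answer says it is not Bayesian poisoning. The prose-padded message loses both the short-body and image-only hits, leaving only the beacon rule, while the diluted configuration turns a message carrying a tracking pixel into a negative score, which is the reason that configuration is rarely enabled.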