Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Anatomy of a spam


The other day, I got the following spam message in my inbox (junk mail folder, actually):

miaou skoal.
ripe fanny hash tome?
hypo kirk.
griff trow canoe kirk.
fix die dance.
fix coach born hazy?
silky brier mutt wrest.
samp cad wrest adopt?
ahoy pest arc.
arc targe peter puce.

<http://domain_munged.com/?said=g19c>

The payload is obvious: a link to a spammy domain.  But why the nonsensical text at the top of the message?

This is a very old spam technique that a former spam analyst I used to work with called "hash-busting."  The idea is that a spam filter computes a hash of each message it has classified as spam and stores that hash in a database.  When an inbound message arrives, the filter hashes it and looks the hash up.  If the hash is in the database and is associated with spam, the message is spam.

A hash is a function of the exact content, so any change to the message changes the hash.  In theory, if a spam filter relied on this technique alone, all a spammer would have to do is make a small change to each copy, perhaps swapping one word per message, and the filter would never catch it.  Different content per message yields a different hash key, so the filter would forever be looking up keys that did not previously exist, and none of its existing keys would ever be seen again.  The spammer could then use the same domain indefinitely and only vary the random text in the message.
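To make the failure mode concrete, here is an added example (my code, not the blog's and not any vendor's filter) that trains a toy hash-lookup filter on one copy of the spam and then tests a second copy whose padding words differ.  It also hashes only the link host, which is the one thing the spammer cannot randomize; the sample messages, the `example.org` ham link and the `HashFilter` class are all constructed for this illustration.

```python
import hashlib
import re

# Constructed sample messages, modelled on the spam quoted above.  They are
# invented for this example and are not the original messages; the link
# host "domain_munged.com" is the munged one from the post.
SPAM_A = """miaou skoal.
ripe fanny hash tome?
hypo kirk.

<http://domain_munged.com/?said=g19c>
"""

# Same campaign, same link, different hash-busting words.
SPAM_B = """griff trow canoe kirk.
fix die dance.
ahoy pest arc.

<http://domain_munged.com/?said=g19c>
"""

# Constructed legitimate message with an unrelated link.
HAM = """Hi Terry, the slides from the talk are at <http://example.org/talk.pdf>
see you Thursday.
"""


def message_hash(body):
    """Exact-content hash: the naive lookup key the spammer is trying to bust."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


# Pull the host out of each http(s) link in the body.
URL_HOST_RE = re.compile(r"https?://([^/\s>]+)", re.IGNORECASE)


def link_hashes(body):
    """Hash only the link hosts.  The padding changes per copy, but the
    domain the spammer needs the reader to visit does not, so this key survives."""
    return {hashlib.sha256(host.lower().encode("utf-8")).hexdigest()
            for host in URL_HOST_RE.findall(body)}


class HashFilter:
    """Stand-in for a hash-lookup spam filter keeping two kinds of keys."""

    def __init__(self):
        self.bad_bodies = set()   # hashes of whole messages seen as spam
        self.bad_hosts = set()    # hashes of link hosts seen in spam

    def learn_spam(self, body):
        self.bad_bodies.add(message_hash(body))
        self.bad_hosts |= link_hashes(body)

    def spam_by_body(self, body):
        return message_hash(body) in self.bad_bodies

    def spam_by_link(self, body):
        return bool(link_hashes(body) & self.bad_hosts)


def demo():
    """Train on one copy, then test the hash-busted sibling and a ham message."""
    f = HashFilter()
    f.learn_spam(SPAM_A)
    return {
        "body_hash_catches_original": f.spam_by_body(SPAM_A),  # True
        "body_hash_catches_variant": f.spam_by_body(SPAM_B),   # False: busted
        "link_hash_catches_variant": f.spam_by_link(SPAM_B),   # True
        "link_hash_flags_ham": f.spam_by_link(HAM),            # False
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The whole-message hash does exactly what the post predicts: it recognises the copy it was trained on and nothing else.  Keying on the extracted link host instead turns the spammer's one fixed ingredient into the lookup key, so every hash-busted copy of the campaign matches while the ham message, which links somewhere else, does not.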

The other mechanism this type of spam aims to defeat is Bayesian filtering.  By padding the message with random dictionary words that change each time, the spammer hopes the Bayesian filter finds little in the message that it can classify as spam.  The words are neutral, typical of neither spam nor legitimate mail, so, the theory goes, the probability engine judges the message as neutral rather than as spam.  The catch is that neutral tokens contribute nothing in either direction: they do not cancel out the tokens that are strongly associated with spam, such as the link the message exists to deliver.
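The following added example (my code, not the blog's) is a minimal per-token Bayesian scorer trained on a small constructed corpus.  It shows what the padding actually buys the spammer: words the filter has never seen score a perfectly neutral 0.5 and add nothing to the verdict, while the campaign link host, which appears in every training spam, stays strongly spammy.  The training messages, the test messages and the smoothing formula are all assumptions made for this illustration, not a description of any particular product.

```python
import math
import re
from collections import Counter

# Tokens are runs of letters, digits, dots and underscores, so a link host
# such as "domain_munged.com" survives as a single token.
TOKEN_RE = re.compile(r"[a-z0-9_.]+")


def tokenize(text):
    return set(TOKEN_RE.findall(text.lower()))


class NaiveBayes:
    """Minimal per-token Bayesian spam scorer (Graham/Robinson style)."""

    def __init__(self):
        self.spam_docs = Counter()   # token -> number of spam messages containing it
        self.ham_docs = Counter()    # token -> number of ham messages containing it
        self.nspam = 0
        self.nham = 0

    def train(self, text, is_spam):
        toks = tokenize(text)
        if is_spam:
            self.spam_docs.update(toks)
            self.nspam += 1
        else:
            self.ham_docs.update(toks)
            self.nham += 1

    def token_prob(self, tok):
        """P(spam | token), smoothed toward 0.5 for rare or unseen tokens."""
        s = self.spam_docs[tok] / max(self.nspam, 1)
        h = self.ham_docs[tok] / max(self.nham, 1)
        n = self.spam_docs[tok] + self.ham_docs[tok]
        if n == 0:
            return 0.5                   # never seen: perfectly neutral
        p = s / (s + h)
        return (0.5 + n * p) / (1 + n)   # one pseudo-observation at 0.5

    def score(self, text):
        """Combine token probabilities as a sum of log-odds; neutral tokens add 0."""
        log_odds = 0.0
        for tok in tokenize(text):
            p = self.token_prob(tok)
            log_odds += math.log(p) - math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(-log_odds))


# Constructed training corpus (invented for this example).
SPAM_TRAIN = [
    "cheap pills click here <http://domain_munged.com/?said=a1>",
    "buy now discount pills <http://domain_munged.com/?said=b2>",
    "click for discount meds <http://domain_munged.com/?said=c3>",
]
HAM_TRAIN = [
    "meeting moved to thursday, agenda attached",
    "can you review the draft report before friday",
    "lunch on tuesday? the new place downtown",
    "the slides from the talk are at http://example.org/talk.pdf",
]

# Hash-busted spam in the style of the message quoted above: random words
# the filter has never seen, plus the campaign link.
HASH_BUSTED = "silky brier mutt wrest. samp cad wrest adopt? <http://domain_munged.com/?said=g19c>"
PADDING_ONLY = "silky brier mutt wrest. samp cad wrest adopt?"
HAM_TEST = "can we move the meeting to tuesday"


def build_filter():
    nb = NaiveBayes()
    for m in SPAM_TRAIN:
        nb.train(m, True)
    for m in HAM_TRAIN:
        nb.train(m, False)
    return nb


def demo():
    nb = build_filter()
    return {
        "padding_word_prob": nb.token_prob("silky"),            # 0.5, neutral
        "link_host_prob": nb.token_prob("domain_munged.com"),   # 0.875
        "hash_busted_score": nb.score(HASH_BUSTED),             # about 0.99
        "padding_only_score": nb.score(PADDING_ONLY),           # exactly 0.5
        "ham_score": nb.score(HAM_TEST),                        # well under 0.1
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

Run on its own, the padding alone scores a dead-neutral 0.5, which is the result the spammer is after.  As soon as the link is added the message scores as spam, because the unseen words have zero log-odds and the link host carries all of the weight.  The padding can only dilute; it cannot hide a token the filter has already learned.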

To my knowledge, this technique does not work that well.  Most spam filters combine a variety of filters and methodologies, and the two techniques hash-busting is trying to defeat are not that reliable on their own anyhow.  The one thing the spammer cannot randomize is the link the message exists to deliver, and antispam vendors have better, more robust ways of catching spam than exact-match hashes and word probabilities.  The spammer, while attempting to be clever, will have to try something else next time.

  • Lately I've been getting spam that is an image of the ad, which not only allows me to see their poorly targeted marketing message, but I've heard sets a cookie in my inbox so they know it's been opened.... Open one of these dreaded spam messages and expect an avalanche of upcoming spam from then on.

    Any way to combat this?
