I came across an interesting type of spam the other day.  Here is a snippet of the headers:

Received: from (87.200.53.223) by TX2EHSMHS013.bigfish.com
    (10.x.x.x) with Microsoft SMTP Server id 14.0.482.32; Wed, 16
    Sep 2009 19:54:05 +0000

Message-ID: <20090917012345.8471.qmail@>

To: "For you" <email@removed.com>

Subject: RE: Pharmcy online (3991)

From: "ci. Doc" <doctor.octopus@removed.com>

Date: Thu, 17 Sep 2009 01:24:04 +0500

MIME-Version: 1.0

Content-Type: text/html; charset="windows-1251"

Content-Transfer-Encoding: 7bit

X-MS-Exchange-Organization-OriginalArrivalTime: 16 Sep 2009
    19:54:05.7315 (UTC)

Pay special attention to the two red portions above.  The first is a message ID which may or may not be faked.  It indicates that the message originated on a qmail MTA and was sent out from it.  The second is the windows-1251 charset, which is the encoding used on older versions of Windows to encode the Russian character alphabet.  Nowadays it is more common to use Unicode or KOI8-R.

What’s so interesting?  Qmail is an MTA that runs on Linux.  Windows-1251 is a charset to encode the alphabet on Windows systems.  Why would a Linux MTA use a Windows encoding character set?

From this, I have a couple of theories:

  1. This is a compromised Linux machine running qmail and the bot is controlled by a Windows machine which sends the compromised Linux/qmail spam.  The spam is created elsewhere and distributed by the above machine.

    The message ID is broken or misconfigured but the local machine is creating it.

  2. This is a compromised Windows machine where the spam is created natively and the qmail Message-ID is fake.  Why a spammer would attempt to spoof the qmail message-ID is unusual, but if it is an attempt to make it look legitimate it is odd that they would try.

I give the spammer points for trying.  In either case above, using the Windows 1251 charset suggests that the spammer is using an older version of Windows and is probably somewhere in eastern Europe, most likely Russia.  It’s kind of an interesting tactic to intermingle operating systems.  I’m not in the Spammer Club so I am not privy to this kind of information, so I am free to speculate.

And sometimes, speculation is fun.