I came across an interesting type of spam the other day. Here is a snippet of the headers:
To: "For you" <email@example.com>
Subject: RE: Pharmcy online (3991)
From: "ci. Doc" <firstname.lastname@example.org>
Date: Thu, 17 Sep 2009 01:24:04 +0500
Content-Type: text/html; charset="windows-1251"
X-MS-Exchange-Organization-OriginalArrivalTime: 16 Sep 2009 19:54:05.7315 (UTC)
Pay special attention to the two red portions above. The first is a message ID which may or may not be faked. It indicates that the message originated on a qmail MTA and was sent out from it. The second is the windows-1251 charset, which is the encoding used on older versions of Windows to encode the Russian character alphabet. Nowadays it is more common to use Unicode or KOI8-R.
What’s so interesting? Qmail is an MTA that runs on Linux. Windows-1251 is a charset to encode the alphabet on Windows systems. Why would a Linux MTA use a Windows encoding character set?
From this, I have a couple of theories:
I give the spammer points for trying. In either case above, using the Windows 1251 charset suggests that the spammer is using an older version of Windows and is probably somewhere in eastern Europe, most likely Russia. It’s kind of an interesting tactic to intermingle operating systems. I’m not in the Spammer Club so I am not privy to this kind of information, so I am free to speculate.
And sometimes, speculation is fun.
please add me to a spider because I scam people email@example.com