How to Identify SPAM

In looking at a SPAM message, we need to also look at the body of the message and some of the things often done to entice, throw off, or fool the recipient into responding. Let’s look at the biggies:

Hidden URLs

Some spammers will make use of various forms of encoding to hide URLs or fool users into clicking on URLs they would not otherwise click on. Many will use IP addresses rather than domain names, thereby hiding the nature of the target site from the user until they actually visit it. However, one can use the “nslookup” tool on their computer to get the domain itself in many cases (more on this later). Sometimes they will encode the IP address in escaped characters, meaning the ASCII or HTML special character code for each character. Other spammers will use the little-used user ID field of the URL to fool people. For example, sending a browser to “http://www.notspam.com@10.10.10.10/” is, to a browser, the same as going to 10.10.10.10 with a username of “www.notspam.com”. The site will usually ignore the user field, so there you are, staring at 10.10.10.10. Most users, though, would believe they are going to www.notspam.com.

Relatedly, some spammers will make use of other ports. Typically web traffic comes in on port 80, which is used for HTTP transactions. But if a spammer tries to link you to “www.notspam.com:2000”, then they are routing you to port 2000 rather than 80. If the spammer controls whatever is listening on port 2000 on that server, then you just got “had”.
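The checks described in the two paragraphs above can be automated. The following Python sketch is an added example, not part of the original article; the function name inspect_url and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"http": 80, "https": 443}

def inspect_url(url):
    """Return a list of findings for the URL tricks described above."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Everything before '@' in the authority is a user ID, not the site.
    if parts.username is not None:
        findings.append(f"userinfo '{unquote(parts.username)}' precedes real host '{host}'")
    # Percent-escapes in the authority hide the host from a casual reader.
    if "%" in parts.netloc:
        findings.append("percent-encoded characters in authority")
        host = unquote(host)
    # A bare IP address instead of a domain name.
    try:
        ipaddress.ip_address(host)
        findings.append(f"host is a raw IP address: {host}")
    except ValueError:
        pass
    # An explicit port other than the scheme default.
    try:
        port = parts.port
    except ValueError:
        port = None
        findings.append("malformed port")
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        findings.append(f"non-standard port {port}")
    return findings

# Constructed sample URLs, using the article's placeholder names.
SAMPLES = [
    "http://www.notspam.com@10.10.10.10/",
    "http://www.notspam.com:2000/",
    "http://%31%30.10.10.10/",
    "http://www.example.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, inspect_url(sample))
```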

Two other very common URL tricks are redirectors and deceptive HTML links. There are URLs out there whose only purpose is to redirect to another web address. Spammers can give the click-through URL a legitimate-looking name, but clicking on it would route you somewhere else. Lastly, since much SPAM is in HTML format, it can contain a link which is hyperlinked in the traditional blue, underlined text, but actually clicking on the link takes you somewhere else entirely. The way to protect yourself against this is to “View Source” on the message by right-clicking and choosing “View Source”. Look for the HTML

<a href="http://reallink">shown link</a>

Whatever is in place of the “reallink” text is where you will actually go if you click on that link. This is a common trick in deceptive emails trying to get sensitive information from users. For example, emails that appear to come from eBay or PayPal will claim to have a problem with your account and need you to click on a link to verify your information. The link and the email will appear official, but viewing source on that email will reveal unrecognized IP addresses. It is very apparent, in these cases, that such emails are deceptive hoaxes designed to get you to give your account information to the spammer.
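The “View Source” comparison can also be done programmatically. This added example (not from the original article) parses an HTML body and reports every link whose visible text names one host while its href points at another; the class and function names and the sample message are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkAudit(HTMLParser):
    """Collect (shown text, href) for every <a> element in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

# Matches something that looks like a host name inside the visible text.
HOSTLIKE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def deceptive_links(html):
    """Return links whose visible text names a host other than the href's.

    Simplification: hosts are compared for exact equality, so a link shown
    as example.org that points at www.example.org is also reported.
    """
    audit = LinkAudit()
    audit.feed(html)
    hits = []
    for shown, href in audit.links:
        m = HOSTLIKE.search(shown)
        real = (urlsplit(href).hostname or "").lower()
        if m and m.group(1).lower() != real:
            hits.append({"shown": m.group(1).lower(), "real": real})
    return hits

# Constructed sample body: one deceptive link, two harmless ones.
SAMPLE_BODY = (
    '<p>There is a problem with your account. '
    '<a href="http://10.10.10.10/verify">http://www.notspam.com/account</a></p>'
    '<p><a href="http://www.example.org/help">www.example.org</a> '
    '<a href="http://www.example.org/x">Click here</a></p>'
)

if __name__ == "__main__":
    print(deceptive_links(SAMPLE_BODY))
```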

Javascript in Message Bodies

Some spammers will insert JavaScript into their messages in order to track users and avoid spam detection. For example, a script could be programmed to detect the user’s IP address, OS and browser and then send back a message which looks like a regular email. Behind the scenes, the spammer just learned a little bit about you. Or they could use JavaScript to disable the right mouse button on your HTML emails, thereby keeping you from viewing source in the traditional manner. It is, however, still pretty easy to view source. You can use the top menu option to view source (if your email client has one), or you could simply save the email as an HTML source file on your computer.

Random Characters

Quite commonly spammers will insert random characters into the subject line or body message so that the message will slip through spam detection. For example, take this subject line:

S’up’er L’ow P’ri’ces For Yo’ur M’ed’ic”ation ! YJOR

Obviously, they are advertising online medication, but with the random characters, they are hoping to keep spam-detection tools from recognizing those common spam keywords such as “low prices” and “medication”. Very lame, but very common. Sometimes they will simply randomly misspell words that are commonly flagged, such as “v1agra” rather than “viagra”.

Email Addresses in Links

Spammers like to know if their emails are being opened by anyone. They also like to know who is opening them. In this way, they can flag your email address as valid and continue to spam it with the knowledge that it is a good address. One way of doing this is to append your email address to any link contained in the email message. It may be either directly appended or appended in URL encoded form. When you click that link, the spammer knows who clicked on it. Another way is to have a zero-size or 1×1 image embedded into the email. The image is not really a simple image but is actually a small script which is taking your email address and updating some database that your email is good.
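Both tracking methods described above leave marks in the HTML source. The sketch below is an added example, not from the original article: it flags links or images whose URL carries the recipient's address (plain or URL encoded) and images declared as zero-size or 1×1. The names and the sample message are constructed, and sizes set through CSS are not examined.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

class TrackerScan(HTMLParser):
    """Flag recipient-tagged URLs and tracking-pixel images."""
    def __init__(self, recipient):
        super().__init__()
        self.recipient = recipient.lower()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") if tag == "a" else a.get("src") if tag == "img" else None
        if not url:
            return
        # Decode a few times so single and double URL encoding are both caught.
        decoded = url
        for _ in range(3):
            decoded = unquote(decoded)
        if self.recipient in decoded.lower():
            self.findings.append((tag, "recipient address in URL", url))
        # Both dimensions must be declared and each must be 0 or 1.
        if tag == "img" and {a.get("width"), a.get("height")} <= {"0", "1"}:
            self.findings.append((tag, "zero-size or 1x1 image", url))

def scan_tracking(html, recipient):
    """Return (tag, reason, url) tuples for the message body."""
    scan = TrackerScan(recipient)
    scan.feed(html)
    return scan.findings

# Constructed sample body; user@example.com stands in for the recipient.
SAMPLE_MESSAGE = (
    '<a href="http://www.notspam.com/offer?e=user%40example.com">Deals</a>'
    '<img src="http://www.notspam.com/o.gif?u=user@example.com" width="1" height="1">'
    '<img src="http://www.notspam.com/logo.png" width="200" height="60">'
)

if __name__ == "__main__":
    for finding in scan_tracking(SAMPLE_MESSAGE, "user@example.com"):
        print(finding)
```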

Personalization

In order to entice you to open their email, the spammer has to trick you into thinking it is legitimate. One way to do this is to address you by name. If they do not have your name, they may use a portion of your email address and see if they get lucky. Another method is to use a subject line which you may think is directed to you. Subjects like “Payment Past Due” or “Important Notice About Your Account” are common. These aren’t really tricks, but more a form of social engineering.

Dirty HTML

Some spammers will take advantage of the fact that some HTML simply does not render on the user’s screen. For example, doing an opening and closing bold tag (“<b></b>”) would not show up to the user. However, injected right into the middle of a commonly filtered word, it may fool some filters into missing it and allow the email through. For example, the word “mortgage” might get filtered, but the word “mort<b></b>gage” might not. Sometimes they may use heavily nested tables which do not show on the user’s screen but may fool the filter. Another trick is to inject bogus text, many times colored the same color as the background, to make the email seem legitimate to filters which weigh the spam score. So, if the body of the email that you see is advertising a low-interest loan, but invisibly it is showing a long diatribe of text which is of an innocent nature, that email may slip through the filters.
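A filter can undo both the random-character trick from the “Random Characters” section and the empty-tag trick described here by normalizing text before matching keywords. The following is an added example, not from the original article; the keyword list and character map are small constructed samples, and the normalized copy is meant for matching only, not for display.

```python
import re
import unicodedata

# Sample keyword list (assumed for this example; real filters use far more).
KEYWORDS = ("low prices", "medication", "viagra", "mortgage")

# Common digit/symbol substitutions for letters (constructed sample map).
LEET = str.maketrans({"1": "i", "0": "o", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s"})

def normalize(text):
    """Reduce obfuscated text to the form a reader perceives."""
    # Tags render as nothing, so mort<b></b>gage reads as mortgage.
    text = re.sub(r"<[^>]*>", "", text)
    text = unicodedata.normalize("NFKC", text).lower()
    # Drop straight and curly quote marks and similar filler inside words.
    text = re.sub(r"[\u2018\u2019\u201c\u201d'\"`*_]", "", text)
    text = text.translate(LEET)
    return re.sub(r"\s+", " ", text).strip()

def flagged_keywords(text):
    """Return the keywords present once the obfuscation is removed."""
    clean = normalize(text)
    return [k for k in KEYWORDS if k in clean]

# Samples: the subject line and words quoted in the article.
SUBJECT = "S’up’er L’ow P’ri’ces For Yo’ur M’ed’ic”ation ! YJOR"
SAMPLES = [SUBJECT, "v1agra", "mort<b></b>gage", "Lunch on Friday?"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", flagged_keywords(sample))
```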

Use of Affiliate Sites

In this practice, the spammer may sign up for an affiliate program and then set up their own website to promote it. Then they can send spam advertising this website and thereby shield themselves from automatic notice when being reported for spam. The spammer earns a commission on sales, and the company hosting the affiliate program benefits from a large network of resellers. This kind of practice is very common on porn websites. These sites offer galleries of some variety and then provide an affiliate link to a larger website on which you need to pay. Any link in an email which is passing an affiliate ID in it is more likely to be spam.
