[Dshield] Paypal fraud revisited: a question

Stephane Grobety security at admin.fulgan.com
Tue Oct 28 14:53:27 GMT 2003

JD> The text above appears at the end but appears to be invisible, and if try to
JD> type after this paste in I can not see my typing. I am attaching the
JD> original as a example as well. This seems to be another unique way to avoid
JD> spam filters maybe.

Unfortunately, without including the COMPLETE SOURCE of the message,
there is little we can say except making guesses... However, read

JD> I find it interesting  that many of the spams I get lately look like garbage
JD> when I view as text, but if I go to forward and it sets to html, then
JD> suddenly I see another whole different email. Can anyone point me to a
JD> resource where this technique is discussed .

Well, let's start with some references:

and of course, the place you should have started at:

Now a few peices of info about EMail that you seem not to know:

All EMail is pure text message. This is due to the legacy nature of
the service. To work around this, a specific convention, known as MIME
encoding, is used to convert different types of files into 7-bits
ASCII and group them together in the same "text file" (or message).

Each MIME part of a message has a small "header" that indicates what
it is about. This header contains a "MIME type" which identify the
nature of the part (e.g. "text/HTML" or "image/GIF"), the way it is
encoded ("quoted-printable", "base64", et.) and optionally a
name, purpose and other attributes.

By default, when a typical MIME-enabled mail client opens a message,
it will look for a "text/HTML" or "text/plain" part and display that
to the user (which one is checked first depends on the client and on
the user settings). The actual process is a bit more complex because
MIME parts can be nested and related, but the simplification will do
for explaining what's happening.

Now, what is happening to you ? Well, it could be several different
things but the most likely is that the plain text part and the HTML
text part of the message do not contain the same text. The plain text
(which is the second one checked by Outlook [express] by default)
contains a nonsensical stream of English sentences, most likely to try
to avoid detection by bayesian spam filters. The HTML part contains
the actual spam.

Now, if you're willing to learn a bit more about what spamer do (and,
in general, what you get in your inbox), then you should NOT use the
message in any interpreted way but look at the raw message source (In
OE, see Files->Properties and see the "details" tab: there is a
"message source" button there). But warned though: Some spammers like
to encode their plain text/HTML in base64 in order to make tracing
them more difficult. To decode that, a number of software are
available (if you can't find one, contact me off-list, I can provide
you with one).

Good luck,

More information about the list mailing list