Stealthed Spam, Redux!
I originally covered this back in October 2007, but, as usual, the spammers have recently repeated themselves. This time the stealthed spam is different, as new approaches and techniques have been used. First, though, a quick recap of what I mean by stealth.
"Here's an interesting trick that the spammers are increasingly using to defeat not only software and hardware anti-spam defences but also "wetware" anti-spam defences; wetware is the geek/nerd term for you, dear reader, the interface between the chair and the keyboard. ;-)
Stealth is not a new idea; computer viruses and other malware have been using techniques to hide since the very beginning of the problem on IBM and compatible PCs. In fact the very first virus on this platform, 'Brain', used stealth. Also, most of you are aware that stealth is widely used by the military, not only to make warplanes invisible [or almost] to radar and other tracking technologies, but also warships."
So, now that you know what I mean by stealth, what does stealthed spam look like? Well, guess what: you can't see it at first, because it is stealthed [hidden]. Here are some recent examples so you can see what I mean:
The first one claims to be from 'Media Inc.':
[screenshot not reproduced]
The second one claims to be from 'Windows Live Hotmail':
[screenshot not reproduced]
The third and final one claims to be from 'A Credit-Card Company':
[screenshot not reproduced]
With all of the above examples, all the URLs [web-links] in the e-mail point to the spammy site, and the To and From e-mail addresses tend to be the same, that being yours! All the text is probably taken from real newsletters/e-mails/websites. These e-mails pass the tests that most of us use to decide whether something is spam or not; in other words, they pass the 'Eyeball' test fairly easily, as they look like genuine e-mails from real companies. The only missing pieces are the remote graphics, which most e-mail programs will not fetch, at least not by default. Note that the two tell-tales above, every link on one host and a message addressed to its own sender, are easy for a filter to check even when a human reader sees nothing wrong.
So, what do they look like when I enable 'allow remote images' in the e-mail program?
They look like this:
[screenshots not reproduced]
Yes, you aren't seeing double: the second and third examples produce the same result when viewed in an HTML-capable e-mail reader or web browser.
Now they all fail the 'Eyeball' test with ease.
Why do I call these 'Stealthed Spam'? Well, simply because the spam component is hidden and not in plain view.
The final screenshot shows part of the HTML source of the last example above, which renders as only the image:
[screenshot not reproduced]
You can clearly see the other HTML, which doesn't get shown when rendered in a browser or an HTML e-mail reader. The hidden text, and the links it carries, are still in the source for a filter to read, even though the reader never sees them.
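To make the tell-tales above concrete, here is an added example (my own code, not from the original post or the spam it shows) that scans an e-mail for the indicators described: text that is present in the HTML but hidden when rendered, a remote image, every link pointing at one host, and a message addressed to its own sender. It assumes the text is hidden with CSS (display:none, visibility:hidden, zero font size, white text); the two sample messages are constructed for this example, and the host names in them are invented.

```python
"""Added example: heuristic scan for 'stealthed' HTML spam. Assumes the text is
hidden with CSS; text hidden by stacking it under an image will not be caught."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make text invisible when rendered (assumed hiding methods).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(px|pt|em|;|$)"
    r"|(?<!-)color\s*:\s*(#fff\b|#ffffff\b|white)", re.I)
VOID_TAGS = {"img", "br", "hr", "meta", "input", "link", "area", "base", "col"}


class StealthParser(HTMLParser):
    """Counts text inside hidden elements; collects link targets and remote images."""
    def __init__(self):
        super().__init__()
        self.links, self.remote_images = [], []
        self.hidden_chars = self.visible_chars = 0
        self._stack = []          # (tag, hidden?) for every open non-void element
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "img" and a.get("src", "").lower().startswith(("http://", "https://")):
            self.remote_images.append(a["src"])
        if tag in VOID_TAGS:
            return                # void elements never close; keep them off the stack
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        self._hidden_depth += hidden
        self._stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or all(t != tag for t, _ in self._stack):
            return                # stray close tag: ignore it rather than unwind the stack
        while self._stack:
            t, hidden = self._stack.pop()
            self._hidden_depth -= hidden
            if t == tag:
                break

    def handle_data(self, data):
        n = len(data.strip())
        if self._hidden_depth:
            self.hidden_chars += n
        else:
            self.visible_chars += n


def scan(raw_message):
    """Return the indicators the post describes, plus a crude verdict."""
    msg = message_from_string(raw_message)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            break
    p = StealthParser()
    p.feed(html)
    hosts = {urlparse(u).hostname for u in p.links} - {None}
    total = p.hidden_chars + p.visible_chars
    hidden_ratio = p.hidden_chars / total if total else 0.0
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    f = {"self_addressed": bool(sender) and sender == recipient,
         "single_link_host": len(hosts) == 1,
         "remote_images": len(p.remote_images),
         "hidden_text_ratio": round(hidden_ratio, 2)}
    hits = sum([f["self_addressed"], f["single_link_host"], f["remote_images"] > 0, hidden_ratio > 0.5])
    f["verdict"] = "stealthed spam" if hits >= 3 else "ok"
    return f


# Constructed sample: copied newsletter text hidden by CSS, one remote image,
# every link on one (invented) host, and the mail addressed to its own sender.
STEALTHED = """\
From: you@example.invalid
To: you@example.invalid
Content-Type: text/html; charset="us-ascii"

<html><body>
<div style="display:none">
<p>Welcome to Windows Live Hotmail. Please read the <a href="http://spammy.invalid/t">terms</a>.</p>
<p>Paragraphs copied from a real newsletter go here so the mail passes the eyeball test.</p>
</div>
<a href="http://spammy.invalid/go"><img src="http://spammy.invalid/ad.gif" alt=""></a>
</body></html>
"""

# Constructed sample: an ordinary newsletter with visible text and links to two hosts.
ORDINARY = """\
From: news@vendor.invalid
To: you@example.invalid
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Read the <a href="http://vendor.invalid/blog">blog</a> or follow us on
<a href="http://social.invalid/vendor">social media</a>.</p>
<img src="http://vendor.invalid/logo.png" alt="logo">
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("stealthed", STEALTHED), ("ordinary", ORDINARY)):
        print(name, scan(raw))
```

The hidden-text ratio is the indicator that matches what the final screenshot shows: a large amount of HTML text that never reaches the screen. The other three checks are cheap and independent of rendering, which is why a filter can catch these even though the eyeball test fails. The CSS list is an assumption about how the hiding is done; a message that simply draws an image over the text would need layout-aware rendering to detect.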
As they say, "Keep 'em peeled!", which means keep your eyes open and stay alert. Or, as others might say, "don't believe everything you see or read"; it may be a clever fake.
If you see any other interesting new tricks/techniques or file formats being used by spammers then please feel free to send me the details or post the information as a comment. Thanks!
Labels: all, life, social-engineering, spam