-----BEGIN PGP SIGNED MESSAGE----- I sent this to sightings as well, but thought it was interesting enough to pass along to the main list as well. Never mind that the guy who caught it was being a little paranoid, it's still an interesting look at what spammers are doing to avoid detection.
Is anyone working on code that would properly reassemble the "main" text in such an email? - -- Public key #7BBC68D9 at | Shane Williams http://pgp.mit.edu/ | =----------------------------------+------------------------------- All syllogisms contain three lines | [EMAIL PROTECTED] Therefore this is not a syllogism | www.gslis.utexas.edu/~shanew - ---------- Forwarded message ---------- Date: Thu, 4 Apr 2002 12:42:07 -0800 From: John Sage <[EMAIL PROTECTED]> To: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: *****SPAM***** [Snort-users] Subliminal html in spam? I sent this first to the intrusions list, and then I went back and looked at some more html-formatted spam I've received lately, and I've got at least four more like this. This is odd enough that I'd like to get some more eyeballs on the question to see if _anyone_ has an answer as to what the hell's going on here. What this is, is text embedded within html comment tags that are embedded within the body text of the spam itself. This one example, below, is prattling on about movies and The King and Siam and Jody.. ..another one completes a passage about Jody Foster, and a third (I am_not_ making this up..) has "Mary had a Little Lamb" embedded in it. All embedded within comment tags, within the body text. WTF? - ----- Forwarded message from John Sage <[EMAIL PROTECTED]> ----- OK: I really know I haven't seen everything yet, particularily when it comes to spam, but here's one for the books. What does anyone think is going on, here? What is we have is text embedded withing <!-- --> html comment tags that is embedded withing the actual visible text of the email html is munged so that the html code is surrounded with [ ].. [font face="Arial" size="4"] Takeover Tar[!--Check out--]get A[!--the movies--]lert Pro[!--more--]jected [/font] [font face="Arial" size="4"] By Institutional Research Firm to Reach $[!--often--]7.00! [/font] [font face="Arial"] SY[!--The King--]MBOL: (O[!--Anna--]TC[!--and--]BB: SN[!--of--]NW) [/font] [font face="Arial"] S[!--Siam--]TR[!--was an--]ONG [!--The King--]BU[!--excellent--]Y/AG [!--movie--]GRE[!--both--]SSIVE G[!--The original--]RO[!--Tand the--]WTH [/font] [font face="Arial"] R[!--She has--]EC[!--a son--]ENT PR[!--redo--]ICE: $.40 [/font] [font face="Arial"] LI[!--The King--]NCOLN EQU[!--with--]ITY RESEARCH 12-MONTH TA[!--Jody--]RGET: [/font] So the explicit text reads: "Takeover Target Alert Projected By Institutional Research Firm to Reach $7.00 SYMBOL: (OTCBB: SNNW) STRONG BUY/AGGRESSIVE GROWTH RECENT PRICE: $4.00 LINCOLN EQUITY RESEACH 12-MONTH TARGET:" and the embedded text within the comment tags reads: "Check out the movies more often The King Anna and of Siam was an the King excellent movie both The original Tand the She has a son redo The King with Jody" I'm at a complete loss to explain this... - - John - -- In those days, you could not buy a $2000 200MHz Pentium server. - ----- End forwarded message ----- _______________________________________________ Snort-users mailing list [EMAIL PROTECTED] Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBPK+jxWa83yV7vGjZAQHa3AQAlnOK34RgaGlOPbhdoNr88vV2mdBNGelS 3Yt4UaPpKw/or0+rI93TnfBJ7afkbY3uCQtyy3uhgvRwtYHWgsbh8ke5kqfWQci8 kpmpxUFEmdxcVBmOOJt+Pk7t4+MTP+TekFwoBd3SnHGX+Srpntv1r+bmJETj8zCr KuRLlKILPiI= =FIKn -----END PGP SIGNATURE----- _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
