A long time ago, I noticed spammers were including rot-13 encodings of email addresses in message bodies.
Things like this: zxrggyre^riv-vap(pbz Which decodes to: mkettler^evi-inc(com Why exactly ^ replaces @ and ( replaces . was never really clear, but this provided a really nice spam sign, and became the basis of SA's EMAIL_ROT13 rule, which looks for the characteristic pattern involving ( and ^. apparently someone's already modified their tactics for this. I found a spam with this IMG tag in it (note: email addresses other than mine replaced with xxxxxxxxx to protect my users) IMG SRC="http://www.pics-4-showMUNGED.com/1.gif?zxrggyre()riv-vap^Hpbz^Sxxxxxxxxxx()riv-vap^Hpbz^Sxxxxxxxxxx()riv-vap^Hpbz^S^S" It's the same basic trick, but now it's being used as a parameter to a web bug. They've modified it slightly so the @ is replaced by () and the is replaced by ^H, but it's much the same. Just wanted to let people know the signature has mutated slightly, and it's being used in HTML tags as well as body text.
