Anatomy of a Spam Email and New Techniques Being Used to Evade Detection – Part I
In what some would probably consider an odd hobby, we collect and analyze spam in our spare time. What is interesting about looking at the nuts and bolts of spam campaigns is the ever-changing techniques that are used to evade detection. All kinds of digital weapons are deployed to identify and stop spam, all the way from the sophisticated algorithms that ISPs use down to simple client-side signature-based software on your grandpa and grandma’s home computer.
There are spam campaigns to promote erectile dysfunction pills, various over-the-counter or difficult-to-get medications, any type of ecommerce product ever created, travel vacation and cruise scams, payday loans, porn / adult content and the more nefarious spearphishing campaigns. Some spearphishing campaigns come with embedded links to hidden payloads containing ransomware or malware, while other spearphishing emails aim to harvest / steal your credentials to your email, banking, or any other online or social media account. Below is an example of a spearphishing email attempting to steal the credentials to an Apple ID account.
The Apple-related spearphishing attempt above has a number of interesting features that help it bypass spam filters. One is that the “L” in apple for this particular spam is actually a capital “i”, but it uses a font that makes it nearly impossible to tell. Second, it uses some fancy code in the From: field to make sure the user only sees the word “Apple” (in this case Appie) in the from box, even though the sending email is clearly not from Apple.
This is what a normal from field should look like:
From: Google Alerts <firstname.lastname@example.org>
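One way a filter can check for the two From: tricks described above, as an added example that is not part of the original article. The brand-to-domain table, the lookalike table and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: brands to protect and the domains they legitimately send from.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "google": {"google.com"},
}

# Small constructed table: lookalike character -> the letter it imitates.
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u0440": "p",  # Cyrillic a, e, r
})


def skeleton(text):
    """Replace lookalike characters with the letter they imitate, then lowercase."""
    return text.translate(CONFUSABLES).lower()


def check_from(header_value):
    """Return findings for one From: header value (empty list means no mismatch)."""
    display, addr = parseaddr(header_value)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in skeleton(display):
            continue  # display name does not claim this brand
        if brand not in display.lower():
            findings.append(f"lookalike spelling of {brand}")
        if not any(domain == d or domain.endswith("." + d) for d in domains):
            findings.append(f"claims {brand} but sent from {domain}")
    return findings


# Constructed sample headers; the addresses are placeholders.
SAMPLES = [
    "AppIe <support@account-verify.example>",   # capital I in place of l
    "Apple <support@account-verify.example>",   # correct spelling, wrong domain
    "Google Alerts <alerts@google.com>",        # display name and domain agree
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_from(s) or "ok")
```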
Below is another spam email that we recently received in one of our many honeypot inboxes. It is an email promoting international matchmaking with Russian and Ukrainian women. Obviously, this spam campaign is aimed at men and aims to promote the idea of international brides. For the purpose of brevity, I will avoid getting into the exploitative nature of, and social commentary on, this type of business.
Whether this particular business is even legitimate is not really the point of this article … and in fact we spent really no time trying to determine whether the business / site being promoted was even an actual company and have redacted the business website. As we lay out the building blocks of this particular spam campaign here and in part II, it will become quite obvious that one should “run not walk” away from anything promoted in this email.
The first component of any spam email is what is found in the header section. Most email clients have a tab that allows you to look behind the scenes of an email and see some of the code and metadata. Here is an example of where to find the header information and raw source metadata of a spam email if you are a Mac user.
When we look at the raw source data of the Russian international bride spam we immediately see that the sender domain does not match the public facing domain of the spam email. That is always the first red flag and for a less sophisticated user this is the easiest first step to look at in case you are suspicious about a particular email.
The sending domain of this spam email, indicated by the red arrow, is red2copprr[.]us and the sending IP address, indicated by the blue arrow, is 176.10.250[.]145. This sender’s IP address maps to the ISP, Bahnhof Internet, in Kista, Sweden. As everyone knows, the sender IP address can be spoofed so where this is mapped to certainly isn’t conclusive proof of anything. More on this in part II. Next we look at the subject section of the raw code below and see suspicious looking embedded PHP links and a big chunk of whitespace as indicated by the red arrow.
This is followed by a large section of random text with no obvious words that could be flagged by a spam filter. Their injection of “c” characters in certain places, and replacement of other letters in some words with periods, is a little curious. We are not exactly sure what specific algorithmic filter this is trying to defeat. However, the use of random lengths of whitespace and random chunks of scrambled text serves two purposes. It makes it difficult for normal spam filters to flag this as spam based on textual parameters such as certain words, the ratio of words to images, and other common flags. It also defeats filters created to detect the size of the spam email and percent identity to similar emails or even other emails sent out from this same campaign. So already there are multiple methods coded into this email to help it defeat spam filters.
So where is the raw code section that actually generates the public-facing text in the email shown in figure 2? Well, this is the interesting part, and something we only started seeing within the last year. In the original email all the text can be selected and copied and pasted, so we knew it wasn’t just an embedded image. Incidentally, an embedded image would create a very low text / image ratio, which is itself a red flag. Instead, what has been done in this email, and in many of the spam emails we have collected this year, is base64 encoding of all the text. Generally this is only done for images, and to be honest, up until this year I didn’t even know most email clients could handle base64 encoding and decoding using the Content-type: text/html designation. So the spammers take their text, encode it using base64, and place the block of scrambled alphanumeric characters into the email; the two code directives indicated by the red arrow essentially tell your email client to decode this block into the actual text when you open the email to read it. A spam filter sees the raw code below and, again, would not be able to flag anything based on obvious spam words like “Russian” or “Ukrainian girls” or “your perfect mate”.
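The filter-side counterpart of the base64 trick described above, as an added example that is not part of the original article: decode each text part the way the mail client does, then match on the rendered text. The sample message is constructed for illustration and is not the captured spam.

```python
import base64
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Phrases the article names as obvious spam words.
SPAM_TERMS = ["russian", "ukrainian girls", "your perfect mate"]

class _TextOnly(HTMLParser):
    """Collect the text nodes of an HTML body, dropping the tags."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def visible_text(msg):
    """Decode each text/* part per its Content-Transfer-Encoding; return what a reader sees."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # policy.default undoes base64 and the charset
        if part.get_content_subtype() == "html":
            parser = _TextOnly()
            parser.feed(body)
            body = " ".join(parser.chunks)
        out.append(body)
    return re.sub(r"\s+", " ", " ".join(out)).strip()

def hits(text):
    return [t for t in SPAM_TERMS if t in text.lower()]

# Constructed sample message: an HTML body sent base64-encoded.
_HTML = "<html><body><p>Meet Russian and   Ukrainian girls. Find your perfect mate.</p></body></html>"
RAW = (
    "From: sender@example.invalid\n"
    "Subject: hello\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n\n"
    + base64.encodebytes(_HTML.encode()).decode()
)

def scan():
    """Return (hits on the raw source, hits on the decoded body)."""
    msg = message_from_string(RAW, policy=policy.default)
    return hits(RAW), hits(visible_text(msg))
```

Matching on the raw source finds none of the terms, while matching on the decoded body finds all three, so content rules belong after MIME decoding.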
Below is an example from Wikipedia [https://en.wikipedia.org/wiki/Base64] of how this base64 encoding of a paragraph of text from Thomas Hobbes' Leviathan would work.
So, once again, this is another level of spam construction meant to evade spam filters. In our part II article tomorrow, we will delve into who might be responsible for this campaign.