Old 10-09-2005, 09:29 PM
Moe Trin
Re: Incoherent E-mails

In the Usenet newsgroup alt.computer.security, in article
<ItX1f.19668$q81.7919@trnddc06>, phishee wrote:

> What's the purpose of those semi-coherent or blank body e-mails that
> slip past spam filters? Are they just looking for a reply
> acknowledgment, thus verifying a valid e-mail account?


Learn how mail is transported over the Internet. Your mail tool or
browser contacts your ISP's mail server. Spammers, viruses and 'bots tend
to bypass this step and try to contact the destination mail server direct.
Your ISP's mail server contacts the mail server at the destination, and
the two have a conversation that goes something like (paraphrased from
RFC0821 and RFC2821)

A: Hello B - my name is mail.example.com
B: Hello mail.example.com, pleased to meet you
A: I have mail from WxGhkfa@abc.def
B: <WxGhkfa@abc.def> Sender OK
A: Mail goes to Sucker@foo.com
B: <Sucker@foo.com> Recipient OK
A: Mail goes to Another.fool@foo.com
B: <Another.fool@foo.com> Recipient OK
A: Mail goes to Still.another@foo.com
B: <Still.another@foo.com> No such user
A: Mail goes to Still.another.fool@foo.com
B: <Still.another.fool@foo.com> Recipient OK
A: Mail Begins
B: Enter mail, end with "." on a line by itself.
A: To: The Name you See in the To: header
A: From: The Name you See in the From: header
A: Subject: An offer you can't live without
A: Date: some.random.date/time
A:
A: Buy stuff from me at http://some.wankers.URL
A: .
B: OK, I got it
A: So long, sucker

A couple of points here. Note that the "I have mail from" (called the
envelope sender) and the 'From:' line (the body sender) have nothing to
do with each other. The same is true for the "Mail goes to" lines,
which (unless there is only one) never show up in the mail you receive.
When there are multiple "Mail goes to" lines, each one gets the exact same
body - and the name in the "To:" line has nothing to do with delivering
the spam. The "From:" and "To:" lines can actually be missing, and the mail
will still be delivered to you - a function of that "Mail goes to" line.
See http://www.stopspam.org/email/headers.html if you want to learn more
about the real headers in the mail.

Now, the blank body isn't really considered blank, because what you see
in the To:, From:, Header, Date: and so on headers are considered part of
the body as far as the mail transport is concerned. If _that_ were missing,
the mail transport agent at the receiving end might complain, and could
drop the crap as incomplete. But look again at this conversation. Note
that three times, "B:" said "Recipient OK", and only once said "No such user".
Guess what - the spammer has confirmed that three addresses are valid. They
also confirmed that one address is bad - but that may not be important to
them, as it rarely costs them anything. Some mail servers may be configured
to tell the sender to shove it if it tries to send mail to too many
non-existent addresses, but that's not common enough. Maybe you didn't
do a d4mn thing - you didn't open the mail in some crappy browser that
auto-installs any executable linked in the mail - you didn't hit the reply
button to tell the spammer off... you did nothing. Heck you may not have
even turned on the computer to check your mail, but the bad guys have
confirmed that your address is real.

>Or is there something more serious going on?


It could also be that the spammer's zombie program has a bug in it and crashed,
but this is less likely - the program still had to send that line that only
contained a dot which marks the end of a mail transmission. If the zombie
crashed after sending the To: From: or Subject: lines (or even part of what
you see in the body) and didn't send that line that only contains the dot,
the receiving mail server will wait (up to several minutes), and them toss
the mail away. The rules of mail transport say that the sender isn't done
until the receiving mail server says "OK, I got it". There would be a log
entry in the mail server, but you as a user would never see that.

Old guy

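The dialogue Moe Trin paraphrases above, replayed against a toy SMTP receiver. This is an added example, not code from the original post or from any real mail server: a minimal in-memory state machine that answers HELO/MAIL/RCPT/DATA with RFC 5321-style reply codes, delivers only to the envelope recipients (the "Mail goes to" addresses), ignores the To:/From: header lines for delivery, and keeps a list of which addresses the remote sender has just confirmed as valid or invalid, which is what the receiving server's log would show and what the user never sees. The local user list, the domain foo.com and both client transcripts are constructed for illustration; the second transcript is the "zombie crashed mid-DATA" case, where the terminating "." never arrives and nothing is delivered, but the RCPT probes have already leaked which mailbox exists.

```python
"""Toy SMTP receiver (constructed example, not a real MTA)."""

# Constructed: local mailboxes on the receiving domain foo.com (assumption).
LOCAL_USERS = {"sucker", "another.fool", "still.another.fool"}
LOCAL_DOMAIN = "foo.com"


class ToySMTPServer:
    """One SMTP session: envelope handling, DATA collection, in-memory delivery."""

    def __init__(self, users=LOCAL_USERS, domain=LOCAL_DOMAIN):
        self.users = users
        self.domain = domain
        self.mailboxes = {u: [] for u in users}   # messages actually delivered
        self.confirmed_valid = []                 # what the sender learned from RCPT
        self.confirmed_invalid = []
        self.helo = None
        self._reset_transaction()

    def _reset_transaction(self):
        self.sender = None
        self.rcpts = []          # envelope recipients ("Mail goes to" lines)
        self.data_lines = None   # not None => inside DATA, waiting for "."

    def _is_local(self, addr):
        local, _, domain = addr.lower().rpartition("@")
        return domain == self.domain and local in self.users

    def pending_transaction(self):
        """True if DATA was started but the terminating '.' never arrived."""
        return self.data_lines is not None

    def command(self, line):
        """Feed one client line; return the server reply (None inside DATA)."""
        if self.data_lines is not None:
            if line == ".":
                body = "\n".join(self.data_lines)
                for rcpt in self.rcpts:                 # envelope only; To: header ignored
                    self.mailboxes[rcpt.split("@")[0]].append(body)
                self._reset_transaction()
                return "250 OK, message accepted for delivery"
            # Undo dot-stuffing (RFC 5321 4.5.2) and keep collecting the message.
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            return f"250 {self.domain} Hello {arg}"
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip(" <>")
            return f"250 <{self.sender}> Sender OK"
        if verb == "RCPT":
            addr = arg.split(":", 1)[1].strip(" <>").lower()
            if self._is_local(addr):
                self.rcpts.append(addr)
                self.confirmed_valid.append(addr)     # the harvester's payoff
                return f"250 <{addr}> Recipient OK"
            self.confirmed_invalid.append(addr)
            return f"550 <{addr}> No such user"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT first"
            self.data_lines = []
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognized command"


def run_session(server, client_lines):
    """Drive one session from a scripted client transcript; return the replies."""
    return [r for r in (server.command(l) for l in client_lines) if r is not None]


# Constructed transcript mirroring the post's dialogue. Note the To: header
# names an address that is NOT an envelope recipient; it gets nothing.
SPAM_TRANSCRIPT = [
    "HELO mail.example.com",
    "MAIL FROM:<WxGhkfa@abc.def>",
    "RCPT TO:<Sucker@foo.com>",
    "RCPT TO:<Another.fool@foo.com>",
    "RCPT TO:<Still.another@foo.com>",
    "RCPT TO:<Still.another.fool@foo.com>",
    "DATA",
    "To: Everyone <everyone@foo.com>",
    "From: Friendly Name <nobody@example.invalid>",
    "Subject: An offer you can't live without",
    "",
    "Buy stuff from me at http://example.invalid/",
    ".",
    "QUIT",
]

# Constructed: the bot dies after sending headers; no "." ever arrives.
CRASH_TRANSCRIPT = SPAM_TRANSCRIPT[:3] + SPAM_TRANSCRIPT[6:10]


def spam_session():
    srv = ToySMTPServer()
    return srv, run_session(srv, SPAM_TRANSCRIPT)


def crashed_zombie_session():
    srv = ToySMTPServer()
    return srv, run_session(srv, CRASH_TRANSCRIPT)


if __name__ == "__main__":
    srv, replies = spam_session()
    print("\n".join(replies))
    print("confirmed valid:", srv.confirmed_valid)
    print("delivered to:", [u for u, box in srv.mailboxes.items() if box])
    srv2, _ = crashed_zombie_session()
    print("crash case: delivered", sum(map(len, srv2.mailboxes.values())),
          "messages; still leaked", srv2.confirmed_valid)
```

Running it prints three "Recipient OK" replies and one "No such user" for the first transcript, with the message landing in exactly the three envelope mailboxes and nothing for everyone@foo.com; in the crash transcript nothing is delivered and the transaction stays open (a real MTA would time it out and discard the partial message), yet confirmed_valid already holds the one probed address.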