10-13-2005, 12:58 AM
Winged
Guest
Re: Incoherent E-mails

Moe Trin wrote:
> In the Usenet newsgroup alt.computer.security, in article
> <ItX1f.19668$q81.7919@trnddc06>, phishee wrote:
>
>
>>What's the purpose of those semi-coherent or blank body e-mails that
>>slip past spam filters? Are they just looking for a reply
>>acknowledgment, thus verifying a valid e-mail account?
>
> Learn how mail is transported over the Internet. Your mail tool or
> browser contacts your ISP's mail server. Spammers, viruses and 'bots tend
> to bypass this step and try to contact the destination mail server direct.
> Your ISP's mail server contacts the mail server at the destination, and
> the two have a conversation that goes something like (paraphrased from
> RFC0821 and RFC2821)
>
> A: Hello B - my name is mail.example.com
> B: Hello mail.example.com, pleased to meet you
> A: I have mail from WxGhkfa@abc.def
> B: <WxGhkfa@abc.def> Sender OK
> A: Mail goes to Sucker@foo.com
> B: <Sucker@foo.com> Recipient OK
> A: Mail goes to Another.fool@foo.com
> B: <Another.fool@foo.com> Recipient OK
> A: Mail goes to Still.another@foo.com
> B: <Still.another@foo.com> No such user
> A: Mail goes to Still.another.fool@foo.com
> B: <Still.another.fool@foo.com> Recipient OK
> A: Mail Begins
> B: Enter mail, end with "." on a line by itself.
> A: To: The Name you See in the To: header
> A: From: The Name you See in the From: header
> A: Subject: An offer you can't live without
> A: Date: some.random.date/time
> A:
> A: Buy stuff from me at http://some.wankers.URL
> A: .
> B: OK, I got it
> A: So long, sucker
>
> A couple of points here. Note that the "I have mail from" (called the
> envelope sender) and the 'From:' line (the body sender) have nothing to
> do with each other. The same is true for the "Mail goes to" lines,
> which (unless there is only one) never show up in the mail you receive.
> When there are multiple "Mail goes to" lines, each one gets the exact same
> body - and the name in the "To:" line has nothing to do with delivering
> the spam. The "From:" and "To:" lines can actually be missing, and the mail
> will still be delivered to you - a function of that "Mail goes to" line.
> See http://www.stopspam.org/email/headers.html if you want to learn more
> about the real headers in the mail.
>
> Now, the blank body isn't really considered blank, because what you see
> in the To:, From:, Header, Date: and so on headers are considered part of
> the body as far as the mail transport is concerned. If _that_ were missing,
> the mail transport agent at the receiving end might complain, and could
> drop the crap as incomplete. But look again at this conversation. Note
> that three times, "B:" said "Recipient OK", and only once said "No such user".
> Guess what - the spammer has confirmed that three addresses are valid. They
> also confirmed that one address is bad - but that may not be important to
> them, as it rarely costs them anything. Some mail servers may be configured
> to tell the sender to shove it if it tries to send mail to too many
> non-existent addresses, but that's not common enough. Maybe you didn't
> do a d4mn thing - you didn't open the mail in some crappy browser that
> auto-installs any executable linked in the mail - you didn't hit the reply
> button to tell the spammer off... you did nothing. Heck you may not have
> even turned on the computer to check your mail, but the bad guys have
> confirmed that your address is real.
>
>
>>Or is there something more serious going on?
>
> It could also be that the spammer's zombie program has a bug in it and crashed,
> but this is less likely - the program still had to send that line that only
> contained a dot which marks the end of a mail transmission. If the zombie
> crashed after sending the To: From: or Subject: lines (or even part of what
> you see in the body) and didn't send that line that only contains the dot,
> the receiving mail server will wait (up to several minutes), and then toss
> the mail away. The rules of mail transport say that the sender isn't done
> until the receiving mail server says "OK, I got it". There would be a log
> entry in the mail server, but you as a user would never see that.
>
> Old guy
Excellent reply! Thanks for the effort.

Another issue I have seen recently is MIME-encoded e-mails that "appear"
to be blank but auto-execute code in improperly configured Outlook
Express clients. Some send local machine information back to places
unknown; some try to launch remote code on the local machine. These seem
to be specifically targeted at the Outlook Express product.

Seems to me in the cyber world the good guys are losing... with
Microsoft's help (they still haven't fixed their old known holes and are
opening new opportunities daily), the bad guys are winning.... guess it's
been a bad day....

Winged

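The exchange Moe Trin paraphrases above, modelled from the receiving server's side as an added example that is not part of the original thread: a small Python state machine that answers HELO/MAIL/RCPT/DATA the way his transcript does, treats the To:/From: header lines as ordinary DATA, and implements the "tell the sender to shove it after too many non-existent addresses" policy he mentions. The mailbox table, reply texts and the `max_unknown` threshold are constructed for the example.

```python
"""Constructed model of the SMTP dialogue in the post (replies paraphrase RFC 2821).
Hypothetical policy: close the session once the client has named too many unknown
recipients, so a harvester cannot verify a whole list of guesses in one connection."""

VALID_USERS = {"sucker", "another.fool", "still.another.fool"}  # constructed mailbox table


class Smtpd:
    def __init__(self, max_unknown=3, valid_users=VALID_USERS):
        self.valid, self.max_unknown = valid_users, max_unknown
        self.unknown, self.in_data, self.closed = 0, False, False
        self.envelope_from, self.rcpt, self.body = None, [], []

    def handle(self, line):
        """Reply for one client line (None when the server sends nothing)."""
        if self.closed:
            return None
        if self.in_data:  # To:, From:, Subject: and the text are all just DATA here
            if line == ".":
                self.in_data = False
                return "250 OK, I got it"
            self.body.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 Hello {arg}, pleased to meet you"
        if verb == "MAIL":
            self.envelope_from = arg.split(":", 1)[-1]  # envelope sender, not From:
            return f"250 {self.envelope_from} Sender OK"
        if verb == "RCPT":
            addr = arg.split(":", 1)[-1]
            if addr.strip("<>").split("@")[0].lower() in self.valid:
                self.rcpt.append(addr)  # delivery is driven by this list, not by To:
                return f"250 {addr} Recipient OK"
            self.unknown += 1
            if self.unknown >= self.max_unknown:
                self.closed = True  # stop answering: each 550 confirms a bad guess
                return "421 Too many errors, closing connection"
            return f"550 {addr} No such user"
        if verb == "DATA":
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            self.closed = True
            return "221 Bye"
        return "500 Command not recognized"


def run_session(client_lines, max_unknown=3):
    """Feed a whole client transcript; return the replies actually sent and the server."""
    server = Smtpd(max_unknown)
    replies = [server.handle(line) for line in client_lines]
    return [r for r in replies if r is not None], server
```

With the post's four recipients the session completes normally (one 550 among three 250s); a session that guesses ten addresses is cut off at the third unknown one.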