What is this? Spam? Viral defecation?


Mark Buell

I'm getting a couple of these a day. Always similar, never the same.
Uses many phrases in a recombinant fashion. Always contains one, but
usually two graphics with links to sites that are similar to the "from"
site. The "received from" header is sometimes the same. So what is this?
A malware-generated spam? A genuine spam?

I've never been willing to attempt to contact the linked URLs - I
haven't any secure machines set up to wipe and reboot. Everything I've
got is I think secured, but I haven't any machines I'm willing to wipe
and restore, jic, ya know. My email has been deleted from the sample
below to stop the harvesters.

TIA
Mark

pull out the stops if you wish to reply direct.
mastops_bustopsell(at)yahoo.com

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From: Drive For Free <[email protected]>
To: DELETED FOR SPAM CONTROL
Date: Wednesday, March 10, 2004, 4:40:01 PM
Subject: Get paid to drive your Free Car
Files: message.html
--====----====----====----====----====----====----====----====----====----===--
X-Apparently-To: DELETED FOR SPAM CONTROL via 216.136.226.231;
    Thu, 11 Mar 2004 00:34:29 -0800
Return-Path: <[email protected]>
Received: from 65.60.27.94 (EHLO 2721.emailhardworker.com) (65.60.27.94)
    by mta119.mail.sc5.yahoo.com with SMTP; Thu, 11 Mar 2004 00:34:28 -0800
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: Get paid to drive your Free Car
From: "Drive For Free"<[email protected]>
To: DELETED FOR SPAM CONTROL
X-Priority: 3
Date: Thu, 11 Mar 2004 00:40:01
Sounds good to me, I said. (I'd seen something really weird. :)
Suddenly, she wasn't there. I can never describe the walk back to my
truck.

Sounds good to me, I said. Can you tell me the answer? she asked. I'd
walk down to the stream, look around, and take a deep breath. Love, and
hate, are powerful emotions.

I want you to hit me as hard as you can. He extended his hand by way
of introduction. I'd walk down to the stream, look around, and take a
deep breath. You can't go up to the unit. Nobody's allowed up there.

Don't do that, the cat pointed out. You can't go up to the unit.
Nobody's allowed up there. (I'd seen something really weird. :) I'll
tell you what happened next. I didn't have to say: can we change the
meeting from 6 to 11? My kids have a music recital and I dont want to
miss it for the world.
bWFya19idWVsbEB5YWhvby5jb20=



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 

mzlindyone

> X-Apparently-To: DELETED FOR SPAM CONTROL via 216.136.226.231;
>     Thu, 11 Mar 2004 00:34:29 -0800
> Return-Path: <[email protected]>
> Received: from 65.60.27.94 (EHLO 2721.emailhardworker.com) (65.60.27.94)
>     by mta119.mail.sc5.yahoo.com with SMTP; Thu, 11 Mar 2004 00:34:28 -0800

No worm I know of sends mail through Yahoo. :)
The Optigate machine may be infected or not, but if so it's a proxy
not something trying to spread itself.

I don't see any URLs or links here.
 

Mark Buell

> No worm I know of sends mail through Yahoo. :)
> The Optigate machine may be infected or not, but if so it's a proxy
> not something trying to spread itself.
>
> I don't see any URLs or links here.

Nope, I deleted the graphics. Opera shows me that there are links on the
graphics, but I haven't been able to find the HTML code that creates the
link. I'm not sure how they've done that. I have intentionally limited
the HTML viewing I get in my email, so I'm not sure what the graphics
actually are, but I think they are just small blanks. I haven't opened the
original in something like my browser to see if there is actually
anything in the graphics.

Mark
 

Gabriele Neukam

On that special day, Mark Buell, ([email protected]) said...
> Sounds good to me, I said. (I'd seen something really weird. :)
> Suddenly, she wasn't there.

Such gibberish is created by programs like Hipcrime. Maybe someone tried
to get past the Bayes filtering by inserting common word combinations,
to improve the good words/bad words ratio, to avoid the mails being
tagged as spam. The real spam is probably the graphics file, which will
most probably be called from a remote site, telling the spammer the spam
is in fact read.

If you want to see the HTML source, why don't you right click on the
mail, choose frame, and then "show source" or the like (mine is German)?
It works for me on web pages, and should do so with mail. The shortcut
of the command is Alt-F3.

Gabriele Neukam

(e-mail address removed)
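Two things in this thread are easier to see with a parser than by eye: where the link on a graphic comes from (an `<img>` nested inside an `<a href>`), and which images are fetched from a remote site and so act as read receipts for the spammer. The script below is an added example, not code from anyone in the thread. It feeds a constructed message, whose headers copy the form quoted above but whose HTML body and `example.invalid` hosts are assumptions, through Python's standard `email` and `html.parser` modules, pulls the connecting IP and claimed EHLO name out of the Yahoo-style `Received:` header, and lists every image with its wrapping link and a rough label (1x1 or token-tagged remote image = beacon, other remote image, or inline `cid:` attachment).

```python
import re
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the original poster's). The headers are
# modelled on those quoted in the thread; the HTML body is an assumption,
# since the poster had deleted the graphics before forwarding.
RAW_MESSAGE = b"""Return-Path: <bounce@example.invalid>
Received: from 65.60.27.94 (EHLO 2721.emailhardworker.com) (65.60.27.94)
  by mta119.mail.sc5.yahoo.com with SMTP; Thu, 11 Mar 2004 00:34:28 -0800
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: Get paid to drive your Free Car
From: "Drive For Free" <sender@example.invalid>
To: victim@example.invalid

<html><body>
<a href="http://track.example.invalid/click?id=abc123"><img
 src="http://track.example.invalid/open?id=abc123" width="1" height="1"></a>
<p>Sounds good to me, I said. Suddenly, she wasn't there.</p>
<img src="cid:logo">
<a href="http://offer.example.invalid/car"><img src="http://offer.example.invalid/banner.gif"></a>
</body></html>
"""

# Yahoo's "Received: from <addr> (EHLO <name>) (<ip>) by ..." form quoted in the thread.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\(EHLO\s+(?P<ehlo>[^)]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
)


class ImageLinkFinder(HTMLParser):
    """Collects every <img> together with the <a href> that wraps it.

    A mail client shows a link on a graphic when the <img> sits inside an <a>;
    that nesting is what is hard to spot in a wall of hashbuster text.
    """

    def __init__(self):
        super().__init__()
        self._open_links = []   # hrefs of <a> elements currently open
        self.images = []        # one dict per <img>, in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._open_links.append(a.get("href"))
        elif tag == "img":
            self.images.append({
                "src": a.get("src", ""),
                "href": self._open_links[-1] if self._open_links else None,
                "width": a.get("width"),
                "height": a.get("height"),
            })

    def handle_endtag(self, tag):
        if tag == "a" and self._open_links:
            self._open_links.pop()


def received_hops(msg):
    """Return the connecting IP and claimed EHLO name for each Received header."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(value))   # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append(m.groupdict())
    return hops


def classify_image(img):
    """'beacon' for a remote image that looks built to signal an open,
    'remote' for any other remotely fetched image, 'inline' otherwise."""
    scheme = urlparse(img["src"]).scheme.lower()
    if scheme not in ("http", "https"):
        return "inline"            # cid:, data: or relative; no fetch to the spammer
    tiny = img["width"] in ("0", "1") and img["height"] in ("0", "1")
    tagged = "?" in img["src"]     # per-recipient token in the query string
    return "beacon" if tiny or tagged else "remote"


def report(raw):
    """Parse a raw RFC 822 message and summarise its hops and image links."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    images = []
    if html_part is not None:
        finder = ImageLinkFinder()
        finder.feed(html_part.get_content())
        images = [dict(i, kind=classify_image(i)) for i in finder.images]
    return {"hops": received_hops(msg), "images": images}


if __name__ == "__main__":
    result = report(RAW_MESSAGE)
    for hop in result["hops"]:
        print(f"hop from {hop['ip']} (claimed EHLO {hop['ehlo']})")
    for img in result["images"]:
        print(f"{img['kind']:7s} src={img['src']} link={img['href']}")
```

Run it against a real message by passing the saved `.eml` bytes to `report()` instead of `RAW_MESSAGE`. Only the IP in the outermost trustworthy `Received:` line (the one added by your own provider) is reliable; the EHLO name and any earlier hops are whatever the sending machine chose to say. The classification is a heuristic, so a blank 1x1 image without a token and a normal banner with a tracking query string both get flagged by design.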
 

Mark Buell

> On that special day, Mark Buell, ([email protected]) said...
>
> Such gibberish is created by programs like Hipcrime. Maybe someone tried
> to get past the Bayes filtering by inserting common word combinations,
> to improve the good words/bad words ratio, to avoid the mails being
> tagged as spam. The real spam is probably the graphics file, which will
> most probably be called from a remote site, telling the spammer the spam
> is in fact read.
>
> If you want to see the HTML source, why don't you right click on the
> mail, choose frame, and then "show source" or the like (mine is German)?
> It works for me on web pages, and should do so with mail. The shortcut
> of the command is Alt-F3.
>
> Gabriele Neukam
>
> (e-mail address removed)

Thanks folks. I appreciate the knowledge.

Mark
 