1.txt spam

From July 23 we received several spams that were very strange. The message body was HTML-formatted text that only contained one character, the digit 1. It had an attachment, a text file called 1.txt, which was Base64 MIME-encoded. First we wondered if it was a virus, but the attachment was executable. It only contains two characters, which are spaces. The Base64-encoded data is followed by two non-ASCII values (04h, 14h), which appear to be a bug in the program that sends the spam.

The sender name in the emails is derived from the recipient address. The message ID uses the domain of the recipient. The message boundary matches one common bulkmail package. Most likely, someone was experimenting with a new version of software to send out spam and this was part of a test run.

Here is an example:

Received: by gamma.mc1.hosteurope.de running Exim 4.51 using smtp
    from [85.94.97.163] (helo=GARO.net)
    id 1DwH9v-00009T-Ju
    for joe_wein@drogenpolitik.org; Sat, 23 Jul 2005 12:23:08 +0200
Date: Sat, 23 Jul 2005 12:24:10 +0100
To: "Joe" <joe_wein@drogenpolitik.org>
From: "Joe" <joe_weiland@ml.com>
Subject: 1
Message-ID: <kgjutfrxjqjopfvbily@drogenpolitik.org>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="--------bclbcjcnyymgcrbarzei"
X-HE-Spam-Level: ++++++++++
X-HE-Spam-Score: 10.2
X-HE-Spam-Report: Content analysis details: (10.2 points)
    pts  rule name              description
    ---- ---------------------- --------------------------------------------------
    5.0  SARE_BOUNDARY_05       Content type boundary used in spam
    3.2  MSGID_SPAM_LETTERS     Spam tool Message-Id: (letters variant)
    0.7  HTML_SHORT_LENGTH      BODY: HTML is extremely short
    1.2  MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
    0.0  HTML_MESSAGE           BODY: HTML included in message
    0.2  HTML_90_100            BODY: Message is 90% to 100% HTML
Envelope-to: joe_wein@drogenpolitik.org

----------bclbcjcnyymgcrbarzei
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body> 1<br><br> <br> </body></html>
----------bclbcjcnyymgcrbarzei
Content-Type: application/octet-stream; name="1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="1.txt"

ICA=p
----------bclbcjcnyymgcrbarzei--
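
The traits described above (sender name copied from the recipient, Message-ID in the recipient's domain, stray bytes after the Base64 data, a blank attachment) can be checked mechanically. The following is an added example, not code from the original post; the function name `analyze`, the result keys and the cut-down sample message are assumptions made for illustration.

```python
import base64
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample: the quoted message cut down to the relevant headers,
# with the two stray bytes after the base64 data written as \x04\x14.
SAMPLE = (
    b'To: "Joe" <joe_wein@drogenpolitik.org>\n'
    b'From: "Joe" <joe_weiland@ml.com>\n'
    b'Message-ID: <kgjutfrxjqjopfvbily@drogenpolitik.org>\n'
    b'Content-Type: multipart/mixed; boundary="--------bclbcjcnyymgcrbarzei"\n'
    b'\n'
    b'----------bclbcjcnyymgcrbarzei\n'
    b'Content-Type: text/html; charset="us-ascii"\n'
    b'\n'
    b'<html><body> 1<br><br> <br> </body></html>\n'
    b'----------bclbcjcnyymgcrbarzei\n'
    b'Content-Type: application/octet-stream; name="1.txt"\n'
    b'Content-Transfer-Encoding: base64\n'
    b'\n'
    b'ICA=\x04\x14\n'
    b'----------bclbcjcnyymgcrbarzei--\n'
)

# Longest well-formed base64 prefix: full quads, then one padded quad at most.
B64_PREFIX = re.compile(
    r'(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?')

def analyze(raw: bytes) -> dict:
    msg = message_from_bytes(raw)
    to_name, to_addr = parseaddr(msg.get('To', ''))
    from_name, _ = parseaddr(msg.get('From', ''))
    id_domain = msg.get('Message-ID', '').strip('<> ').rpartition('@')[2].lower()
    found = {
        'sender_name_copies_recipient': bool(to_name) and to_name == from_name,
        'msgid_uses_recipient_domain':
            bool(id_domain) and id_domain == to_addr.rpartition('@')[2].lower(),
        'junk_after_base64': b'',   # bytes left over after the valid base64 data
        'payload_blank': False,     # decoded attachment is empty or whitespace only
    }
    for part in msg.walk():
        if part.get('Content-Transfer-Encoding', '').strip().lower() != 'base64':
            continue
        body = part.get_payload().replace('\r', '').replace('\n', '')
        valid = B64_PREFIX.match(body).group(0)
        found['junk_after_base64'] = body[len(valid):].encode('ascii', 'surrogateescape')
        found['payload_blank'] = base64.b64decode(valid).strip() == b''
    return found
```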