Latest spam annoyance: short, gibberish emails

Four years ago I asked a question about gibberish URLs being sent to my email address via a contact form – namely, what the hell are these people gaining? The general agreement back then was basically: they apparently think your contact form is a general comment form, so if their gibberish URLs are posted on your site, they know they can go back and post their real spam.

Now I have a stranger influx of spam that’s not being sent via my own contact form. These are direct emails and they all have the same format:

And that’s it. I get about five to ten of these a day. The names are always different. The subject lines and messages are always different, always very brief combos of five letters/numbers or fewer.

Now, I don’t have HTML turned on by default – I practice safe email. So whenever I get one of these messages, before I bother opening it (I rarely do) I look at the source code to see if there’s some secret hidden .gif that would indicate to the sender if I were to open the emails, or some other hidden nasty code.

…But there isn’t. There’s no HTML in the message body at all. Here are two actual samples (with my own and the sender’s email blanked out – the alleged sender may be innocent in all this, after all):


Return-path: <BLANK@bbs.natca.net>
Envelope-to: MY EMAIL ADDRESS
Delivery-date: Sat, 10 Mar 2012 16:58:46 -0500
Received: from [**201.21.168.4**] (port=61681 helo=gdkopsg.net)
	by electra.hmdnsgroup.com with smtp (Exim 4.69)
	(envelope-from <BLANK@bbs.natca.net>)
	id 1S6UJF-00063Z-NM
	for (MY EMAIL ADDRESS); Sat, 10 Mar 2012 16:58:42 -0500
To: <MY EMAIL ADDRESS>
MIME-Version: 1.0
Date: Sat, 10 Mar 2012 20:54:06 +0000
From: "FAKE_NAME" <BLANK@bbs.natca.net>
Message-ID: <201203102355.A37F83AC18AB6A71BE7FCA2@9g1gdod0>
Subject: 1tdodi
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-HMDNSGroup-MailScanner-Information: Please contact the ISP for more information
X-HMDNSGroup-MailScanner-ID: 1S6UJF-00063Z-NM
X-HMDNSGroup-MailScanner: Found to be clean
X-HMDNSGroup-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.794,
	required 4, BAYES_80 2.00, RDNS_NONE 0.79, TVD_SPACE_RATIO 0.00)
X-HMDNSGroup-MailScanner-SpamScore: ss
X-HMDNSGroup-MailScanner-From: BLANK@bbs.natca.net
X-Spam-Status: No
X-Antivirus: AVG for E-mail 2012.0.1913 [2114/4862]
X-AVG-ID: ID6603ED04-7804C43F

0dl
-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2012.0.1913 / Virus Database: 2114/4862 - Release Date: 03/10/12

Notes:

  1. The bolded IP address is apparently located in Brazil.
  2. I didn’t blank out the domain of the alleged sender because it’s interesting – it’s the BBS of the National Air Traffic Controllers Association!
  3. The AVG message is tacked on via my system, since I use AVG (obviously).
  4. The “0dl” in there is the only thing in the body of the message.

Here’s another one, received earlier this AM:


Return-path: <BLANK@usinternet.com>
Envelope-to: MY EMAIL ADDRESS
Delivery-date: Sat, 10 Mar 2012 14:37:28 -0500
Received: from [**190.246.66.2**] (port=54213 helo=x8bc97l.net)
	by electra.hmdnsgroup.com with smtp (Exim 4.69)
	(envelope-from <BLANK@usinternet.com>)
	id 1S6S6W-0003WC-LY
	for MY EMAIL ADDRESS; Sat, 10 Mar 2012 14:37:25 -0500
To: <MY EMAIL ADDRESS>
MIME-Version: 1.0
Subject: lj9bu
Message-ID: <63b29c45g36-28409614-156o8c44@oydxuwxkuz>
Date: Sat, 10 Mar 2012 11:33:39 -0700
From: "FAKE NAME2" <BLANK@usinternet.com>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-HMDNSGroup-MailScanner-Information: Please contact the ISP for more information
X-HMDNSGroup-MailScanner-ID: 1S6S6W-0003WC-LY
X-HMDNSGroup-MailScanner: Found to be clean
X-HMDNSGroup-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.794,
	required 4, BAYES_80 2.00, RDNS_NONE 0.79, TVD_SPACE_RATIO 0.00)
X-HMDNSGroup-MailScanner-SpamScore: ss
X-HMDNSGroup-MailScanner-From: BLANK@usinternet.com
X-Spam-Status: No
X-Antivirus: AVG for E-mail 2012.0.1913 [2114/4862]
X-AVG-ID: ID4036917F-4A0CC6A3

6
-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2012.0.1913 / Virus Database: 2114/4862 - Release Date: 03/10/12


Notes:

  1. This time, the IP in bold is from Argentina (hm, a trend?) and is also identified by Project Honey Pot as a mail server used by baddies.
  2. As before, the only thing in the body of the message is “6.”

BTW, for both this and the other example, the FAKE NAMEs used by the alleged senders have turned up in Project Honey Pot as having been used before.

So what gives? What are they trying to accomplish by spamming me thus? Or are they just testing their sending mail server rather than testing the recipient (me)?

All I know is that it’s really bleedin’ annoying and I can’t think of a way to filter them out.
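One way to filter on the traits the two samples share, as an added example that is not part of the original post: it scores a raw message on a short alphanumeric subject, a short plain-text body (after stripping the scanner footer), a HELO name unrelated to the envelope sender's domain, and the `RDNS_NONE` rule in a scanner header. The function names, the threshold of 3, the six-character limit and the sample messages are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TOKEN = re.compile(r"[A-Za-z0-9]{1,6}")               # one short alphanumeric run
AV_FOOTER = re.compile(r"^-----\s*$.*", re.M | re.S)  # scanner footer added on receipt
HELO = re.compile(r"helo=([\w.-]+)")

def probe_traits(raw):
    """Return which traits of the two samples above a raw message shows."""
    msg = message_from_string(raw)
    traits = set()
    if TOKEN.fullmatch((msg.get("Subject") or "").strip()):
        traits.add("short_subject")
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        if TOKEN.fullmatch(AV_FOOTER.sub("", msg.get_payload()).strip()):
            traits.add("short_body")
    # Only the topmost Received header was written by the receiving server.
    helo = HELO.search(msg.get("Received") or "")
    domain = parseaddr(msg.get("Return-path") or "")[1].rpartition("@")[2].lower()
    if helo and domain:
        name = helo.group(1).lower()
        if name != domain and not name.endswith("." + domain):
            traits.add("helo_mismatch")  # weak on its own: many legitimate relays differ
    if any("RDNS_NONE" in str(value) for value in msg.values()):
        traits.add("no_rdns")            # SpamAssassin rule name from the scanner header
    return traits

def is_probe(raw, threshold=3):
    # Flag a message only when several traits coincide.
    return len(probe_traits(raw)) >= threshold

# Constructed samples (documentation addresses), modelled on the headers above.
PROBE = """\
Return-path: <sender@mail.example.org>
Received: from [192.0.2.10] (port=61681 helo=gdkopsg.example) by mx.example.com with smtp
Subject: 1tdodi
Content-Type: text/plain; charset=UTF-8
X-Example-SpamCheck: not spam, SpamAssassin (score=2.794, BAYES_80 2.00, RDNS_NONE 0.79)

0dl
-----
No virus found in this message.
"""
LEGIT = """\
Return-path: <alice@example.org>
Received: from [198.51.100.7] (helo=mail.example.org) by mx.example.com with esmtp
Subject: ok

Sounds good, see you at the meeting on Monday.
"""
```

The constructed `LEGIT` message has a two-letter subject but shows no other trait, so it stays below the threshold.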

They are probes. Spambots hit every web form they can find, and use (seemingly) random domains and content to test which ones of them are comment forms or guest books that publish the posted content on the web. They’ll then go back and hit them later with real spam containing a real link.

The Brazilian IP is a web proxy. The spambot is most likely run by an Eastern European group that rents it out to “marketing” firms.

Thanks! What you’re describing was the case in my old thread. But as I mentioned, I really don’t think these emails are coming from contact forms – those are usually easy to spot because they’ll contain certain form fields (like name, contact, whatever). Also, I don’t have any contact forms that use this particular email address.

Maybe you’re right, though-- could be someone else’s form. Although… wouldn’t a spambot using someone else’s contact form be sending its messages to the contact form’s creator?

Oh, I misread your OP. Probably nothing to do with a contact form then. Email spam is not my area.

No problemo, thanks anyway, tellyworth. I’m just curious as to what the heck is going on.

Geeze, maybe I should’ve saved all the messages and see if they’re some cryptogram! Maybe I’m being sent coded messages one by one – could it be that I’ve entered a Robert Ludlum book (or worse, Dan Brown)? :wink: