What: Attaching an audio file (MP3 or WAV) to an email. The audio file contains the pitch read by a human voice
Date added: October 18, 2007
Example from the wild:
Example MP3
What: Using GIF animation to prevent tokenization and arranging the letters so that they flash like a neon sign in the 'wrong' order making OCR hard
Date added: October 17, 2007
Example from the wild:
(Reported by Nick FitzGerald):
blog entry
What: Like The Office, but just using Excel
Date added: September 25, 2007
Example from the wild:
(Reported by Nick FitzGerald):
here
What: Using a carefully selected search string to use Google as a redirector by searching for a unique string appearing on a site and using the "I'm feeling lucky" option.
Date added: September 23, 2007
Example from the wild:
(Reported by Nick FitzGerald): http://www.google.com/search?hl=en&q=easyratemortage+tax+deductible+mortgage+refinancing+strategy&btnI=AaEbK6r0Kz0r9JU4b
What: Remotely loading an image using the background attribute of the <body> tag
Date added: June 13, 2007
Example from the wild:
(Reported by Nick FitzGerald) <body background="http://wtargue.hk/quantitative.gif">
What: Rotating images to make them hard to OCR (and sometimes slicing the image before random rotation of each slice).
Date added: March 19, 2007
Example from the wild:
(Reported by Anna Vlasova)
blog entry
What: Pointing to a Flash animation whose only purpose is to redirect to the real spam/phish site. Probably done to avoid phishing detection that relies on finding links that say they are going to one place, but actually go to another.
Date added: December 3, 2006
Example from the wild:
(Reported by Nick FitzGerald via an anonymous CastleCops reporter)
<A href="http://i126.photobucket.com/albums/p87/tractors200/as.swf" target=_blank rel=nofollow _>
<IMG height=32 alt="Respond
Now" src="http://pics.ebaystatic.com/aw/pics/buttons/btnRespondNow.gif"
width=120 border=0></A>
which actually redirects to:
http://www.ess-access.com/Signin.eBay.com.ws.eBayISAPI.dslSignInco.partnerId.pUserId.si
teid.pageType.pa1.i1.BshowGif.UsingSSL.https.ebay.com.pa2.errmsg.runame.
ruparams.ruproduct.sid.confirm5.htm
What: A variant of Strip Mining that uses an animated GIF with transparent frames and randomly kills pixels in two frames, making pixels that are black in one frame match transparent pixels in the other and vice versa.
Date added: November 1, 2006
Example from the wild:
(Reported by Nick FitzGerald)
blog entry
What: Using an animated GIF, with transparent frames, to build up an image that contains the spam message.
Date added: October 16, 2006
Example from the wild:
(Reported by Nick FitzGerald)
blog entry
What: Putting the entire phishing form inside the email without using a web server.
Date added: August 30, 2006
Example from the wild:
(Reported by Sorin Mustaca) (download)
What: Sending spam as an animated GIF with very short initial frames that consist of random noise and a final persistent frame with the actual spam message
Date added: August 30, 2006
Example from the wild:
(Reported by Nick FitzGerald)
What: Hiding a word by writing it vertically, while writing other text horizontally in the same space.
Date added: August 30, 2006
Example from the wild:
(Reported by Nick FitzGerald who also supplied a picture)
<body bgcolor="#FFFFF9" text="#000009">
<p>
<b><font size="3" color="#FF0007">R</font></b><br>
<b><font size="3" color="#FF0005">O</font></b><br>
<b><font size="3" color="#FF0009">L </font></b>Full 18K Gold
Daytona - $269.00<br>
<b><font size="3" color="#FF0008">E</font></b></font><br>
<b><font size="3" color="#FF0005">X</font></b><br>
</p>
What: Making what looks like a valid link to PayPal turn into a link to a phishing site using a FORM and a cleverly constructed INPUT tag.
Date added: June 30, 2006
Example from the wild:
(Reported by Sorin Mustaca)
<FORM action=http://201.117.14.43:8090/xxev/cmd_run/index.php?>
<p><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">
<font size="2" face="Arial, Verdana">
<INPUT style="BORDER-RIGHT: 0pt;
BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR:
hand; COLOR: blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent;
TEXT-DECORATION: underline" type=submit
value=https://www.paypal.com/cgi-bin/webscr?cmd=_login-run>
</font></a></p></form>
What: A variant of the No Whitespace No Cry trick where there are no spaces between words. Instead of spaces the sender uses greyed out letters.
Date added: May 15, 2006
Example from the wild:
(Reported by Joseph Connors)
Save<FONT color=#C0C0C0>U</FONT>time<FONT color=#C0C0C0>P
</FONT>and<FONT color=#C0C0C0>Y</FONT>money<FONT color=#C0C0C0>2
</FONT>on<FONT color=#C0C0C0>B</FONT>your<FONT color=#C0C0C0>J
</FONT>monthly<FONT color=#C0C0C0>A</FONT>meds<FONT color=#C0C0C0>f
</FONT>
Looks like: SaveUtimePandYmoney2onByourJmonthlyAmedsf (with the letters U, P, Y, 2, B, J, A and f greyed out)
What: Exploiting a bug in Internet Explorer to display one link (the real eBay link) while a click actually navigates to the link within the table. Notice the use of a style to change the cursor to make the link appear valid; even the color is set to the 'visited link' color.
Date added: March 31, 2006
Example from the wild:
(Reported by Kevin McGrail)
<a href="https://signin.ebay.com/ws/eBayISAPI.dll">
<table>
<caption>
<a href="http://211.254.130.108XXX/">
<u style="cursor: pointer">
<font color="#008000">eBay Update Center</font>
</u>
</a>
</caption>
</table>
</a>
What: Splitting a suspicious word with random characters and using the CSS display:none to make the random characters disappear.
Date added: March 1, 2006
Example from the wild:
(Reported by Nick FitzGerald: example when it works and when it doesn't)
<span style="display: yes; display: none">g</span>C
<span style="display: yes; display: none">l</span>I
<span style="display: yes; display: none">o</span>A
<span style="display: yes; display: none">c</span>L
<span style="display: yes; display: none">s</span>I
<span style="display: yes; display: none">z</span>S
What: Splitting a suspicious word with random characters and using a <DIV> with float: right to move the characters to the right, raking them away so that the suspicious word is revealed.
Date added: February 15, 2006
Example from the wild:
(Reported by Nick FitzGerald: example when it works and when it doesn't)
<DIV>
<FONT face=Arial size=2>
V<span style="float:right">c</span>
I<span style="float:right">j</span>
A<span style="float:right">m</span>
G<span style="float:right">o</span>
R<span style="float:right">a</span>
A<span style="float:right">a</span>
</DIV>
March 15, 2006 Update (The Rake's Progress): The same trick has been seen with the inline styles replaced with a class defined later in the same message (Nick FitzGerald once more):
<DIV>
C<span class=qg43>f</span>
I<span class=qg43>m</span>
A<span class=qg43>z</span>
L<span class=qg43>t</span>
I<span class=qg43>k</span>
S<span class=qg43>n</span>
</DIV>
<STYLE>
SPAN.qg43 {FLOAT: RIGHT}
</STYLE>
Update: August 30, 2006; the same trick but using FLOAT:LEFT instead of FLOAT:RIGHT.
<DIV>
<FONT face=Arial size=2>
c<span style="float:left">C</span>
f<span style="float:left">I</span>
h<span style="float:left">A</span>
g<span style="float:left">L</span>
j<span style="float:left">I</span>
k<span style="float:left">S</span>
</DIV>
What: Similar to "Slice and Dice", but using an image. The text is sent as an image divided horizontally and cut in the middle of words to make even OCR hard.
Date added: January 16, 2006
Example from the wild:
(Reported by Nick FitzGerald) (blog entry)
<DIV><IMG src=3D"cid:000101c615dc$a412aa7a$e3fea8c0@embellish"></DIV>
<DIV><IMG src=3D"cid:000201c615dc$a412aa7a$e3fea8c0@embellish"></DIV>
<DIV><IMG src=3D"cid:000301c615dc$a412aa7a$e3fea8c0@embellish"></DIV>
<DIV><IMG src=3D"cid:000401c615dc$a412aa7a$e3fea8c0@embellish"></DIV>
<DIV><IMG src=3D"cid:000501c615dc$a412aa7a$e3fea8c0@embellish"></DIV>
<DIV><IMG src=3D"cid:000601c615dc$a412aa7a$e3fea8c0@embellish"></DIV>
<DIV><IMG src=3D"cid:000701c615dc$a412aa7a$e3fea8c0@embellish"></DIV>
</BODY></HTML>
------=_NextPart_001_0002_01C615B2.BB3EE0E0--
------=_NextPart_000_0001_01C615B2.BB3EE0E0
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <000101c615dc$a412aa7a$e3fea8c0@embellish>
R0lGODdh+QAJAIAAAP///wgQDSwAAAAA+QAJAAACWoSPqcvtD6OctNqLs968+w+G4kiW5ommKhO0
AeK+gHzQs73m+s5Dtvy71WjAnvGIVAVnMKGh9Wwmp9QqBhetMV/crNcKDouHiWC3y9SO12wq9Isu
3mLtul1VAAA7
What: Replacing individual letters with embedded images of letters
Date added: January 5, 2006
Example from the wild:
(Reported by Nick FitzGerald) (full example)
------=_NextPart_001_0002_01C61124.1D58EDE0
Content-Type: text/html; charset="us-ascii"
<HTML><BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=3>VI<IMG src="cid:000801c6114e$05325eca$8565a8c0@vesper">GRA</FONT></DIV>
</BODY></HTML>
------=_NextPart_000_0001_01C61124.1D58EDE0
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <000801c6114e$05325eca$8565a8c0@vesper>
R0lGODdhDAAYAMIAAP///xADBqWgoWlhY+Hf30tCRC0iJcPAwCwAAAAADAAYAAADNgi63P4wykmr
vZiKIOL4UUAEkFAARecMnTA8IjA65pI2Q6DrL2MQC4KBcTgxCocFq+FaDB3PBAA7
What: Using the <DIV> tag and specifying FLOAT to overlay fragments of words to create complete words. (See also Slice and Dice)
Date added: September 7, 2005
Example from the wild:
(Reported by wm-sf)
<DIV>
<FONT face=Courier>
<DIV style="FLOAT: left">Me<BR>Ul<BR>Ce<BR><STRONG>Vi</STRONG></DIV>
<DIV style="FLOAT: left">ri<BR>tr<BR>le<BR><STRONG>ag</STRONG></DIV>
<DIV style="FLOAT: left">dia<BR>am<BR>brex<BR><STRONG>ra</STRONG></DIV>
</FONT>
</DIV>
What: Hiding words by spelling them incorrectly by simulating a keyboard with an incorrect repeat delay or sticky keys.
Date added: August 23, 2005
Example from the wild:
(Reported by William Brown)
<span style='font-size: 12.0pt'>Tuuuuurn oooooff notiiificatiiiiions
<a href="http://somewebsite.com/x/st.html" target="_new">heeeeeeere.</a>
What: Writing text vertically to avoid detection
Date added: April 15, 2005
Example from the wild:
(Reported by Nick FitzGerald)
t i h c
h s a o
i r r
s d e
What: Splitting a URL inside an HREF using \r or \n characters
Date added: April 15, 2005
Example from the wild:
<A href="h
t
tp:/
/vgtnfrgven.net&zlwgfqn0xltmj0ynt0hes3%2Egeun
perch
ji%2Ews/">
The actual web site in this example is
geunperchji.ws
What: Wrapping a <map> with an HREF so that a bad URL is made to look safe.
Date added: March 21, 2005
Example from the wild:
(Nick FitzGerald provided and simplified it)
<A HREF="<safe_URL_to_lure_the_unwary>">
<map name="FPMap0">
<area coords="0, 0, 623, 349" shape="rect" href="<bad_url>">
</map>
<img SRC="<img_url>" border="0" usemap="#FPMap0">
</A>
What: A variant of Slice and Dice; here words are split onto two lines to make a wavy pattern on some HTML renderers, and completed text on others.
Date added: February 22, 2005
Example from the wild:
(Full example from Theo van Dinter)
<TABLE cellSpacing=0 cellPadding=0 align=center border=0>
<TR vAlign=bottom>
<TD rowSpan=2>Inc</TD>
<TD></TD>
<TD rowSpan=2>e Yo</TD>
<TD></TD>
<TD rowSpan=2>xual Des</TD>
<TD></TD>
<TD rowSpan=2>Spe</TD>
<TD></TD>
<TD rowSpan=2>ume by </TD>
<TD></TD>
<TD rowSpan=2>%</TD>
</TR>
<TR vAlign=bottom>
<TD>reas</TD>
<TD>ur Se</TD>
<TD>ire and </TD>
<TD>rm vol</TD>
<TD>500</TD>
</TR></TABLE>
What: Using the Unicode right-to-left override expressed as HTML entities (&#8238; and &#8236;) to reverse text
Date added: February 14, 2005
Example from the wild:
(Reported by Miles Libbey)
Your B&#8238;na&#8236;k C&#8238;dra&#8236; Link&#8238;ni&#8236;g
What: Permuting the letters inside a word; the word is still readable by humans.
Date added: January 17, 2005
Example from the wild:
I finlaly was able to lsoe the wieght I have been sturggling to
lose for years! And I couldn't bileeve how simple it was! Amizang
pacth makes you shed the ponuds! It's Guanarteed to work or your
menoy back!
What: Inserting null characters (quoted-printable encoded) (see also Control Freak)
Date added: January 10, 2005
Example from the wild:
<=00H=00T=00M=00L=00>=00<=00H=00E=00A=00D=00>=00=0D=00=0A=00<=00M=00E=00=
T=00A=00 =00h=00t=00t=00p=00-=00e=00q=00u=00i=00v=00=3D=00C=00o=00n=00=
t=00e=00n=00t=00-=00T=00y=00p=00e=00 =00c=00o=00n=00t=00e=00n=00t=00=3D=
=00"=00t=00e=00x=00t=00/=00h=00t=00m=00l=00;=00 =00c=00h=00a=00r=00s=00=
e=00t=00=3D=00u=00n=00i=00c=00o=00d=00e=00"=00>=00=0D=00=0A=00<=00M=00=
E=00T=00A=00 =00c=00o=00n=00t=00e=00n=00t=00=3D=00"=00M=00S=00H=00T=00=
M=00L=00 =006=00.=000=000=00.=002=008=000=000=00.=001=004=000=000=00"=00=
=00n=00a=00m=00e=00=3D=00G=00E=00N=00E=00R=00A=00T=00O=00R=00>=00<=00=
/=00H=00E=00A=00D=00>=00=0D=00=0A=00<=00B=00O=00D=00Y=00>
What: Using ASCII art to get the spam message across.
Date added: January 5, 2005
Example from the wild:
Obscene example
example comes from Nick FitzGerald (and another).
What: Attaching the spam as a Microsoft Office document (Word or Excel)
Date added: January 5, 2005
Example from the wild:
(Reported by David F. Skoll) Download example courtesy of Nick FitzGerald.
What: Splitting the subject line by using an encoding and bogus line breaks.
Date added: January 5, 2005
Example from the wild:
(Reported by Chris Drake and Joseph Connors)
Subject: =?utf-8?q?Identical drugs -- l?=
=?utf-8?q?ittle monetary valu?=
=?utf-8?q?e!?=
What: Using non-existent zero-width images to break up words in both the Subject: line and the body.
Date added: November 3, 2004
Example from the wild:
No more imp<IMG SRC="congratulate.gif" height="2" width="0" border="0">otence bullet
What: Using a silent background sound as a web bug to detect when an email is opened.
Date added: November 3, 2004
Example from the wild:
(Reported by Sam Schinke)
<BGSOUND src="http://213.215.172.43/index_o.php?Client=[email protected]">
What: Microsoft Internet Explorer contains a bug that makes it very liberal in its interpretation of hexadecimal color values. Missing digits are treated as 0, and an incorrect digit is also interpreted as 0. For example, the values #F0F0F0, F0F0F0, F0F0F, #FxFxFx and FxFxFx are all the same. This can be used to refresh tricks like Invisible Ink and Camouflage.
Date added: July 27, 2004
Example from the wild:
(Thanks to Edy Hinzen for the sample)
<font size="1" style="font-size: 1px" color="#FqFeFm">b</font>
What: To prevent a URL from being recognized as a URL it is split into two parts with instructions to the reader to put the two bits back together.
Date added: February 3, 2004
Example from the wild:
(Via Ken Schneider presentation at the MIT Spam Conference 2004)
type http://www the the following URL in your web browser
address bar: .somesite.com/page1/page2/content.htm
Update: August 30, 2006; Nick FitzGerald reports a version of this using an image instead of text:
What: Spammers have reacted to the fact that good spam filters understand HTML by reworking many tricks in the compendium using CSS.
Date added: February 3, 2004
Example from the wild:
Tricks that can be reworked:
- Invisible Ink: replace <font color="white" size="-1"> with <font style="font-size: -1; color: white;">
- The Black Hole: replace <font size=0> </font> with <font style="font-size: 0"> </font>
- Honey, I Shrunk The Font: replace <font size="1" color="#FFFFFF">Random word of BIG LETTERS with length 1 to 22 TSUTHRXJKVUVBECP</font> with <font style="font-size: 1; color: #FFFFFF">Random word of BIG LETTERS with length 1 to 22 TSUTHRXJKVUVBECP</font>
- Camouflage: replace <font color="#123939">those rearing lands</font> with <font style="color: #123939">those rearing lands</font>
- All of the above could be done with an external style sheet instead of inline styles. This would require loading the sheet to determine the trickery. In the worst case, that external style sheet would be a form of web bug that would validate the recipient's email address.
What: Exploits the fact that Microsoft Internet Explorer had a problem (fixed in this patch) where a cleverly constructed URL could appear to go to one site and actually take you to another.
Date added: February 3, 2004
Example from the wild:
<a href=http://www.microsoft.com =01 %01 %[email protected]/~cnnurgen/microsoft/downloads/details.html>
www.microsoft.com/downloads/</a>
Notes:
- This looks like: www.microsoft.com/downloads
- Notice the use of =01 quoted-printable encoding to insert a non-printable ASCII character SOH (01) inside the URL.
- Notice the use of % encoding to also insert the non-printable ASCII characters 01 and 00 (the latter being a standard string termination in C designed to fool filters that 'printf' the URL).
- Notice the use of a URL username/password combination (cf Enigma/Bogus Login tricks above)
- This appears to take the user to www.microsoft.com/downloads, but actually goes to the site at 66.235.193.39.
- In Microsoft Internet Explorer both the text highlighted in the URL and the URL shown in the status bar indicate that the URL is on microsoft.com.
- Mozilla Firebird is also fooled by this trick; it terminates the URL at the SOH character.
Another variant has appeared in phishing emails:
What: The pipe character | can be used in a URL. Under Internet Explorer the URL will not be displayed past the pipe. This can be used to make a subdomain look like a top-level domain.
Example from the wild: (borrowed from Netcraft)
http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/
This will appear as barclays.co.uk in Internet Explorer, but in fact goes to dvdlinKs.at.
What: Use the onmouseover event to change a URL so that when clicked the user is taken to an unexpected destination.
Date added: February 3, 2004
Example from the wild:
Remove My e-mail from my Friends Contact <a
href="http://%77%77%77%77.3%65%653--%69%6c11%6c%69--3%6c%69%6c%6c.
%6f%72%67/bPqjOL09yGCHw/remove.htm" onmouseover="window.status=
'http://candysexnow.com/bPqjOL09yGCHw/';return true;"
onmouseout="window.status=' ';return true;">
ClickHere</a>
This works as follows: Remove My e-mail from my Friends Contact ClickHere
What: Break up a spammy word by inserting a single tiny letter in the middle.
Date added: February 3, 2004
Example from the wild:
(Pointed out by Andrew Whitham)
No cred<font style="font-size: 1;">K</font>it?
This looks like: No credKit?
What: Enclose text within <style> tags to hide it from the user but confuse filters.
Date added: September 15, 2003
Example from the wild:
<style>RANDOM</style>
What: Use of non-printing characters, especially in the Subject and especially NUL to mess up filters that use 0 terminated strings.
Date added: September 15, 2003
Example from the wild:
What: Using the <noframes> tag the spammer can hide text and break up words.
Date added: September 15, 2003
Example from the wild:
Ere<frame><noframes>ywl55</noframes></frame>ctions
What: Using the <marquee> tag the spammer can hide text in a tiny unobtrusive square.
Date added: July 9, 2003
Example from the wild:
<marquee bgcolor="white" height="8" width="8">Did you ever play that game
when you were a kid where the little plastic hippo tries to gobble up all
your marbles?</marquee>
What: Adding a legitimate but odd word at the far right of the subject line (typically preceded with lots of spaces and tabs). The word is designed to poison a Bayesian filter and alter the spam's hash value.
Date added: June 18, 2003
Example from the wild:
(Thanks to Gary Robinson for pointing this one out)
Subject: FEATURED IN MAJOR MAGAZINES algorithmic
What: Like Invisible Ink, but instead of using identical colors (e.g. white on white) use very similar colors.
Date added: June 2, 2003
Example from the wild:
(The colors 113333, 123939, and 423939 are chosen to be very similar without being the same)
<table bgcolor="#113333"><tr><td><font color="#123939">those rearing lands</font><br>
<table><tr><td><br><font color="yellow" size=5><b>Plasticine sex-cartoons.</b></font><br>
<font color="#423939">eel harness highest</font><br>
<font color="white" size=3>Absolutely new category of adu1t sites.
</td></tr></table>
<font color="#123939">nobody jets held<br>Northumbria- diamond sleep</font></td></tr></table>
What: Another way of hiding text in an HTML email by placing it in the <title> which is unlikely to be displayed by the email client.
Date added: May 27, 2003
Example from the wild:
<title>dinosaur reptile ghueej egrjerijg gerrg</title>
What: Since many languages separate words with spaces, and since many spam filters do the same, this spammer decided that replacing spaces with something else was a good idea.
Date added: May 15, 2003
Example from the wild:
DidAyouFknowNyouMcanBgetVprescriptionVmedications
prescribedTonlineTwith
NORPRIORRPRESCRIPTIONRREQUIRED!
WeZhaveztheXlargestLselectionLofNprescriptionsNavailableZonline!
LowestzPrices -- NextzDayxDelivery
What: Use very small (size 1) font to hide bogus text (see also The Black Hole).
Date added: April 6, 2003
Example from the wild:
(Notice how the spammer didn't follow the instructions and managed to leave the instructions in the spam :-) (This spam also uses Invisible Ink for these words)
<p style="margin-bottom: -20"><font size="1" color="#FFFFFF">Random word of
BIG LETTERS with length 1 to 22 TSUTHRXJKVUVBECP</font></p>
<p style="margin-bottom: -20"><font size="1" color="#FFFFFF">Random word of
small letters with length 1 to 16 uyswdgueoclrwlf</font></p>
<p style="margin-bottom: -20"><font size="1" color="#FFFFFF">Random word of
mixed symbols with length 1 to 27 7y14R484w1m7531X</font></p>
<p style="margin-bottom: -20"><font size="1" color="#FFFFFF">Your text 9, note,
maximum length of tag is 255 symbols</font></p>
<p style="margin-bottom: -20"><font size="1" color="#FFFFFF"></font></p>
What: Use URL username@host syntax to disguise a URL.
Date added: April 6, 2003
Example from the wild:
(This example also uses % encoding of the URL to further disguise it)
<a href="http://1011100110010010100101010101010101010010110010100110011000101010
10010101010010101001010010101010100110011010101010010101001010011001010101010101
01011011010011100110@%68%6B%2E%67%65%6F%63%69%74%69%65%73%2E%63%6F%6D/%6C%6F%76%
65%67%69%6C%6C%67%69%6C%6C"><font color="#FFFFFF">Click Here</font></a>
What: Use HTML entities instead of letters
Date added: April 1, 2003
Example from the wild:
Watch Dogs slurp you
ng girls puss
What: Use of font size 0 to break up words with zero width spaces.
Date added: April 1, 2003
Example from the wild:
V<font size=0> </font>i<font size=0> </font>a<font size=0>
</font>g<font size=0> </font>r<font size=0> </font>a
What: Large nonsense words designed to mess up hash based spam identification.
Date added: January 17, 2003
Example from the wild:
crecrephaswukutugucrovazichonuprixisluwephimajoq
What: Replace letters with numbers or use nonsense accents.
Date added: January 17, 2003
Example from the wild:
V1DE0 T4PE M0RTG4GE
Fántástìç -- eárn mõnéy thrôugh unçõlleçted judgments
What: Keep HTML body of email in a Javascript that fires when the email is opened.
Date added: January 17, 2003
Example from the wild:
<HTML><HEAD><SCRIPT LANGUAGE="Javascript"><!-- var Words="%3CHTML%3E%0D%0A%3CHEAD%3E%0D
%0A%3CTITLE%3E%3C/TITLE%3E%0D%0A%3CMETA%20HTTP-EQUIV%3D%22Content-Type%22%20CONTENT
%3D%22text/html%3B%20charset%3DBig5%22%3E%0D%0A%3CMETA%20HTTP-EQUIV%3D%22Expires%22
%20CONTENT%3D%22Sat%2C%201%20Jan%202000%2000%3A00%3A00%20GMT%22%3E%0D%0A%3CMETA%20
HTTP-EQUIV%3D%22Pragma%22%20CONTENT%3D%22no-cache%22%3E%0D%0A%3C/HEAD%3E%0D%0A%3C
FRAMESET%20ROWS%3D%22100%25%2C0%22%20FRAMEBORDER%3DNO%20BORDER%3D%220%22%20
FRAMESPACING%3D0%3E%0D%0A%3CFRAME%20SRC%3D%22
http%3A//203.204.53.231/a1_K_2/e12w_k2/a_w_a_0__2k-1_second%22%20NAME%3D%22A
MENU%22%20SCROLLING%3DAUTO%20MARGINHEIGHT%3D0%20MARGINWIDTH%3D0%3E%0D%0A%3C
FRAME%20SRC%3D%22%22%20SCROLLING%3DNO%20noresize%3E%0D%0A%3C/FRAMESET%3E%0D%0A
%3CNOFRAMES%3E%0D%0A%3C/NOFRAMES%3E%0D%0A%3C/HTML%3E%0D%0A"
function SetNewWords() { var NewWords; NewWords = unescape(Words); document.write(NewWords); }
SetNewWords(); // --> </SCRIPT> </HEAD> <BODY> </BODY> </HTML>
What: Use URL encoding to hide URLs
Date added: January 17, 2003
Example from the wild:
http://7763631671/obscure.htm
http://0xCeBF9e37/obscure.htm
http://0316.0277.0236.067/obscure.htm
http://3468664375@3468664375/o%62s%63ur%65%2e%68t%6D
February 3, 2004: More possibilities:
%-style: http://%77%77%77%77.3%65%653--%69%6c11%6c%69--3%6c%69%6c%6c.%6f%72%67/
&;-style: http://www.sgc.org/
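An added example (not from the original page): a Python sketch of how a filter can canonicalise the host of a disguised URL before checking it, covering the numeric, %-encoded and username@host forms above as well as the split-HREF and pipe-character entries. The function names are hypothetical, and wrapping an oversized decimal host to 32 bits is an assumption about legacy client behaviour.

```python
import re
from urllib.parse import unquote


def _parse_component(part):
    """Parse one dotted component the way inet_aton-style parsers do."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)          # 0x.. is hexadecimal
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)           # a leading 0 means octal
    if re.fullmatch(r"0|[1-9][0-9]*", part):
        return int(part, 10)
    return None


def numeric_host_to_ipv4(host):
    """Return the dotted quad for a purely numeric host, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_parse_component(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *head, last = nums
    if any(n > 255 for n in head):
        return None
    if len(nums) == 1:
        # Assumption: legacy clients wrapped an oversized value to 32 bits.
        last %= 1 << 32
    elif last >= 1 << (8 * (4 - len(head))):
        return None
    value = last                      # the last component fills the low bytes
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def real_destination(url):
    """Split a URL into the host actually contacted and the decoy parts."""
    url = re.sub(r"[\t\r\n]", "", url.strip())   # line breaks inside an HREF
    m = re.match(r"(?i)([a-z][a-z0-9+.-]*)://([^/?#]*)(.*)", url)
    if m is None:
        return None
    _scheme, authority, rest = m.groups()
    # Everything before the last "@" is userinfo, not the destination.
    userinfo, _, hostport = authority.rpartition("@")
    host = unquote(hostport.split(":")[0]).lower()
    return {
        "host": numeric_host_to_ipv4(host) or host,
        "decoy": unquote(userinfo) or None,
        "path": unquote(rest),
    }


# URLs quoted on this page (numeric/encoded hosts, split HREF, pipe character).
SAMPLES = [
    "http://7763631671/obscure.htm",
    "http://0xCeBF9e37/obscure.htm",
    "http://0316.0277.0236.067/obscure.htm",
    "http://3468664375@3468664375/o%62s%63ur%65%2e%68t%6D",
    "h\nt\ntp:/\n/vgtnfrgven.net&zlwgfqn0xltmj0ynt0hes3%2Egeun\nperch\nji%2Ews/",
    "http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(real_destination(sample))
```

The first four samples all reduce to the same dotted-quad address, which is why a filter should compare canonical hosts rather than raw URL strings.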
What: Insert spaces between letters to make words unrecognizable.
Date added: January 17, 2003
Example from the wild:
M O R T G A G E
F*R*E*E V’I’A’G’R’A O*N*L*I*N*E
What: Send two part MIME document, text/plain part contains bogus text, text/html part contains the spam message.
Date added: January 17, 2003
Example from the wild:
------=_NextPart_001_2D3DF_01C29D73.26716240
Content-Type: text/plain;
The modes of letting vacant farms, the duty of supplying buildings and permanent
improvements, and the form in which rent is to be received, have all been carefully
discussed in the older financial treatises. Most of these questions belong to
practical administration, and are, moreover, not of great interest in modern times.
Certain plain rules, may, however, be stated. The claims of successors to the late
tenant should not be overlooked; it is better for the tenure to be continued without
break, and therefore the question of new letting ought rarely to
occur.
------=_NextPart_001_2D3DF_01C29D73.26716240
Content-Type: text/html;
<p><b><font face=Arial>Now is the perfect time to get a mortgage,
and we have a simple and free way for you to get started.</font></b></td>
Update: September 15, 2003, This trick seems to be getting more common.
What: Use a table to send words through as individual letters arranged top to bottom but read left to right
Date added: January 17, 2003
Example from the wild:
<table cellpadding=0 cellspacing=0 border=0><tr>
<td><table cellspacing=0 cellpadding=0 border=0><tr><td>
<font face="Courier New, Courier, mono" size=2>
<br>U<br> <br>O<br>a<br> <br>D<br>u<br>a
<br> <br>N<br> <br>B<br>d<br> <br>N<br>
<br>C<br> <br>C<br>w<br> <br>1<br> <br>
<br> <br>1<br> <br>C<br>S<br></font></td></tr></table></td>
<td><table cellspacing=0 cellpadding=0 border=0><tr><td><font
face="Courier New, Courier, mono" size=2>
<br> N <br> <br>bta
<br>nd <br> <br>ipl<br>niv<br>nd <br>
<br>o r<br> <br>ach<br>ipl
<br> <br>o o<br> <br>onf<br>
<br>ALL<br>ith<br> <br> -
<br> <br> <br> <br>
- <br> <br>all<br>und<br></font></td></tr></table></td>
<td><table cellspacing=0 cellpadding=0 border=0><tr><td><font
face="Courier New, Courier, mono" size=2>
<br>I V<br> <br>in <br>the
<br> <br>oma<br>ers<br>lif<br> <br>equ
<br> <br>elo<br>oma<br> <br>ne <br>
<br>ide<br> <br> NO<br>in <br>
<br>3 1<br> <br>
<br> <br>2 1<br> <br> 24<br>ays
<br></font></td></tr></table></td>
<td><table cellspacing=0 cellpadding=0 border=0><tr><td><font face="Courier
New, Courier, mono" size=2>
<br> E<br> <br>a <br> a<br>
<br>s <br>it<br>e <br> <br>ir<br> <br>rs<br>s
<br> <br>is<br> <br>nt<br> <br>W
<br>da<br> <br> 2<br> <br> <br>
<br> 2<br> <br> h<br> a<br></font></td></tr></table></td>
Update: April 24, 2006, Nick FitzGerald reports a Slice and Dice variant that replaces <br> tags with <div>:
<TABLE>
<TR>
<TD><DIV><STRONG>V</STRONG></DIV><DIV><STRONG>C</STRONG></DIV></TD>
<TD><DIV><STRONG>A</STRONG></DIV><DIV><STRONG>I</STRONG></DIV></TD>
<TD><DIV><STRONG>L</STRONG></DIV><DIV><STRONG>A</STRONG></DIV></TD>
<TD><DIV><STRONG>I</STRONG></DIV><DIV><STRONG>L</STRONG></DIV></TD>
<TD><DIV><STRONG>U</STRONG></DIV><DIV><STRONG>I</STRONG></DIV></TD>
<TD><DIV><STRONG>M</STRONG></DIV><DIV><STRONG>S</STRONG></DIV></TD>
</TR>
</TABLE>
Update: August 30, 2006, Nick FitzGerald reports another Slice and Dice variant that uses only <div> tags:
<DIV style="FLOAT:left"><DIV> P</DIV><DIV> L</DIV></DIV>
<DIV style="FLOAT:left"><DIV> r</DIV><DIV> e</DIV></DIV>
<DIV style="FLOAT:left"><DIV> o</DIV><DIV> v</DIV></DIV>
<DIV style="FLOAT:left"><DIV> z</DIV><DIV> i</DIV></DIV>
<DIV style="FLOAT:left"><DIV> a</DIV><DIV> t</DIV></DIV>
<DIV style="FLOAT:left"><DIV> c</DIV><DIV> ra</DIV></DIV>
Update: July 1, 2007, Nick FitzGerald reports yet another Slice and Dice variant that uses only <table> tags with <div>:
<TABLE cellPadding=0 cellSpacing=0>
<TR>
<TD class=t2 width=70 height=52>
<DIV align=right>
Via<BR>
Cia<BR>
Meri<BR>
Lipi<BR>
Zuc
</DIV>
</TD>
<TD class=t3 width=70 height=52>
gra<BR>
lis<BR>
dia<BR>
tor<BR>
or
</TD>
<TD class=t3 width=80>
<DIV align=right>
Cial<BR>
Lev<BR>
Pro<BR>
Gluc<BR>
Cari
</DIV>
</TD>
<TD class=t3 width=90>
is Soft<BR>
itra<BR>
pecia<BR>
ophage<BR>
soma
</TD>
<TD class=t3 width=70>
<DIV align=right>
Vali<BR>
Xan<BR>
Amb<BR>
Zol<BR>
Ata
</DIV>
</TD>
<TD class=t4 width=70>
um<BR>
ax<BR>
ien<BR>
oft<BR>
rax
</TD>
</TR>
</TABLE>
What: Split words using HTML comments, pairs of zero width tags, or bogus tags.
Date added: January 17, 2003
Example from the wild:
milli<!-- xe64 -->onaire
Fi</n>nd N</n>ew </n>Fri</n>end</n>s
Vi<b></b>agra
F<XYZ>r<XXYA>ee
September 15, 2003: Another example comes from Tim Peters, this uses a Microsoft-only HTML tag <comment> to insert ignored text into the word Viagra:
Via<comment>6q5r7</comment>gra
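An added example (not from the original page): a Python sketch that separates the text a reader sees from the text hidden by the markup tricks in this entry and in the display:none, float, font-size and <noframes> entries, so a filter can score the rendered words. Class and function names are hypothetical; it reads inline styles only, and treating a font size of 1 or less as invisible is an assumption.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "input", "meta", "link", "area", "bgsound"}
NOT_RENDERED = {"style", "script", "title", "noframes", "comment"}


def style_decls(style):
    """Parse an inline style; a later declaration overrides an earlier one."""
    decls = {}
    for item in (style or "").split(";"):
        name, sep, value = item.partition(":")
        if sep:
            decls[name.strip().lower()] = value.strip().lower()
    return decls


def is_tiny(size):
    """True for an absolute size of 1 or less (assumed unreadable)."""
    m = re.match(r"\d+(\.\d+)?", (size or "").strip())
    return m is not None and float(m.group(0)) <= 1


def classify(tag, attrs):
    """Label the text inside one element: hidden, floated or inline."""
    attr = dict(attrs)
    css = style_decls(attr.get("style"))
    if tag in NOT_RENDERED or css.get("display") == "none":
        return "hidden"
    if is_tiny(css.get("font-size")) or (tag == "font" and is_tiny(attr.get("size"))):
        return "hidden"
    if css.get("float") in ("left", "right"):
        return "floated"
    return "inline"


class RenderedText(HTMLParser):
    """Sort character data into the streams a reader would and would not see."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.open_elems = []  # (tag, label) for every element still open
        self.streams = {"inline": [], "floated": [], "hidden": []}

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            self.open_elems.append((tag, classify(tag, attrs)))

    def handle_endtag(self, tag):
        # Close back to the nearest matching start tag; a stray end tag
        # such as </n> matches nothing and is ignored. Comments are dropped
        # by HTMLParser's default handle_comment.
        for i in range(len(self.open_elems) - 1, -1, -1):
            if self.open_elems[i][0] == tag:
                del self.open_elems[i:]
                break

    def handle_data(self, data):
        labels = {label for _, label in self.open_elems}
        for label in ("hidden", "floated"):
            if label in labels:
                self.streams[label].append(data)
                return
        self.streams["inline"].append(data)


def rendered_streams(html):
    """Return the inline, floated and hidden text of an HTML fragment."""
    parser = RenderedText()
    parser.feed(html)
    parser.close()
    return {name: "".join(parts) for name, parts in parser.streams.items()}


# Markup patterns quoted on this page, joined onto single lines.
SPLIT_WORDS = [
    "milli<!-- xe64 -->onaire",
    "Fi</n>nd N</n>ew </n>Fri</n>end</n>s",
    "Vi<b></b>agra",
    "F<XYZ>r<XXYA>ee",
    "Via<comment>6q5r7</comment>gra",
]
DISPLAY_NONE = "".join(
    '<span style="display: yes; display: none">%s</span>%s' % pair
    for pair in zip("glocsz", "CIALIS"))
RAKE_RIGHT = "".join(
    '%s<span style="float:right">%s</span>' % pair
    for pair in zip("VIAGRA", "cjmoaa"))
RAKE_LEFT = "".join(
    '%s<span style="float:left">%s</span>' % pair
    for pair in zip("cfhgjk", "CIALIS"))

if __name__ == "__main__":
    for sample in SPLIT_WORDS + [DISPLAY_NONE, RAKE_RIGHT, RAKE_LEFT]:
        print(rendered_streams(sample))
```

Floated text is kept as its own stream because the float:left variant carries the real word in the floated spans, so a filter should score both the inline and the floated stream.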
What: Insert a piece of current news in a bogus HTML tag.
Date added: January 17, 2003
Example from the wild:
<Despite statements last week from chief U.N. inspector Hans Blix that
full cooperation was expected from Iraq, Iraqi Foreign Minister Naji
Sabri lashed out at the United Nations in a 19-page letter to Secretary-
General Kofi Annan written in Arabic. In it, Sabri repeated previous
claims that Iraq has no weapons of mass destruction and that the inspections
are just a false pretense for the United States and Britain to attack his
country. Sabri assailed U.N. Security Council resolution 1441, adopted
November 8, that called for Iraq to give immediate, unfettered access
to weapons inspectors. Iraq "is being subjected to terrorism for more than
30 years from international and regional powers," he wrote. "And Iraq's under
a daily aggression represented in the terrorism of the U.S. and Britain through
the imposition of the no-fly zones." Iraq has shot at U.S. and British aircraft
repeatedly in the no-fly zones since they were established after the Persian
Gulf War, and coalition aircraft have fired on Iraqi bases in response. In
the most recent action, coalition aircraft struck a mobile radar system
Saturday in the southern no-fly zone, according to the U.S. Central Command.
The Iraqi News Agency said the aircraft fired on civilian and service
facilities. After Iraq fired on U.S. and British planes last week, U.S.
officials said the attacks constituted a "material breach" of Resolution 1441,
which could trigger a meeting of the U.N. Security Council at which the
United States could call for military action against Iraq>
What: Use of white text on a white background containing words designed to confuse a filter.
Date added: January 17, 2003
Example from the wild:
<font color="white" size="-1">search words: suspensory obscure
aristocratical meningorachidian unafeared brahmachari</font>
What: The entire email consists of a small HTML page consisting of an image enclosed in a single hyperlink.
Date added: January 17, 2003
Example from the wild:
<html>
<img src="http://www.your-info-station.com/Sla/chalkboard.gif">
<div><a href="http://www.your-info-station.com/Sla/eb.php?x=52c">
<img src="http://www.your-info-station.com/Sla/pitch.gif">
</a></html>
April 29, 2003: Scott Schram points out that some instances of this are being sent with valid but unrelated text before and after the image.