[funsec] A phish I don't understand.

Nick FitzGerald nick at virus-l.demon.co.uk
Tue Aug 8 22:06:14 CDT 2006

Drsolly to Alex Eckelberry:

> > What does the html source say? 
> That's the whole point - there wasn't any.

Are you really sure of that?

I mean, I know you know how to look up such things in whatever MUA you 
may choose to use, but are you sure that the message as seen in the MUA 
is really the message as sent by the spammer?

The reason I ask is because at least one of the spam rings (probably 
associated with Kuvayev) has recently started pumping lots of spam 
(including Fifth Third, and other, phish) using a message generator 
that makes what I think is broken MIME multipart messages.  These 
messages are of the form:

   <usual headers>
   Content-Type: multipart/related;
   <more headers>

   This is a multi-part message in MIME format.

   Content-Type: multipart/alternative;

   Content-Type: text/plain;
   Content-Transfer-Encoding: quoted-printable

   <hash-busting filler>

   Content-Type: text/html;
   Content-Transfer-Encoding: quoted-printable

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
   <META http-equiv=Content-Type content="text/html; charset=Windows-
   <META content="MSHTML 6.00.2800.1106" name=GENERATOR>
   <BODY bgColor=#ffffff text=ffffff><FONT face=Arial size=2>
   alt="" hspace=0 src="cid:006901c6baf6$2bd24700$6c822ecf@5OKXVS4I" 
   align=baseline border=0></a></DIV>

   <HTML-ized hash-busting filler>



   Content-Type: image/png;
   Content-Transfer-Encoding: base64
   Content-ID: <006901c6baf6$2bd24700$6c822ecf@5OKXVS4I>

   <Base64'ed image data>


My (and my MUA's) reading of this MIME structure puts the image 
"outside" the "scope" of the text/html component of the 
multipart/alternative component of the main MIME message body (note the 
image's MIME part boundary identifier is "back" at the "000_006A" 
level).  Thus, my MUA does not render it as the spammer intended, but 
my MUA has a view mode that allows me to see its interpretation of the 
component MIME parts and (mostly) to view the contents of those parts.  
I suspect some less RFC-considerate MUAs (perhaps those made in Redmond 
and/or dependent on Redmond's HTML rendering engines?) are less fussy 
and handle this "just fine" (i.e. brokenly, but producing the result 
the spammers desired).  But maybe some MUAs get really confused by it 
and only show or acknowledge the "outer" (image-only) level??


Nick FitzGerald
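An added example, not part of Nick's post or of anything from the list: a small Python script that parses a constructed message with the same nesting as the skeleton above (multipart/related holding a multipart/alternative and an image/png; the boundaries, addresses and Content-ID are placeholders made up for this example) and reports whether the HTML part's cid: reference resolves when the lookup is scoped to the HTML part's own enclosing container versus the whole message. That scoping difference is exactly the difference between the two MUA behaviours described in the post, and the tree dump is the kind of view an analyst wants when a message renders differently from one client to the next.

```python
import email
import re
from email import policy

# Constructed sample: boundaries, addresses, Content-ID and the image
# bytes are made up; only the part nesting mirrors the post's skeleton.
SAMPLE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="OUTER"

This is a multi-part message in MIME format.

--OUTER
Content-Type: multipart/alternative; boundary="INNER"

--INNER
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

plain-text filler
--INNER
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

<html><body><img src=3D"cid:img1@example.invalid" alt=3D""></body></html>
--INNER--

--OUTER
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-ID: <img1@example.invalid>

iVBORw0KGgo=
--OUTER--
"""

# Matches src="cid:..." / src=cid:... inside the decoded HTML body.
CID_RE = re.compile(r"""src\s*=\s*["']?cid:([^"'\s>]+)""", re.IGNORECASE)


def parse(raw):
    """Parse with the modern policy so parts expose iter_parts()/get_content()."""
    return email.message_from_string(raw, policy=policy.default)


def tree(msg):
    """Flatten the MIME tree into (path, content-type, content-id) rows.
    Path "0.1" is the second child of the first child of the root."""
    rows = []

    def visit(part, path):
        label = ".".join(map(str, path)) or "root"
        cid = part.get("Content-ID")
        rows.append((label, part.get_content_type(),
                     str(cid).strip("<>") if cid else None))
        if part.is_multipart():
            for i, sub in enumerate(part.iter_parts()):
                visit(sub, path + (i,))

    visit(msg, ())
    return rows


def parent_of(msg, target):
    """Return the container that directly holds `target` (None for the root)."""
    for part in msg.walk():
        if part.is_multipart() and any(sub is target for sub in part.iter_parts()):
            return part
    return None


def find_cid(scope, cid):
    """Search `scope` and everything below it for a part with this Content-ID."""
    for part in scope.walk():
        value = part.get("Content-ID")
        if value and str(value).strip("<>") == cid:
            return part
    return None


def cid_resolution(raw):
    """For each cid: reference in the HTML part, report whether it resolves when
    the search is limited to the HTML part's own container (the alternative
    subtree) and whether it resolves when the whole message is searched."""
    msg = parse(raw)
    html = next((p for p in msg.walk() if p.get_content_type() == "text/html"), None)
    if html is None:
        return {}
    container = parent_of(msg, html) or msg
    report = {}
    for cid in CID_RE.findall(html.get_content()):
        local = find_cid(container, cid)
        anywhere = find_cid(msg, cid)
        report[cid] = {
            "enclosing_container": container.get_content_type(),
            "resolved_within_container": local.get_content_type() if local else None,
            "resolved_in_whole_message": anywhere.get_content_type() if anywhere else None,
        }
    return report


if __name__ == "__main__":
    for path, ctype, cid in tree(parse(SAMPLE)):
        print(f"{path:6} {ctype:22} {cid or ''}")
    print(cid_resolution(SAMPLE))
```

Run it as-is to see the tree for the constructed message, or feed `cid_resolution()` a raw `.eml` read from disk; a part whose `resolved_within_container` is empty while `resolved_in_whole_message` is not is precisely the case where a client that only looks inside the alternative subtree shows no image and one that searches the whole related container shows it.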
