[funsec] A phish I don't understand.
Nick FitzGerald
nick at virus-l.demon.co.uk
Tue Aug 8 22:06:14 CDT 2006
Drsolly to Alex Eckelberry:
> > What does the html source say?
>
> That's the whole point - there wasn't any.
Are you really sure of that?
I mean, I know you know how to look up such things in whatever MUA you
may choose to use, but are you sure that the message as seen in the MUA
is really the message as sent by the spammer?
The reason I ask is because at least one of the spam rings (probably
associated with Kuvayev) has recently started pumping lots of spam
(including Fifth Third, and other, phish) using a message generator
that makes what I think is broken MIME multipart messages. These
messages are of the form:
<usual headers>
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_006A_01C6BACC.42FC3F00"
<more headers>
This is a multi-part message in MIME format.
------=_NextPart_000_006A_01C6BACC.42FC3F00
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_006B_01C6BACC.42FC3F00"
------=_NextPart_001_006B_01C6BACC.42FC3F00
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
<hash-busting filler>
------=_NextPart_001_006B_01C6BACC.42FC3F00
Content-Type: text/html;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=Windows-1252">
<META content="MSHTML 6.00.2800.1106" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff text=ffffff><FONT face=Arial size=2>
<DIV><a
href=http://www.53.com.wps.portal.secure.redew.info/context/><IMG
alt="" hspace=0 src="cid:006901c6baf6$2bd24700$6c822ecf at 5OKXVS4I"
align=baseline border=0></a></DIV>
<HTML-ized hash-busting filler>
</FONT></BODY></HTML>
------=_NextPart_001_006B_01C6BACC.42FC3F00--
------=_NextPart_000_006A_01C6BACC.42FC3F00
Content-Type: image/png;
name="Q55NGW.PNG"
Content-Transfer-Encoding: base64
Content-ID: <006901c6baf6$2bd24700$6c822ecf at 5OKXVS4I>
<Base64'ed image data>
------=_NextPart_000_006A_01C6BACC.42FC3F00--
My (and my MUA's) reading of this MIME structure puts the image
"outside" the "scope" of the text/html component of the
multipart/alternative component of the main MIME message body (note the
image's MIME part boundary identifier is "back" at the "000_006A"
level). Thus, my MUA does not render it as the spammer intended, but
my MUA has a view mode that allows me to see its interpretation of the
component MIME parts and (mostly) to view the contents of those parts.
I suspect some less RFC-considerate MUAs (perhaps those made in Redmond
and/or dependent on Redmond's HTML rendering engines?) are less fussy
and handle this "just fine" (i.e. brokenly, but producing the result
the spammers desired). But maybe some MUAs get really confused by it
and only show or acknowledge the "outer" (image-only) level??
Regards,
Nick FitzGerald
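To show how a standard MIME parser lays out the nesting described above, here is an added Python example (not from the post or the list): it builds a message with the same part structure and boundaries, reports each part's depth, and resolves the HTML part's cid: reference against the Content-IDs present in the message. The link target, filler text and image bytes are placeholders; the Content-ID is the one quoted in the post with the archive's " at " restored to "@".

```python
from email import message_from_string, policy
import re

# Constructed sample: boundaries and Content-ID from the post; link, filler and image bytes are placeholders.
RAW = """\
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_006A_01C6BACC.42FC3F00"

This is a multi-part message in MIME format.
------=_NextPart_000_006A_01C6BACC.42FC3F00
Content-Type: multipart/alternative; boundary="----=_NextPart_001_006B_01C6BACC.42FC3F00"

------=_NextPart_001_006B_01C6BACC.42FC3F00
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

hash-busting filler
------=_NextPart_001_006B_01C6BACC.42FC3F00
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><a href=3Dhttp://phish.example.invalid/context/><IMG
src=3D"cid:006901c6baf6$2bd24700$6c822ecf@5OKXVS4I"></a></BODY></HTML>
------=_NextPart_001_006B_01C6BACC.42FC3F00--
------=_NextPart_000_006A_01C6BACC.42FC3F00
Content-Type: image/png; name="Q55NGW.PNG"
Content-Transfer-Encoding: base64
Content-ID: <006901c6baf6$2bd24700$6c822ecf@5OKXVS4I>

iVBORw0KGgo=
------=_NextPart_000_006A_01C6BACC.42FC3F00--
"""

def mime_tree(raw):
    """Return [(depth, content-type), ...] in the order the parts appear."""
    def walk(part, depth):
        out = [(depth, part.get_content_type())]
        for sub in (part.iter_parts() if part.is_multipart() else ()):
            out += walk(sub, depth + 1)
        return out
    return walk(message_from_string(raw, policy=policy.default), 0)

def cid_refs(raw):
    """Map each cid: reference in the HTML body to the type of the part carrying that Content-ID (None if absent)."""
    msg = message_from_string(raw, policy=policy.default)
    ids = {p["Content-ID"].strip("<>"): p.get_content_type()
           for p in msg.walk() if p["Content-ID"]}
    html = msg.get_body(preferencelist=("html",))  # root of the related part, then its html alternative
    refs = re.findall(r'cid:([^"\s>]+)', html.get_content()) if html else []
    return {r: ids.get(r) for r in refs}
```

Running mime_tree(RAW) lists the image/png part at depth 1, beside the multipart/alternative container rather than inside it, which is the placement the post describes.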