[funsec] A phish I don't understand.
Drsolly
drsollyp at drsolly.com
Wed Aug 9 11:35:36 CDT 2006
I'll check again next time I get one.
On Wed, 9 Aug 2006, Nick FitzGerald wrote:
> Drsolly to Alex Eckelberry:
>
> > > What does the html source say?
> >
> > That's the whole point - there wasn't any.
>
> Are you really sure of that?
>
> I mean, I know you know how to look up such things in whatever MUA you
> may choose to use, but are you sure that the message as seen in the MUA
> is really the message as sent by the spammer?
>
> The reason I ask is because at least one of the spam rings (probably
> associated with Kuvayev) has recently started pumping lots of spam
> (including Fifth Third, and other, phish) using a message generator
> that makes what I think is broken MIME multipart messages. These
> messages are of the form:
>
> <usual headers>
> Content-Type: multipart/related;
> type="multipart/alternative";
> boundary="----=_NextPart_000_006A_01C6BACC.42FC3F00"
> <more headers>
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_000_006A_01C6BACC.42FC3F00
> Content-Type: multipart/alternative;
> boundary="----=_NextPart_001_006B_01C6BACC.42FC3F00"
>
> ------=_NextPart_001_006B_01C6BACC.42FC3F00
> Content-Type: text/plain;
> charset="Windows-1252"
> Content-Transfer-Encoding: quoted-printable
>
> <hash-busting filler>
>
> ------=_NextPart_001_006B_01C6BACC.42FC3F00
> Content-Type: text/html;
> charset="Windows-1252"
> Content-Transfer-Encoding: quoted-printable
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML><HEAD>
> <META http-equiv=Content-Type content="text/html; charset=Windows-
> 1252">
> <META content="MSHTML 6.00.2800.1106" name=GENERATOR>
> <STYLE></STYLE>
> </HEAD>
> <BODY bgColor=#ffffff text=ffffff><FONT face=Arial size=2>
> <DIV><a
> href=http://www.53.com.wps.portal.secure.redew.info/context/><IMG
> alt="" hspace=0 src="cid:006901c6baf6$2bd24700$6c822ecf at 5OKXVS4I"
> align=baseline border=0></a></DIV>
>
> <HTML-ized hash-busting filler>
>
> </FONT></BODY></HTML>
>
> ------=_NextPart_001_006B_01C6BACC.42FC3F00--
>
> ------=_NextPart_000_006A_01C6BACC.42FC3F00
> Content-Type: image/png;
> name="Q55NGW.PNG"
> Content-Transfer-Encoding: base64
> Content-ID: <006901c6baf6$2bd24700$6c822ecf at 5OKXVS4I>
>
> <Base64'ed image data>
>
> ------=_NextPart_000_006A_01C6BACC.42FC3F00--
>
> My (and my MUA's) reading of this MIME structure puts the image
> "outside" the "scope" of the text/html component of the
> multipart/alternative component of the main MIME message body (note the
> image's MIME part boundary identifier is "back" at the "000_006A"
> level). Thus, my MUA does not render it as the spammer intended, but
> my MUA has a view mode that allows me to see its interpretation of the
> component MIME parts and (mostly) to view the contents of those parts.
> I suspect some less RFC-considerate MUAs (perhaps those made in Redmond
> and/or dependent on Redmond's HTML rendering engines?) are less fussy
> and handle this "just fine" (i.e. brokenly, but producing the result
> the spammers desired). But maybe some MUAs get really confused by it
> and only show or acknowledge the "outer" (image-only) level??
>
>
> Regards,
>
> Nick FitzGerald
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>
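The MIME layout Nick describes (a multipart/related container whose first child is a multipart/alternative and whose image part is a sibling of that alternative, referenced from the HTML by a cid: URL) is the kind of thing an analyst wants to inspect mechanically rather than by eyeballing a raw message. The script below is an added example written for this page, not code from the thread or from any MUA; it builds a constructed sample message with the same shape (placeholder boundaries, a placeholder link and an 8-byte PNG header as the "image"), walks the MIME tree with Python's standard email package, and resolves each cid: reference the way RFC 2387 describes, by looking it up among the direct children of the multipart/related container. A cid: that does not resolve to a sibling of the related container is reported, which is the structural check worth running on a phish sample before deciding how a given client would render it.

```python
import email
import re
from email import policy

# Constructed sample message with the same nesting as the structure quoted in the thread.
# Boundaries, addresses, the link and the image bytes are placeholders, not real indicators.
RAW = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related;
 type="multipart/alternative";
 boundary="OUTER"

This is a multi-part message in MIME format.

--OUTER
Content-Type: multipart/alternative;
 boundary="INNER"

--INNER
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

filler text

--INNER
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><a href=3Dhttp://phish.example.invalid/>=
<IMG src=3D"cid:img1@example.invalid"></a></BODY></HTML>

--INNER--

--OUTER
Content-Type: image/png; name="X.PNG"
Content-Transfer-Encoding: base64
Content-ID: <img1@example.invalid>

iVBORw0KGgo=

--OUTER--
"""

# Loose regexes for the two things worth pulling out of the HTML part: outbound links and cid: images.
HREF_RE = re.compile(r'href\s*=\s*"?([^"\s>]+)', re.I)
CID_RE = re.compile(r'src\s*=\s*"?cid:([^"\s>]+)', re.I)


def mime_tree(msg, depth=0):
    """Return (depth, content-type, Content-ID) rows in document order, one per MIME part."""
    cid = msg.get("Content-ID")
    rows = [(depth, msg.get_content_type(), str(cid) if cid else None)]
    if msg.is_multipart():
        for part in msg.iter_parts():
            rows.extend(mime_tree(part, depth + 1))
    return rows


def related_parts_by_cid(msg):
    """Index the direct children of a multipart/related container by Content-ID (brackets stripped).

    RFC 2387 scopes cid: resolution to the parts of the related container, so only siblings count."""
    index = {}
    if msg.get_content_type() != "multipart/related":
        return index
    for part in msg.iter_parts():
        cid = part.get("Content-ID")
        if cid:
            index[str(cid).strip().strip("<>")] = part
    return index


def analyze(raw: bytes) -> dict:
    """Parse a raw message and report its tree, the HTML links, and which cid: references resolve."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = next((p for p in msg.walk() if p.get_content_type() == "text/html"), None)
    html = html_part.get_content() if html_part else ""  # quoted-printable is decoded here
    index = related_parts_by_cid(msg)
    resolved, unresolved = {}, []
    for cid in CID_RE.findall(html):
        part = index.get(cid)
        if part is None:
            unresolved.append(cid)
        else:
            resolved[cid] = (part.get_content_type(), len(part.get_content()))
    return {
        "tree": mime_tree(msg),
        "links": HREF_RE.findall(html),
        "resolved_cids": resolved,
        "unresolved_cids": unresolved,
    }


if __name__ == "__main__":
    report = analyze(RAW)
    for depth, ctype, cid in report["tree"]:
        print("  " * depth + ctype + (f"  {cid}" if cid else ""))
    print("links:", report["links"])
    print("resolved cid refs:", report["resolved_cids"])
    print("unresolved cid refs:", report["unresolved_cids"])
```

Run against the sample, the tree shows image/png at depth 1 beside the multipart/alternative, exactly the "back at the outer level" placement Nick observed, and the cid: in the HTML still resolves because the lookup is done over the related container's children. Feed it a captured phish instead of RAW and an entry in unresolved_cids tells you the message relies on a client being lenient about where the image part lives.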