funsec mailing list archives
RE: A phish I don't understand.
From: Drsolly <drsollyp () drsolly com>
Date: Wed, 9 Aug 2006 17:35:36 +0100 (BST)
I'll check again next time I get one.

On Wed, 9 Aug 2006, Nick FitzGerald wrote:
Drsolly to Alex Eckelberry:

What does the html source say?

That's the whole point - there wasn't any.

Are you really sure of that? I mean, I know you know how to look up such things in whatever MUA you may choose to use, but are you sure that the message as seen in the MUA is really the message as sent by the spammer?

The reason I ask is because at least one of the spam rings (probably associated with Kuvayev) has recently started pumping lots of spam (including Fifth Third, and other, phish) using a message generator that makes what I think are broken MIME multipart messages. These messages are of the form:

   <usual headers>
   Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="----=_NextPart_000_006A_01C6BACC.42FC3F00"
   <more headers>

   This is a multi-part message in MIME format.

   ------=_NextPart_000_006A_01C6BACC.42FC3F00
   Content-Type: multipart/alternative;
        boundary="----=_NextPart_001_006B_01C6BACC.42FC3F00"

   ------=_NextPart_001_006B_01C6BACC.42FC3F00
   Content-Type: text/plain;
        charset="Windows-1252"
   Content-Transfer-Encoding: quoted-printable

   <hash-busting filler>

   ------=_NextPart_001_006B_01C6BACC.42FC3F00
   Content-Type: text/html;
        charset="Windows-1252"
   Content-Transfer-Encoding: quoted-printable

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
   <HTML><HEAD>
   <META http-equiv=Content-Type content="text/html; charset=Windows- 1252">
   <META content="MSHTML 6.00.2800.1106" name=GENERATOR>
   <STYLE></STYLE>
   </HEAD>
   <BODY bgColor=#ffffff text=ffffff><FONT face=Arial size=2>
   <DIV><a href=http://www.53.com.wps.portal.secure.redew.info/context/><IMG alt="" hspace=0 src="cid:006901c6baf6$2bd24700$6c822ecf@5OKXVS4I" align=baseline border=0></a></DIV>
   <HTML-ized hash-busting filler>
   </FONT></BODY></HTML>

   ------=_NextPart_001_006B_01C6BACC.42FC3F00--

   ------=_NextPart_000_006A_01C6BACC.42FC3F00
   Content-Type: image/png;
        name="Q55NGW.PNG"
   Content-Transfer-Encoding: base64
   Content-ID: <006901c6baf6$2bd24700$6c822ecf@5OKXVS4I>

   <Base64'ed image data>

   ------=_NextPart_000_006A_01C6BACC.42FC3F00--

My (and my MUA's) reading of this MIME structure puts the image "outside" the "scope" of the text/html component of the multipart/alternative component of the main MIME message body (note the image's MIME part boundary identifier is "back" at the "000_006A" level). Thus, my MUA does not render it as the spammer intended, but my MUA has a view mode that allows me to see its interpretation of the component MIME parts and (mostly) to view the contents of those parts.

I suspect some less RFC-considerate MUAs (perhaps those made in Redmond and/or dependent on Redmond's HTML rendering engines?) are less fussy and handle this "just fine" (i.e. brokenly, but producing the result the spammers desired). But maybe some MUAs get really confused by it and only show or acknowledge the "outer" (image-only) level??

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
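The nesting described in the quoted message can be checked mechanically. The following is an added example, not part of the thread: it walks a message's MIME tree with Python's standard email package and reports, for every cid: reference in a text/html part, the depth and parent container of the HTML part and of the part carrying that Content-ID. The sample message is constructed (shortened boundaries, placeholder link and image data), and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample mirroring the layout quoted above; boundaries are
# shortened and the link, Content-ID and image data are placeholders.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="OUTER"

--OUTER
Content-Type: multipart/alternative; boundary="INNER"

--INNER
Content-Type: text/plain; charset="Windows-1252"

filler
--INNER
Content-Type: text/html; charset="Windows-1252"

<HTML><BODY><a href="http://example.invalid/"><IMG src="cid:img1@sample"></a></BODY></HTML>
--INNER--
--OUTER
Content-Type: image/png; name="X.PNG"
Content-ID: <img1@sample>

iVBORw0KGgo=
--OUTER--
"""

def walk(part, depth=0, parent=None):
    """Yield (depth, parent content type, part) for every MIME part."""
    yield depth, parent, part
    if part.is_multipart():
        for child in part.get_payload():
            yield from walk(child, depth + 1, part.get_content_type())

def cid_report(raw):
    """List (cid, html depth, html parent, target depth, target parent)."""
    parts = list(walk(message_from_string(raw)))
    # Index every part that declares a Content-ID by its bare identifier.
    by_cid = {p["Content-ID"].strip("<> "): (d, par) for d, par, p in parts if p["Content-ID"]}
    report = []
    for depth, parent, p in parts:
        if p.get_content_type() == "text/html":
            html = p.get_payload(decode=True).decode("cp1252", "replace")
            for cid in re.findall(r'cid:([^"\'\s>]+)', html):
                d, par = by_cid.get(cid, (None, None))  # None: no such part
                report.append((cid, depth, parent, d, par))
    return report

print(cid_report(SAMPLE))
```

For the constructed sample the HTML part sits at depth 2 under multipart/alternative while the image it references sits at depth 1 under multipart/related; how a given MUA treats that difference is the question raised in the message above.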