How To Circumvent Spam Filters

An interesting piece of spam appeared in my inbox recently. That happens daily, of course, but they’re generally interesting for completely different reasons, such as: 1) managing, despite obvious deficiencies, to avoid Gmail’s spam filter; 2) there are people who are so dim-witted that they fall for these scams. But this e-mail was wholly different. It wasn’t offering drugs, to increase my PageRank and sexual appeal, or to handle my bank account for me. In fact, there is no clear evidence that this spam was promoting anything at all, and that’s what makes it so special. See for yourself — the e-mail appears in full at the end of this post.

Let’s examine the possibilities. First of all, the subject “This is done by invoking the method runFinalizersOnExit of the class System with the argument true.” is a line from Sun’s Java documentation. I doubt this was their doing.

On to the content. The line “In our plan we already have our agents at work, weakening their will to fight, ready as well to kill their leaders of war when the time is right.” comes from the book Wing Commander: Fleet Action. This appears to be a very popular book, and you can get it, besides from that website, from Amazon for 46 cents. It seems unlikely that this is a marketing ploy for that.

I investigated the IP addresses of the connecting mail server, but I didn’t notice anything unusual, at least for spam. There are no hits on Google for the “sender”, marc Pegu. The domain name of his address was tele2.se, which is sort of the Swedish equivalent of Comcast. It seems unlikely that one of their users is actually spamming people (especially considering it came from Turkey), which is why I believe the e-mail address is forged.

What does that leave? Well, it could be an attempt to discover whether or not my e-mail address is valid. That hardly seems worth it. They could do the same thing with a real spam. It’s not like they possibly could have guessed the address, anyway.

So, there doesn’t seem to be any reasonable explanation for this e-mail. It does serve as a lesson for all spammers, though. One great way to get past spam filters is by not including any spam content whatsoever.

As promised, here’s the spam in full, except the e-mail addresses, which I’ve censored (including the sender’s, since it might have been forged):

Delivered-To: ***
Received: by 10.78.32.12 with SMTP id f12cs824208huf;
Mon, 30 Apr 2007 12:30:13 -0700 (PDT)
Received: by 10.64.148.8 with SMTP id v8mr12461369qbd.1177961413053;
Mon, 30 Apr 2007 12:30:13 -0700 (PDT)
Return-Path: ***
Received: from ?85.103.22.102? ([85.100.214.148])
by mx.google.com with ESMTP id 20si15872955nzp.2007.04.30.12.30.07;
Mon, 30 Apr 2007 12:30:13 -0700 (PDT)
Received-SPF: fail
Received: by 10.72.142.63 with SMTP id djulLRgYxGWZr;
Mon, 30 Apr 2007 22:30:07 +0300 (GMT)
Received: by 192.168.134.147 with SMTP id lzllfEQHJlJjay.6796365840029;
Mon, 30 Apr 2007 22:30:05 +0300 (GMT)
Message-ID:
From: "marc Pegu" ***
To: ***
Subject: This is done by invoking the method runFinalizersOnExit of the class System with the argument true.
Date: Mon, 30 Apr 2007 22:30:02 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0003_01C78B77.17FE9D80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028

------=_NextPart_000_0003_01C78B77.17FE9D80
Content-Type: text/plain;
charset="iso-8859-9"
Content-Transfer-Encoding: quoted-printable

In our plan we already have our agents at work, weakening their will to fight, ready as well to kill their leaders of war when the time is right.
------=_NextPart_000_0003_01C78B77.17FE9D80
Content-Type: text/html;
charset="iso-8859-9"
Content-Transfer-Encoding: quoted-printable

In our plan we already have our agents at =
work,=20
weakening their will to fight, ready as well to kill their leaders of =
war when=20
the time is right.

------=_NextPart_000_0003_01C78B77.17FE9D80--

Oh, and the book is pretty good. I just finished it.
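For readers who want to read the header chain above mechanically, here is an added example (not part of the original post) that walks the Received lines from the dump and reports what a receiving system can and cannot verify. It assumes mx.google.com is the trusted receiving server; the function name and finding labels are made up for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Received and Received-SPF headers copied from the e-mail quoted in the post.
RAW = """\
Received: by 10.78.32.12 with SMTP id f12cs824208huf;
 Mon, 30 Apr 2007 12:30:13 -0700 (PDT)
Received: by 10.64.148.8 with SMTP id v8mr12461369qbd.1177961413053;
 Mon, 30 Apr 2007 12:30:13 -0700 (PDT)
Received: from ?85.103.22.102? ([85.100.214.148])
 by mx.google.com with ESMTP id 20si15872955nzp.2007.04.30.12.30.07;
 Mon, 30 Apr 2007 12:30:13 -0700 (PDT)
Received-SPF: fail
Received: by 10.72.142.63 with SMTP id djulLRgYxGWZr;
 Mon, 30 Apr 2007 22:30:07 +0300 (GMT)
Received: by 192.168.134.147 with SMTP id lzllfEQHJlJjay.6796365840029;
 Mon, 30 Apr 2007 22:30:05 +0300 (GMT)
"""

TRUSTED_MX = "mx.google.com"  # assumption: the receiving server named in the dump
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def analyze(raw, trusted_mx=TRUSTED_MX):
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    findings = []
    # Each server prepends its own Received line, so the first hop stamped by
    # our MX is the trust boundary; every hop below it was supplied by the sender.
    edge = next((i for i, h in enumerate(hops) if f"by {trusted_mx} " in h), None)
    if edge is None:
        return ["no-trusted-hop"]
    # "from <announced name> ([connecting IP])": only the bracketed IP is observed.
    m = re.search(r"from (\S+) \(\[([\d.]+)\]\)", hops[edge])
    if m:
        helo_ip = IP_RE.search(m.group(1))
        if helo_ip and helo_ip.group() != m.group(2):
            findings.append(f"helo-mismatch:{helo_ip.group()}!={m.group(2)}")
    if (msg.get("Received-SPF", "").split() or [""])[0].lower() == "fail":
        findings.append("spf-fail")
    for h in hops[edge + 1:]:
        ip = IP_RE.search(h)
        if ip and ipaddress.ip_address(ip.group()).is_private:
            findings.append(f"unverified-private-hop:{ip.group()}")
    return findings

if __name__ == "__main__":
    print("\n".join(analyze(RAW)))
```

Hops below the trust boundary are reported as unverified rather than forged: private addresses can appear in legitimate internal relays, but nothing past the receiving server can confirm them.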
